The need for information security awareness is continuous, in addition to being multi-disciplinary and multi-dimensional. It is imperative to first digest that information security is a process, not a product. An information security awareness training program thus, needs to maintain the equilibrium between usability, productivity and security.
In this context, Central Bank of India (Central Bank), one of India’s oldest banks, has been widely recognized in the industry for its security training and awareness programs. Central Bank has three training colleges at Mumbai, Kolkata, and Bhopal and seven other training centers. Recognizing that information technology (IT) is now an integral part of the bank’s operations and not just a facilitator, the emphasis is much more on information security awareness around IT systems. With rapidly changing environmental variables, effective information security awareness training in banking is a continuous process and the challenges involved, are many.
Security achievable through policies at a hardware or software level is limited — the weakest link always being the human element. A tradeoff exists between security and user-friendliness. For example, while a 16-digit alpha-numeric password is extremely strong, it is also difficult to remember, which adversely affects usability.
The first challenge to disseminating security awareness training at a large bank like Central Bank is its size. The age profile of the employees can be an issue when imparting security awareness training, since perception and adaptability decrease with age. Getting older staff to adopt new norms is an ongoing challenge, requiring constant reinforcement, if best practices are to become habits. Prevention is always better than cure, in this case.
Robust information security policies divided by role
Having a robust security policy is central to formulating an effective information security awareness program. It must be remembered that security controls mandated by the security policy should not compromise user productivity.
While the usual practice with information security awareness programs is to follow a baseline approach, awareness training at Central Bank is divided on the basis of need and role. Through segregation, awareness training can be optimally imparted where needed.
For instance, normal users don’t need much instruction, whereas technical personnel require a more detailed approach. Similarly the requirements of a database administrator, an application programmer, and a network administrator are different. The challenge of security awareness training can therefore be expanded to how to evolve a particular policy, according to end user need.
Incentive programs and integrated training
Incentives can go a long way in enlisting interest and co-operation. Central Bank provides incentives to employees opting for professional certifications like CISSP and CISA. Since the fees for these courses are usually in dollars, they are prohibitively expensive for individuals.
By offering sponsorship benefits only after the exams are passed, a return on investment is ensured. Employees pursuing certifications from the Indian Institute of Banking and Finance (IIBF) such as Certified Information Systems Banker (CeISB), which specializes in training information security auditors, are also included under the sponsorship scheme.
Across Central Bank’s training centers, one class per course is exclusively on information security awareness. Additionally, quizzes on information security awareness are published in an in-house journal, for which a certificate is awarded.
Awareness campaigns emphasizing real-world scenarios
Central Bank also imparts security awareness training through site visits at remote branches, where presentations specifically addressing information security are conducted for employees. These presentations are constantly updated with information on the latest vulnerability and exploits in banking. Employees are encouraged to follow a clean desk policy as far as sensitive information is concerned. Inter-office memos are also sent regularly, to highlight the best practices, dos, and don’ts.
Stress is placed on correlating information security awareness with actual real-world instances and emphasis is placed on maintaining regulatory compliance, without compromising business efficiency. An endeavor should thus be made to impart security awareness training, keeping real world risks, and fraud scenarios in mind.
It is unreasonable to presume that security incidents can be prevented all together. It is important to realize that while security incidents will happen, the task is to reduce the surface of attack rather than aim for invulnerability.
About the author: S K Mishra is the assistant general manager and chief information security officer at Central Bank of India. He is an alumnus of the Indian School of Business, and visiting faculty at various institutes, including the Jamnalal Bajaj institute of management studies, Mumbai University. The views expressed in this article are the author’s own and not those of the bank.
(As told to Varun Haran)
If you would like to comment on this article, please send your feedback to vharan at techtarget dot com.