Credit unions cannot protect the confidentiality, integrity, and availability of information in highly networked systems without the involvement of all staff. We use these systems daily, and they are integrated across department lines and locations. It is because of this complexity that we must train our staff and users. In this training, credit union staff must:
- Address roles and responsibilities related to their credit union’s mission;
- Understand their organization’s IT security policy, procedures, and practices; and
- Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.
Today, many reports and publications make the case that people are one of the weakest links in attempts to secure systems and networks. The “people factor” - not technology - is key to providing an adequate and appropriate level of security. If people are the key but are also a weak link, more and better attention must be paid to this “asset.”
The way to address this risk is to implement a robust credit union awareness and training program. It is critical to ensure that people understand their IT security responsibilities and organizational policies, and that they correctly use and protect the IT resources entrusted to them.
Users are the largest audience in any organization, so if user error is a risk, they are also the most critical group of people who can help to reduce unintentional errors and IT vulnerabilities. Users must:
- Understand and comply with CU security policies and procedures.
- Be appropriately trained in the rules of behavior for the systems and applications to which they have access.
- Work with management to meet training needs.
- Keep software/applications updated with security patches; and
In summary, users must have full awareness of actions they can take to protect their member information. These actions include, but are not limited to, proper password usage, data backup, and proper antivirus protection. Users must know how to report any suspected incidents or violations of security policy, follow rules established to avoid social engineering attacks, and take actions to deter the spread of spam, viruses, and worms.
Set up a schedule of training rather than a once-a-year blast. A consistent message heard often will stick with the users much longer. Educational material and services are available from government, academic, and commercial sources. Take the time to build an effective plan for your credit union. The benefits are both short and long term, and our members will be more secure as a result of our efforts.