Pub. 8 2019 Issue 1

SPRING | 2019 FEATURE

dates, is a key step to take toward ensuring that these systems can be replaced in a timely manner.

Inadequate Training Against Phishing and Social Engineering Attacks

All companies face risks associated with social engineering attacks, in which the attacker targets the human element of security. In a social engineering attack, the attacker tries to convince an employee to perform an action without realizing it is malicious. Therefore, it is important to train employees to be suspicious of any unsolicited calls, emails, or even face-to-face interactions in which someone is asking about confidential information. Employees should be instructed to avoid clicking links or opening attachments unless they can verify that they are legitimate. To supplement training, utilize internal social engineering tests that simulate an actual attack to help employees identify and respond to malicious activity.

Failing to Follow Established Policies and Procedures

The final frequently observed security mistake to avoid is that of employees not being aware of – or not following – documented company policies and procedures. As with social engineering awareness, extensive employee training is needed to ensure all applicable employees are made aware of the proper procedures to follow. When new policies are put into place or existing policies are updated, employee training processes should be changed accordingly, and employees should be made aware of the changes in a timely manner.

These vulnerabilities are not secret, and most attackers know to look for these weaknesses. In the midst of the ever-changing security landscape, it is important to address these common areas that attackers know are often vulnerable. Take the necessary steps to ensure appropriate technical controls are in place and train employees to be security-minded. Addressing these five common mistakes will greatly increase the security of your institution.
Andrew Hettick is an Audit and Security Consultant for CoNetrix. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cyber security needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and tandem software, a security and compliance software suite designed to help financial institutions create and maintain their Information Security Programs. Visit our website at www.conetrix.com.
