Tom, our head risk management advisor, walks around with a $100 bill in his pocket. At training sessions, hell set that $100 bill in front of someone and put a stack of his personal bank records next to it. Then he asks, Which one should I be more afraid to turn my back on?
Anyone who works in finance is quick to catch his point. They know that his personal information is worth far more than $100. Its worth more to a crook, and its worth more to Tom whod have to spend at least 10 times that clearing up a case of identity theft.
But what we understand in a training session doesnt always translate into daily action. We get hired for enterprise risk management to walk through financial institutions doing risk assessments and social engineering tests. We know were never going to see even a $20 bill lying out. Thatd be heresy in a bank. But walk by an open cube, and we might find 20 home loan applications ripe for the plucking.
Here are a few daily reminders were good at protecting cash: 18-inch-thick steel reinforced concrete vaults, timed vault doors, elaborate alarm systems, cash counted and verified daily, teller drawers locked and stored in the vault overnight, robbery training.
Now ask, how are we reminded about information security? Remember those loan files sitting out all day and night?
If your bank or credit union is held up at gunpoint and cash is stolen, you only have to tell your regulator and the FBI. Sure, itll make the news, but anyone who hears about it feels bad for the staff and the bank. The public assumes you did nothing wrong and that you were a victim. (The banks have locks, vaults and alarms after all)
However, if your information network is breached, you not only have to tell regulators and authorities, you may have to notify customers. Youll get a ton of press and your customers and the public wont see you as a victim but rather as a business that didnt do its job. (Dont they have a firewall and passwords?)
Now think about the impact on your customers. When cash is stolen, your customers are fine. They arent out anything. But when their identity is stolen, they have to work hard to get it back and they never really know if theyre made whole. (Am I finally through calling everyone and switching things? Did I get everything? Im so mad at that bank! )
Like cash security, information security is everyones responsibility. And its a cultural shift that needs a champion in your organization.
The truth is, its harder to manage information than it is to manage money. Theres no way to be 100 percent protected when it comes to enterprise risk management, but if you organize yourself, train, and use some better tools, you can limit your risks. Make yourself better armed than you competitors and you wont be the low-hanging fruit.
About the Author
Pete Griffith is CEO of Supernal, makers of the Scout risk management dashboard. Find him online at www.supernal.com and on Twitter @SeeScoutRun.
