#351321 - 04/26/05 01:15 PM Training-Customer Info Security
Anonymous
Unregistered

We will be having our annual training session on customer information security and were wondering if anyone out there had any new and exciting ways to get the message across. The majority of the audience will be ordinary bank folk, not IT gurus. Does anyone have any training materials they would be willing to share?

Want to get the basic message out (shred, log off, lock up files, etc.). Also thought we should cover phishing, spoofing, etc.

Any ideas?

#351322 - 04/26/05 01:47 PM Re: Training-Customer Info Security
LoisLane
Diamond Poster
Joined: Oct 2001
Posts: 1,570
Wisteria Lane..
How about a skit showing a desk covered with sensitive information such as loan applications, copies of bank statements, NSF list, etc. One scene takes place during an employee's lunch hour when another customer or a vendor snoops through the information, and a second scene after hours when a cleaning person has access to the information.
_________________________
And where is Superman when I need him?

#351323 - 04/26/05 01:52 PM Re: Training-Customer Info Security
Anonymous
Unregistered

There are several things in Banker Tools that could be used.

1. Post one or two of our information security awareness signs in our training room. The one on "Passwords are like toothbrushes . . ." always gets a laugh. Awareness signs.

2. Use the Information Security section of the SKIPO Training Game. SKIPO

3. Utilize the Employee Guide to Information Security posted by Jesse Torres. Employee Guide

4. Recruit a couple of "hams" in advance from among your staff and have them act out some skits that illustrate how information security can be compromised. Here are some possibilities:
-- Do a skit where one person plays a bank employee and another is a pretext caller, pretending to be one of your bank's customers. Have the pretext caller use various ruses to try to get around your identity confirmation procedures.
-- Set up a table or desk up front with a computer monitor and some files and two chairs. With one person pretending to be a bank employee and the other a "customer," have the employee leave the room and the "customer" then rifle through the paper on the desk and the computer to try to quickly obtain some confidential information.

You can also have employees make up passwords that aren't the ones they ACTUALLY use, but are ones they might use. Then, with an LCD projector and an Internet connection, take the list of passwords they've created and run them through this password strength meter to graphically illustrate whether they are strong or weak.
Password strength test.

Play "Guess the Password." Have each employee pick one other employee and make a list of words, numbers, etc. that they believe that individual might have used as a password, or part of a password. Kids' names, pets' names, street addresses, car types, favorite foods, singers, artists, vanity license plates -- whatever they know about the other person's life and interests -- in order to show how a determined hacker can do a little research and successfully compromise a password if it's not secure enough (in terms of its composition).

#351324 - 04/26/05 01:55 PM Re: Training-Customer Info Security
John Burnett
10K Club
Joined: Oct 2000
Posts: 40,086
Cape Cod
From the hip --
  • Bring in a wastebasket that you've salted with a few tasty morsels of customer information. Perhaps you can find a genuine letter from a customer asking for something from the bank, where the letter includes some key data like SSN or account number along with the name.
  • Bring in a laptop computer with some customer files on it.
  • Ask a cooperative lender to provide some choice bit of compromising "dirt" from a credit file that could bite the bank in the a$$ets if it were found in the local landfill.
  • Phony up an email exchange (start with a message from your home email address) in which a customer supplies confidential personal information -- account number, SSN, whatever -- and the email reply from the bank includes a caution about sending confidential data via unsecure email, along with a verbatim copy of the customer's original message.
  • Pose for a photo in janitor's garb as you scrutinize what's obviously a loan file left sitting on a lender's desk. Label the "file" in big letters, and use a non-lender's area for the photo shoot, so you aren't perceived as targeting a particular lender (unless you want to use up cooperation capital). Make up a phony nameplate; ham it up. Ima Lender?
  • If you're into role playing, put together a skit where a lender with files stacked up on his desk excuses himself mid-interview to tend to a personal matter, leaving an applicant free to glance at the files.
_________________________
John S. Burnett
BankersOnline.com
Fighting for Compliance since 1976
Bankers' Threads User #8

#351325 - 04/26/05 05:25 PM Re: Training-Customer Info Security
Anonymous
Unregistered

Thanks everyone. Great ideas!!


Moderator:  Andy_Z