Training Top 125 Best Practice: Information Protection at BB&T Corporation

All 37,000-plus BB&T Corporation associates are required to be trained on information protection annually, which is accomplished via an online course, on-demand training resources, and phishing e-mail simulations.

The environment in which financial institutions currently do business creates a strong need for information security training. At financial services holding company BB&T Corporation, senior leadership recognizes the importance of information security and consistently helps to ensure it stays a top priority for all associates. As such, information security training encompasses the entire organization—all 37,000-plus associates are required to be trained on information protection annually, which is accomplished via an online course, on-demand training resources, and phishing e-mail simulations.  

The program aims to:

  • Optimize the risk management framework with greater emphasis on efficiency and effectiveness of controls. This program’s goal is directly related to managing risk within BB&T and empowering each associate to take ownership of managing risk within his or her role.
  • Decrease phishing rates by 5 percent or more from the beginning of 2018. 
  • Double the industry average phishing reporting ratio of approximately 17 percent. 

Program Details

BB&T’s Information Protection online course helps associates understand their responsibilities pertaining to the legal and regulatory requirements to protect information. The course uses interactive scenarios to illustrate Secure Desk Standards, Information Classification, Information Disposal and Destruction procedures, Records Management, e-mail and Internet usage policies, and Acceptable Use Standards. This course also covers Phishing, which is a social engineering tactic whereby the criminal tricks an individual into divulging information or allowing access by posing as a trusted entity. 

A library of on-demand learning opportunities available for all associates on a SharePoint site includes videos, Quick Reference Guides, and newsletters that help associates navigate through the Information Security Website. The Website receives 12,000 hits per month and brings current issues to light. 

To help associates recognize what phishing e-mail scams may look like, BB&T randomly sends associates e-mails that simulate a real phishing attempt. Associates who repeatedly respond incorrectly by clicking a link to a phish testing simulation are assigned a mandatory phishing training course that provides additional education on how to identify and react to phishing scams.

BB&T also uses phone scam simulations to give associates a realistic experience of what types of high-pressure situations they may encounter when a scammer calls. By interacting with a caller and experiencing deceptive practices, associates remember what it feels like to speak with a person in that situation, and adjust their behavior to ensure client information is protected.


The 2018 Cost of Data Breach Study: Global Overview by IBM Security and Ponemon Institute found that the average cost of a successful data breach (which results from phishing attacks) is $3.8 million. BB&T’s training techniques have resulted in a decrease in phishing rates of 11.2 percent from the beginning of 2018 to 3.8 percent at the end of 2018. 

BB&T also regularly maintains a strong 50 percent reporting ratio for phishing simulations, meaning half of all simulations are reported to the Information Security suspicious e-mail box. This reporting ratio is nearly triple the 2018 industry average of 17 percent. 
