Nick Horak, Energy One Federal Credit Union; Sarah Hrabal, American Airlines Credit Union; and Robert Eckhart, GECU.

Security awareness on a budget

'Employees have to know this is one of the most important things to focus on.'

September 22, 2022

Presentations to new employees, awareness campaigns, and security scavenger hunts are some low-cost ways to improve employees’ information security awareness, according to a panel of credit union security leaders who addressed the 2022 CUNA Operations & Member Experience Council and CUNA Technology Council Conference Wednesday in Las Vegas. 

Moderated by Mark Reed, senior vice president/technology at American Airlines Credit Union in Fort Worth, Texas, the panel featured: 

  • Sarah Hrabal, information security analyst at American Airlines Credit Union. 
  • Robert Eckhart, vice president, information security, at GECU in El Paso, Texas. 
  • Nick Horak, vice president of information technology at Energy One Federal Credit Union in Tulsa, Okla. 

Horak spends about two hours at each new employee orientation training new hires on information security best practices, phishing prevention, password management, security practices at their previous jobs, and more. 

“We make sure they know how to use the tools we give them,” he says. 

During each new employee’s “day of discovery,” or orientation, American Airlines relates security lessons to staff’s home life, including how to manage their children’s internet use and manage their passwords. 

“We teach them to be safe at home, and they bring that to the office,” Hrabal says. “Security awareness is about getting people to change their behavior in the office.” 

“People get tired of hearing, ‘don’t click,’” Reed adds. 

The credit union celebrates Cybersecurity Awareness Month each October with contests, prizes, food trucks, and other events to boost employee awareness, buy in, and engagement. 

It also holds security scavenger hunts, where employees search for security information and answer questions, earning gift cards and other prizes in the process. 

“We’ve made security part of our culture,” Reed says. “These efforts drive discussion and awareness.” 

GECU also focuses on security training, incorporating gamification and prizes, Eckhart says, in addition to a newsletter on its intranet. 

“We reward people who report phishing emails,” he says, which includes providing recognition to staff’s manager. 

On the contrary, repeated security lapses result in extra training and the prospect of disciplinary action.  

“Employees have to know this is one of the most important things to focus on,” Reed says. “It’s part of their daily job.” 

This article is part of  Tech22, CUNA News’ special focus on innovations and developments in technology. Follow the conversation on Twitter via #Tech22.