Preventing Internal Data Breaches: Best Practices for Employee Screening, Training and Testing

Data breaches are becoming an increasing threat to organizations in all industries – especially those in financial services. Financial institutions such as credit unions are at particular risk of incidents and cyber crime, with a recent study by Pindrop revealing that credit union fraud rates increased by more than 70% last year. However, it’s not just third-party threat actors that pose a risk to these institutions. According to Verizon’s 2022 Data Breach Investigations Report, 82% of data breaches last year involved human error on the part of an internal employee.

As a result, building a cyber-resilient workforce is essential to mitigating the increasing fraud risks against credit unions. Whether it is through active fraudulent behavior, such as the use of stolen credentials, a misunderstanding of an organization’s cybersecurity policies resulting in employees falling prey to phishing scams, or through simple error, employees play a large role in security incidents and data breaches. While it will be impossible to mitigate risk altogether, financial institutions can take significant steps to create a more cyber-resilient workforce. Here are recommended best practices for employee screening, training and testing to help deter employee-related security incidents:


A good first line of defense against employee-related incidents and breaches within your institution is employee screening. Employee screening is the process of investigating potential employees to ensure they do not pose a risk to your organization. When screening, it is important to identify the types of information and systems an employee will have access to based on their role. It is also important to consider the impact an employee could have on your institution if they were to pose an insider threat. Criminal background checks and employment history checks are common methods of identifying past behaviors that indicate fraudulent propensities. Additionally, whether the candidate was honest in disclosing their history can be an indicator of whether the employee is trustworthy. Credit screenings, where allowed by law, are another pre-employment check that can be used to identify motives for financial fraud.


Cybersecurity training typically involves educating your staff on topics such as using secure passwords, guarding against phishing scams and knowing what to do in the event of a data breach. Traditionally, security awareness training is conducted for staff upon hire and annually thereafter. While this annual training typically satisfies most legal and regulatory requirements, more frequent training has been shown to be more effective in warding off harmful breaches. In addition to the cadence of training, it is also important for institutions to analyze the effectiveness of training being administered to employees. Training that is interactive and engaging has been shown to be more effective than other educational training formats.


While the importance of proper security training cannot be overstated, it is not enough to simply educate your employees on cybersecurity best practices. Testing your workforce is critical to identifying areas of weakness, which can be addressed through targeted educational opportunities designed to strengthen your information security program. One way to do this is by administering email phishing tests. Those who fail the test should then be given additional training to help them better identify dangerous phishing emails in the future. Additionally, those who identify the email as phishing but do not properly report the incident should be instructed on how to properly report phishing attempts to protect the organization’s cyber health. Once alerted, IT pros can scrub the email system-wide so that others within the institution do not fall for the phishing attempt and put the organization at risk.

About Author:
Charlie Wood, Executive Vice President for FoxPointe Solutions Information Risk Management Division of The Bonadio Group. Charlie holds many certifications including Certified Information Services Auditor (CISA), PCI Qualified Security Assessor (PCI QSA), Certified in Risk and Information Systems Control (CRISC) and Certified Information Security Manager (CISM).

Disclaimer: The summary information presented in this article should not be considered legal advice or counsel and does not create an attorney-client relationship between the author and the reader. If the reader of this has legal questions, it is recommended they consult with their attorney. 
