To celebrate International Information Security Day, which will take place on November 30th, BBVA is dedicating the week to raising awareness of the risks in the digital world. In this interview, Ana Gómez Blanco, Head of Culture in Cybersecurity at BBVA, explains how initiatives like this are a fundamental component of corporate security and the key to helping employees and their families make their habits “cybersafe”.
Question (Q): The cybersecurity world is advancing very quickly, and existing measures are able to stop many technical threats. However, most problems stem from improper use of technologies by users. How would you summarize your experience raising awareness in a large company like BBVA?
Answer (A): The truth is in a company like this, every day is a challenge. As technology advances, so do the threats. Cybercriminals use more sophisticated techniques and carry out more complex attacks. We constantly remain up to date in order to be prepared to address possible threats.
Raising awareness among employees is one of the pillars of cybersecurity at BBVA and we focus on continuous learning and training. Thanks to management’s involvement, the experience we have at the bank is very positive, as we have highly qualified staff and a high level of commitment across different levels. We have also managed to express the importance of information security to people, and that has paved the way for us to do our job.
"The biggest challenge is ensuring that employees understand that information is the most important asset and it is our duty to protect it"
Q: Based on your extensive experience in the sector, what do you think are the biggest challenges when it comes to raising awareness?
A: In a company like BBVA, which manages a vast amount of information with varying levels of confidentiality belonging to the company and to customers, the biggest challenge is ensuring that employees - as the most important link in the security chain - understand that information is the most important asset and it is our duty to protect it.
Employees need to be trained so that they act accordingly in professional and personal contexts. And that is where we encounter one of the biggest challenges: for employees to adopt best practices in cybersecurity for personal matters and internalize them, so that it isn’t hard to apply them at work.
It’s important to understand the the technical security measures adopted by the bank - for example the use of firewalls, antivirus, etc. - must be accompanied by good behaviors, as protection must be comprehensive.
Q: One of the most common stereotypes is thinking that the more responsibility an employee has, the less time he or she can spend on training. However, the threats exist across all levels of a company. How do you raise awareness among directors?
A: With the increase in cyberattacks at large companies in some places in the world, I think this group is aware of the risks that come from information being compromised at different levels - reputational, financial…. so they are more aware and are placing more importance on the areas in charge of this protection. At BBVA, cybersecurity has been one of the pillars of the company for some time now.
There is a great cybersecurity culture at the bank at different levels and a high degree of involvement with the area, which allows us to carry out our awareness campaigns and training activities designed to help employees improve in this subject on a daily basis. The training and commitment of the entire workforce is fundamental to avoid incidents.
"Events are organized throughout the year that cover security at work and in personal contexts"
Q: Despite the efforts of many companies and public bodies to raise users’ awareness of security and the proper use of electronic devices and the Internet, cybercrime indicators continue to show a notable increase. What would you say are the biggest threats for a company like BBVA?
A: Currently, I would say that we are all exposed to the same threats on a technological level - both large and small companies and in our personal lives. In other words, our information - both personal and corporate - is our greatest asset and that’s why criminals are always lurking to try to steal our credentials through different angles of attack.
We receive a large volume of emails and notifications from messaging applications and we don’t often stop to see who the sender is, if a link or file is attached, if it’s legitimate or if we were expecting it. This is one of the simplest ways cybercriminals have to access our devices.
Q: The words threat, awareness and cybersecurity can often seem unfamiliar. Could you give us an example of specific activities you do in your everyday work?
A: All the actions carried out from the awareness area are extended across the entire group in the different locations. That’s why we are focusing our efforts on creating content that is relevant to all employees. We are able to do so, above all, thanks to the creation of graphic materials (infographics, posts, etc.) and employee guides.
In addition, through the online training campus, all employees are offered online courses on security protection (how to create passwords, how to use cloud services, etc.).
In-person courses are also offered where specific issues are discussed that could be useful and applicable to employees’ lives, adapted to the needs of each geographic location. We have selected companies specialized in this field to collaborate with us on this.
Along these lines, one of the most successful activities is the Family Cybersecurity Workshop for employees, who attend with their children. There are discussions for parents and other activities designed to teach children the risks of the Internet and how to protect themselves.
Q: Finally, we would like to draw attention to the 360º awareness that BBVA offers employees and their families on the subject of cybersecurity. How important do you feel the many events held throughout the year are? International Information Security Day, for example?
A: At BBVA we feel that the behaviors of employees and their families are a fundamental pillar of the company’s security. That’s why events are organized throughout the year that cover security at work and in personal contexts.
One clear example is the week organized around International Information Security Day at BBVA. These days we are enjoying chats and workshops that cover topics like Internet behaviors, the digital footprint, information protection and robust passwords. This week packed with employee training will culminate on Saturday with over 1,400 people in attendance - young and old - where every age group will be able to enjoy training sessions in line with their needs.