Reinforcing employee cyber risk awareness is as critical to the maturity of your program as the products in your cyber tool set.
By Steve Soukup
Artificial intelligence and other advanced technologies have become critical components of modern financial services, enabling banks to competitively deliver more efficient and personalized services. As digital interactions continue to grow, so does the importance of cybersecurity. Any changes implemented in business operations create exposure to new risks and vulnerabilities, so banks are investing heavily in cyber risk management solutions.
But many banks have a substantial, often unseen gap in their cybersecurity defenses: their employees.
With even the most powerful cybersecurity solutions in place, a simple mistake can suddenly cause considerable monetary loss, reputational damage and disruption of business continuity. Due to unique challenges, strict regulatory requirements and valuable protected assets, banks make a resolute effort in cyber risk management by investing in the best security products and monitoring support. Many banks also eagerly follow the most current and important recommendations to implement a proactive plan to detect, prevent, and mitigate cyberattacks. Banks are ready for the war against cybercrime. And then, one of the C-level executives who has been specifically targeted mistakenly clicks on a phish. Cue data breach: Assets are at risk. Sensitive client information has been compromised. And this cyberattack was 100 percent preventable.
Security Today reports: “A joint study by Stanford University Professor Jeff Hancock and security firm Tessian has found that a whopping 88 percent of data breach incidents are caused by employee mistakes. Similar research by IBM Security puts the number at 95 percent.”
You have secured your house, purchased the strongest locks, installed the latest home security system … and then you leave a window open. Reinforcing employee cyber risk awareness and education is as critical to the maturity of your program as the products in your cyber tool set. To prevent avoidable and costly mistakes, it is important to understand why they happen in the first place so your employees stay “smart” in the face of cybercrime.
Problematic behavior
Some of the most destructive cyberattacks have happened due to a simple lack of cyber risk awareness. Are your employees opening emails on their phones and just clicking away without looking for signs of a phish? Are they leaving their laptops unlocked and unattended while they stand in line for their orders at the local coffee shop? Have they reused the same passwords across several accounts? But the most important question is: Do they KNOW that these actions make them vulnerable?
Another challenge associated with cybersecurity awareness is outright distraction. Employees are constantly busy, opening messages on the go and juggling multiple tasks at once. We know there are risks. BUT are we paying attention?
Consider this incident: You’re hurrying to shut down for the day to get to your kid’s soccer game on time when an email pops up in your inbox. It’s from your CEO with the subject line: “Explain these numbers.” Your heart practically stops. What numbers?
The clock is ticking to get to that game, so you immediately open it. You barely read through the email before opening the attachment. You’ve fallen for it: CEO spoof. If you had taken a minute, you would have realized that the email shows your CEO’s name, but the sender address belongs to an outside entity. If you had read through carefully, you would have seen that the message has slightly broken English, and the closing sounds odd. You’ve been duped. It happens. But how often?
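The two signals in the story above (a trusted display name paired with an outside sender address, and a reply path that leads off the bank's domain) are exactly what a mail gateway or SOC triage script can check before the message reaches an inbox. The example below is added here for illustration and is not code from the article or from DefenseStorm; the bank domain, the executive directory, and both sample messages are constructed for the example.

```python
"""Flag executive display-name impersonation in email headers.

Added example (not from the article). The internal domain, the executive
directory and the sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: the bank's own mail domain and the names/addresses
# of executives whose display names attackers like to borrow.
INTERNAL_DOMAIN = "examplebank.test"
EXECUTIVES = {"jane doe": "jane.doe@examplebank.test"}

# Constructed sample: the "CEO spoof" from the story. The display name is the
# CEO's, but the address (and Reply-To) point at an outside domain.
SPOOFED_MESSAGE = """\
From: Jane Doe <jane.doe@mail-notify.example>
Reply-To: Jane Doe <jane.doe@mail-notify.example>
To: analyst@examplebank.test
Subject: Explain these numbers

Please open the attached file and explain these numbers before EOD.
"""

# Constructed sample: the same request actually sent by the CEO.
LEGIT_MESSAGE = """\
From: Jane Doe <jane.doe@examplebank.test>
To: analyst@examplebank.test
Subject: Explain these numbers

Can you walk me through the Q3 variance when you get a chance?
"""


def _domain_of(address):
    """Return the lower-cased domain part of an address, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _normalize(name):
    """Collapse whitespace and case so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def check_headers(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message.

    An empty list means no impersonation indicators were found in the
    From and Reply-To headers.
    """
    msg = message_from_string(raw_message)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(addr)
    known_exec = EXECUTIVES.get(_normalize(name))

    # Signal 1: display name matches an executive, but the sending address is
    # not that executive's real address and the domain is external.
    if known_exec and addr.lower() != known_exec and from_domain != INTERNAL_DOMAIN:
        findings.append(
            f"display name '{name}' matches an executive but sender "
            f"'{addr}' is outside {INTERNAL_DOMAIN}"
        )

    # Signal 2: Reply-To steers responses to an outside domain, a common way
    # to keep a conversation going after the first lure is opened.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain_of(reply_addr)
    if reply_domain and reply_domain != INTERNAL_DOMAIN:
        findings.append(f"Reply-To '{reply_addr}' is outside {INTERNAL_DOMAIN}")

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, "->", check_headers(sample) or "no findings")
```

Run it as a script to see the spoofed sample produce two findings and the legitimate one none. In practice the executive directory would be loaded from the identity system rather than hard-coded, and the findings would feed a mail-gateway banner ("external sender using an internal name") or a SOC alert rather than a print statement; the point is that the cues the employee is asked to notice under time pressure are also cheap to check automatically.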
Have all employees been trained to understand the importance of operating in a constant state of vigilance? Or are they so distracted that they just simply forget? Best practices for cybersecurity awareness include continuous education and training. Try these effective strategies to keep your employees “smart” about cyber risk:
- Include cybersecurity training during the onboarding of new employees.
- Provide ongoing training to identify questionable links, emails or other possible threats.
- Teach proper protocol to create strong passwords, handle sensitive information and use technology responsibly.
- Train all employees. When we say train all employees, this means ALL: from the interns to the C-level executives.
- Provide regular simulations for employees to practice and learn how to identify harmful links or suspicious communications. Simulated phishing exercises can help your employees master how to distinguish between a possible threat and genuine communication.
- Motivate, remind and empower. Implement cyber awareness campaigns with memorable slogans that can be used internally. Use catchy reminders such as: “Think before you click,” or “One click is all it takes.”
One DefenseStorm client motivates employees to pause and think about cybersecurity by using two monthly raffles. Employees are entered into the first raffle when they successfully identify a campaign phish and into the second raffle if they identify a real phish. Using motivational tools and incentives creates opportunities for positive reinforcement so employees remember to stay alert.
Don’t forget your cybersecurity personnel
Even the most technologically savvy employees can make mistakes and create vulnerabilities in your cyber defenses. Burnout, talent gaps, waning skills and complacency among internal cybersecurity teams are the cause of significant vulnerabilities in your cyber defenses, exposing your bank to increased risk. How are your internal cybersecurity personnel managing? Is your executive team actively supporting one of your most essential departments?
Banks report major burnout because the number of cyber events can be overwhelming. The demands to scrutinize the constant flood of cyber events cannot be managed by outdated manual processes and understaffed teams. When employees are overloaded, mistakes happen. Consider these strategies to alleviate burnout:
- Ensure your internal cybersecurity team receives active support from the executive team.
- Leverage AI technology for threat detection and prevention.
- Partner with a cyber risk management provider to co-manage your monitoring.
- Stop using manual processes and utilize automation to aggregate data and create reports to satisfy regulatory requirements.
Another concern is that internal security operations center tasks become repetitive for individuals. Boredom fuels complacency, which in turn spawns errors and oversights. Solutions to these problems include cycling employees through different roles and providing analysts with learning opportunities on new technology. Equally promising is the suggestion to create partnerships between base analysts and incident responders, ultimately advancing skills. While your security operations center team members are continuously improving and learning, they stay current and prepared.
Keep your team alert and motivated by strengthening skills with maturity mapping to evaluate your internal team’s capability and preparedness. Maturity mapping models are defined by the Federal Financial Institutions Examination Council (FFIEC) as “an evaluation across five domains: cyber risk management and oversight, threat intelligence and collaboration, cybersecurity controls, external dependency management and cyber incident management and resilience. Each domain has five levels of maturity: baseline, evolving, intermediate, advanced and innovative.” Running through simulated exercises and evaluations gives insight into your institution’s performance and readiness in the face of emerging cyber threats. Understanding your internal team’s response, resilience and recovery abilities allows you to set goals, benchmarks and performance expectations.
Stay alert and informed
Staying up-to-date and informed to prepare for emerging threats is an important part of your bank’s cyber risk management strategy. Always share and distribute important news and alerts to employees.
With the increasing sophistication of cyber threats, cybersecurity is a top priority for banks, but investing in technology and monitoring support alone is not sufficient to maintain an effective level of cyber risk readiness. To keep your bankers smart and savvy about cybersecurity, foster a culture of vigilant cyber risk awareness, nurture your cybersecurity teams and implement comprehensive training programs. Ultimately, empowering and equipping employees with the knowledge and tools to recognize and stop cyber threats is the key to maintaining a strong and resilient cyber risk management program, so your bank can outsmart threat actors.
Steve Soukup is CEO of DefenseStorm.