Creating a Cybersecurity Awareness Culture at Financial Institutions

Creating a Cybersecurity Awareness Culture at Financial Institutions
Written by Angela Gelnaw
Director, Ecosystem Strategy

Banks and other financial institutions have always been burdened with a greater need for security than other industries. In the past, that meant hiring 24/7 guards and locking cash away in reinforced bank vaults. Today, it means having best-in-class cybersecurity teams and state-of-the-art detection and response technology.

However, when it comes to preventing data breaches, having the best cybersecurity experts and the fanciest tech isn’t always enough. Here’s how the FDIC puts it in their Framework for Cybersecurity:

“Even the best-designed security controls cannot fully protect a financial institution from one uninformed employee, contractor, or customer who unwittingly visits a malicious Web site, opens a malicious email attachment, or clicks on a malicious email link. Effective cybersecurity awareness programs should educate employees, contractors, and customers about the threat environment and encourage them to “Think Before You Click.”

Here are some steps security leaders at financial institutions can take to create a cybersecurity awareness culture at their organization:

Understand the Risks

According to Verizon’s 2018 Data Breach Investigations Report, Trojan botnets and denial of service attacks are by far the most common action varieties in financial industry data breaches. However, once these incidents are accounted for, phishing is a factor in many of the remaining cases. Email is still the method of choice for phishing attacks, playing a role in 96% of reported incidents.

[Get Free Ebook: The Secret to Creating a Cyber Risk-Aware Organization]

For financial institutions, employee behavior while interacting with email is a major risk factor for cyber attacks and data breaches. Creating a cybersecurity awareness culture requires training employees to be more vigilant while using technology, especially when working with email.

Go Beyond Training

Security awareness training is an increasingly popular service, and most financial institutions require their employees to undergo some kind of awareness training. However, training alone isn’t enough to truly create a cybersecurity awareness culture.

Whether it’s conducted in seminars, meetings, or online, security awareness training is typically focused on increasing the knowledge of employees. It might teach them about the consequences of falling prey to a phishing attack, or methods for spotting suspicious emails. However, this information is likely to fall on deaf ears if an organization does not also foster feelings of responsibility and accountability for cybersecurity among employees.

So, how does a security leader go about creating feelings of responsibility and accountability? It starts with being able to show results.

Because success in cybersecurity is proven by a lack of negative results, it’s difficult for employees to feel connected to outcomes in the same way they are in other business areas. Without quantitative evidence of the results of their actions or non-actions, there will inevitably be a loss of motivation, no matter how much training they undergo.

secrets to a cyber aware organization ebook

Creating a cyber risk aware culture requires awareness at your company in which every employee takes responsibility for cybersecurity. Get the tips to make this easier.

Measure Cybersecurity Performance

Luckily, there are ways to measure user awareness performance.

Many security training providers and consulting firms provide simulated phishing services. When an organization engages with these services, the provider sends false emails to employees in order to gauge how many users would be likely to fall victim to a real attack. The results can then be used to assess the effectiveness of security awareness training and motivate employees to improve.

Security ratings, like those offered by Bitsight, provide quantitative metrics of performance in key areas of cybersecurity, including:

  • File Sharing and User Behavior Risk
  • Disclosed Credentials
  • Malware Servers
  • Botnet Infections
  • Patching Cadence and Outdated Software
  • Public Disclosures

These ratings are updated daily, and are calculated based on externally observable information, meaning they can be accessed for any organization, not just one’s own.

By identifying the risk vectors that are directly or indirectly related to user awareness, security leaders at financial institutions can use security ratings to keep tabs on the level of cybersecurity awareness among their employees.

Gamification: Benchmarking for Motivation

Equipped with a continuous, quantitative picture of cybersecurity awareness performance, security leaders can get creative with methods for motivating employees to stay vigilant.

Because security ratings are externally observable, they can be easily compared to other business units, competitors, or even the industry average. By showing employees how their collective performance stacks up against, say, their biggest competitor, security leaders can motivate users to do better.

In addition, security ratings can be used to measure historical performance. By looking at how today’s metrics compare to metrics from six months ago, security leaders can identify whether cybersecurity awareness has increased, decreased, or stayed the same. This data can be used to motivate employees, and can also be leveraged to determine the ideal frequency for security awareness training and to determine which training methods are most effective.

This is just a brief summary of how financial institutions can create a cybersecurity awareness culture. For a deep dive into the subject, check out our ebook The Secret to Creating a Cyber Risk-Aware Organization.