Hybrid working changed cyber risk: How can financial services rise to the challenge?

By Oz Alashe, CEO, CybSafe

 

We’ve all become familiar with the phrase ‘hybrid working’ over the past two years. More than 80% of businesses have adopted the practice, balancing the convenience of remote working with the collaborative benefits of working in person.

Such shifts don’t usually occur overnight. But in the wake of a pandemic, this is what was required. Some businesses had to manage a complete transition to remote working. Others had to navigate a hybrid model with employees moving between home and the office. Financial services were not immune to this rapid change.

Disruption brings challenges, yes. But it also opens up opportunities and the chance to rethink how things are done. Rapid innovation is a common by-product of rapid change.

It has taken the pandemic for organisations to rethink their approach to cyber security and explore new ways of engaging employees to reduce risk. It highlighted the need to prioritise influencing positive security behaviours at all levels.

Blurring the line between compliance and security

If we’re discussing cyber security and financial services, we need to discuss compliance.

It’s easy to fall into the trap of correlating compliance with security. If you are in financial services, you must follow industry regulations. It’s as simple as that. But this doesn’t mean we have to merge compliance and cyber security to the point where the latter becomes more about reporting and ticking boxes rather than influencing positive changes in culture and behaviour.

Financial services organisations should treat compliance like a driving licence. It is necessary, and you need to have completed the training and passed the requisite tests to acquire one. But having a driving licence does not make you a safe driver. That’s down to your behaviour behind the wheel.

Compliance is a baseline for security professionals in financial services. While it reduces risk, it’s not enough on its own to make organisations secure.

How do you know if it’s working?

Once the scope of the problem is defined, the focus should be on how to reduce cyber risk in the new working world. For that, you need great measurement. Financial services are used to working with data and putting metrics in place. But, when it comes to human cyber risk, we need to ask what these metrics tell us. Are they measuring behaviour? Are they helping define the risk level of an individual? Are they showing change?

Awareness on its own does not always lead to behavioural change. As a security professional, understanding whether your initiatives influence day-to-day employee behaviour is crucial. If we don’t know this, metrics have little use. As hybrid working becomes the norm, analysing the right data will lead to genuine change.

Building a security-first culture

The ultimate goal is to build a security-first culture. Organisations need to be honest with themselves – are they doing enough to create an environment where employees feel they can raise security concerns?

With the blurring of the lines between compliance and security, it is easy for employees to be wary of flagging security issues. The best results come in an environment where employees feel they can be open and honest about security and report incidents without fear of being reprimanded.

Personalisation is crucial in building this culture. One size never “fits all”. Most employees want to act safely, but we have to accept individual differences to achieve this. People respond to threats differently. Lina in accounting might react differently to the call of an “urgent financial issue” to Abid in customer services.

Appreciating the differences in teams means you can deliver tailored security initiatives. The result is greater employee confidence, changes in security behaviour, and lower cyber risk.

The challenge and the opportunity

Hybrid working presents both a challenge and an opportunity for security culture in financial services. The difficulties of influencing behaviour remotely have been a hot topic in the security community. But as organisations adapt to the new working world, we have a chance to elevate how we manage risk for every employee.

By building personalised security initiatives into the broader strategy for hybrid working, financial services businesses can empower their people to be the first and best tool in the bid to be cyber secure.

 
