Keeping your business secure and safe from hackers

By Mark Brown, Founder Psybersafe


In the world of banking and finance, security is always the number one priority. But however secure your work systems are, you can never be completely sure that your employees are following the rules, particularly if you have implemented remote working or you have a workforce that travels and uses mobile devices. It doesn’t matter whether you are a global bank or a family-owned accountancy firm: you are still at risk. In fact, 90% of cyber security breaches are caused by human error, so education and training are as important as firewalls and cyber security technology.


You spend a lot of money safeguarding your own and your clients’ data. Most of that spend goes on technical defences. Business insurance, risk and management consultancy Gallagher suggests organisations should be spending 4% of their revenue on IT, including cyber security. Specifically, it says:

“It is worth mentioning … that the majority of breaches are caused by failures on the part of people and processes. So it is just as much about training and awareness, as it is about the latest technical solutions. Cybersecurity is not simply an ‘add-on’ for your business, it needs to run through your operations, and be embedded in your processes and culture.”

This training often tends to be neglected in the banking and finance sector. For smaller firms, it’s often an afterthought, and for large firms, it’s seen as a box-ticking exercise rather than an important cog in the cyber security wheel.

A seminar a couple of times a year, where your people are required to sit through a few hours of presentation slides, however amusing, will unfortunately have little long-term effect on how individuals behave on a day-to-day basis.

This is because our memories are not as reliable as we would like them to be. German psychologist Hermann Ebbinghaus researched this phenomenon and produced the ‘Forgetting Curve’. There are five important elements to his work on memory:

1. Memories weaken over time
2. The biggest drop in retention happens soon after learning
3. It’s easier to remember things that have meaning
4. The way something is presented affects learning
5. How you feel affects how well you remember

Knowing this, it’s easy to see that unengaging and infrequent cyber training is never going to change human behaviour. What we need to do is change people’s routines and habits around managing security and data – and ultimately their attitudes towards cyber security. When people are busy, overworked and have a lot on their plate, your cyber training needs to be regular, easy to access, have a purpose and achieve the aim – improving the human line of defence. It needs to be:

• Little and often
• Interesting
• Useful
• Actionable

Measurement is also key, both for the individual and for the organisation, so that each knows where it might need to adjust. And that means more than measuring clicks in a phishing campaign. Phishing campaigns, whilst they address awareness, often don’t address the root cause of why people keep clicking. Whilst recognising a phishing mail by its errors or strange links is useful, contextually well-crafted emails are still likely to trick any employee, so a phishing campaign alone will not solve the issue.

The focus should be on overall cyber hygiene – all related aspects of cyber security behaviour need to be addressed to change people’s behaviour. This requires a programme of training that tackles aspects of behaviour beyond just phishing mails.

And whilst training is key, it is not the only thing that influences how your staff act. Many subtle signals can support more secure behaviours, but they can also detract from them. Management needs to be seen to walk the talk, and to back cyber security training and campaigns visibly. Ideally the company uses its environment to its advantage – for example, visual cues that remind people to be careful with data and aware of who is in the office, and easy ways to dispose of confidential data. A clean desk policy can also support a security culture.

Further, certain areas of a financial institution are more at risk. Operations areas that can make or authorise payments, privileged account holders who can access systems holding sensitive data, and anyone with access to core processing systems all require additional training. This is where training has to be adaptable to suit the audience.


Keeping cybersecurity front of mind

Make sure you communicate regularly with your team about cybersecurity and provide regular training updates. Have a message that pops up every time someone logs into your system, for example. Use communications to reinforce the message – everything from daily team meetings to weekly all-business emails. Make sure people get into the habit of checking everything and assuming nothing.

Even in their personal lives, your employees need to be careful about oversharing data that might compromise them.

Interacting online is part of day-to-day life for the majority of the population. As a responsible employer, it is your duty to remind them to practise good digital citizenship, and that includes:

• Making sure that they remember to create strong passwords for every account they have on social media or elsewhere. A good password is at least 15 characters, with a mix of letters, numbers and special characters. Get them to use a password vault app to keep their passwords secure.

• Ensuring that they are clear that they shouldn’t share personal details – in posts or in images. That includes names, addresses, postcodes, schools, workplaces, dates of birth, phone numbers or other contact details.

• Not clicking on links in a text, message or email, even if it looks like it is from a friend or colleague – this is how phishing campaigns steal information. Instead, go directly to the site through your browser or app to check whether the link is real.

• Keeping your devices locked – even when you’re carrying your phone around with you, make sure it’s locked. If you leave it unlocked, it can take just seconds for someone to steal your information.


Hacking is here to stay

Hackers make a lot of money from their scams, and that means they are unlikely to stop any time soon. It is therefore up to your organisation to make sure that you give your people the training and environment they need to recognise the signs of a scam, along with the tools and behaviours that protect their own data and the data in your organisation.

At the top of this article, we said that 90% of successful cyberattacks are the result of human error. Now is the time to make sure your people are trained to be aware of the risks, know how to mitigate them and engage in the positive behaviours that protect themselves and your organisation in the long term.
