Creating a Cybersecurity Awareness Culture at Financial Institutions

Angela Gelnaw | August 14, 2018 | tag: Cybersecurity

Banks and other financial institutions have always been burdened with a greater need for security than other industries. In the past, that meant hiring 24/7 guards and locking cash away in reinforced bank vaults. Today, it means having best-in-class cybersecurity teams and state-of-the-art detection and response technology.

However, when it comes to preventing data breaches, having the best cybersecurity experts and the fanciest tech isn’t always enough. Here’s how the FDIC puts it in their Framework for Cybersecurity:

“Even the best-designed security controls cannot fully protect a financial institution from one uninformed employee, contractor, or customer who unwittingly visits a malicious Web site, opens a malicious email attachment, or clicks on a malicious email link. Effective cybersecurity awareness programs should educate employees, contractors, and customers about the threat environment and encourage them to ‘Think Before You Click.’”

Here are some steps security leaders at financial institutions can take to create a cybersecurity awareness culture at their organization:

Understand the Risks

According to Verizon’s 2018 Data Breach Investigations Report, botnet (trojan) infections and denial-of-service attacks are by far the most common incident types in the financial sector. Once those high-volume incidents are set aside, phishing figures in many of the remaining cases, and email remains the delivery method of choice: 96% of the social-engineering attacks in the report arrived by email.


For financial institutions, employee behavior while interacting with email is a major risk factor for cyber attacks and data breaches. Creating a cybersecurity awareness culture requires training employees to be more vigilant while using technology, especially when working with email.

Go Beyond Training

Security awareness training is an increasingly popular service, and most financial institutions require their employees to undergo some kind of awareness training. However, training alone isn’t enough to truly create a cybersecurity awareness culture.

Whether it’s conducted in seminars, meetings, or online, security awareness training is typically focused on increasing the knowledge of employees. It might teach them about the consequences of falling prey to a phishing attack, or methods for spotting suspicious emails. However, this information is likely to fall on deaf ears if an organization does not also foster feelings of responsibility and accountability for cybersecurity among employees.

So, how does a security leader go about creating feelings of responsibility and accountability? It starts with being able to show results.

Because success in cybersecurity shows up as the absence of incidents, it is difficult for employees to feel connected to outcomes the way they do in other business areas, where results are visible. Without quantitative evidence of the effect of their actions (or inaction), motivation will inevitably erode, no matter how much training they undergo.

Measure Cybersecurity Performance

Luckily, there are ways to measure user awareness performance.

Many security training providers and consulting firms offer simulated phishing services. The provider sends realistic but harmless phishing emails to employees and records who opened the message, who clicked the link, who entered credentials on the landing page, and who reported the message to the security team. The click and credential-submission rates estimate how many users would fall victim to a real attack; the reporting rate shows how quickly the security team would hear about one. Tracked across campaigns, these results measure the effectiveness of awareness training and give employees concrete numbers to improve on.
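The kind of aggregation described above, as an added example that is not BitSight's code or any vendor's product: it parses per-recipient results from a phishing-simulation campaign (a constructed sample with assumed field names), computes click, credential-submission and reporting rates per business unit and for the whole organization, and compares two campaigns to show the trend.

```python
"""Aggregate simulated-phishing results into awareness metrics.

Added example; the record format below is an assumption, not any
vendor's export format. One line per recipient per campaign:
campaign,user,business_unit,clicked,submitted_creds,reported
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not real results): two campaigns, two units.
SAMPLE_EVENTS = """\
2018-02,alice,retail,0,0,1
2018-02,bob,retail,1,1,0
2018-02,carol,retail,1,0,0
2018-02,dave,treasury,0,0,0
2018-02,erin,treasury,1,0,0
2018-08,alice,retail,0,0,1
2018-08,bob,retail,0,0,1
2018-08,carol,retail,1,0,0
2018-08,dave,treasury,0,0,1
2018-08,erin,treasury,1,1,0
"""

ORG = "*"  # pseudo business unit holding the organization-wide totals


@dataclass
class Metrics:
    recipients: int = 0
    clicked: int = 0
    submitted: int = 0
    reported: int = 0

    # Rates use delivered messages as the denominator, so units of
    # different sizes are comparable.
    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients if self.recipients else 0.0

    @property
    def submit_rate(self) -> float:
        return self.submitted / self.recipients if self.recipients else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients if self.recipients else 0.0


def parse_events(text: str):
    """Yield (campaign, user, unit, clicked, submitted, reported) tuples."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        campaign, user, unit, clicked, submitted, reported = line.split(",")
        yield campaign, user, unit, int(clicked), int(submitted), int(reported)


def aggregate(events) -> dict:
    """Return {(campaign, unit): Metrics}, with unit ORG for campaign totals."""
    totals = defaultdict(Metrics)
    for campaign, _user, unit, clicked, submitted, reported in events:
        for key in ((campaign, unit), (campaign, ORG)):
            m = totals[key]
            m.recipients += 1
            m.clicked += clicked
            m.submitted += submitted
            m.reported += reported
    return dict(totals)


def trend(metrics: dict, earlier: str, later: str) -> dict:
    """Per-unit change in each rate between two campaigns (later minus earlier).

    Negative click/submit deltas and positive report deltas are improvements.
    Units present in only one campaign are skipped rather than guessed at.
    """
    units = {u for (c, u) in metrics if c == earlier} & {u for (c, u) in metrics if c == later}
    out = {}
    for unit in units:
        before, after = metrics[(earlier, unit)], metrics[(later, unit)]
        out[unit] = {
            "click_rate": after.click_rate - before.click_rate,
            "submit_rate": after.submit_rate - before.submit_rate,
            "report_rate": after.report_rate - before.report_rate,
        }
    return out


if __name__ == "__main__":
    m = aggregate(parse_events(SAMPLE_EVENTS))
    for (campaign, unit), v in sorted(m.items()):
        print(f"{campaign} {unit:9s} click={v.click_rate:.2f} "
              f"submit={v.submit_rate:.2f} report={v.report_rate:.2f}")
    for unit, delta in sorted(trend(m, "2018-02", "2018-08").items()):
        print(f"trend {unit:9s} click={delta['click_rate']:+.2f} "
              f"report={delta['report_rate']:+.2f}")
```

Two practitioner caveats the numbers do not carry on their own: a drop in click rate between campaigns only means something if the lures were of comparable difficulty, and a user who clicks and then reports (both flags set) is a better outcome than one who clicks silently, which is why the reporting rate is tracked alongside the click rate rather than folded into it.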

Security ratings, like those offered by BitSight, provide quantitative metrics of performance in key areas of cybersecurity, including:

  • File Sharing and User Behavior Risk
  • Disclosed Credentials
  • Malware Servers
  • Botnet Infections
  • Patching Cadence and Outdated Software
  • Public Disclosures

These ratings are updated daily and are calculated from externally observable information, meaning they can be obtained for any organization, not just one’s own.

By identifying the risk vectors that are directly or indirectly related to user behavior (botnet infections, disclosed credentials, and file-sharing risk are the obvious ones in the list above), security leaders at financial institutions can use security ratings to keep tabs on the level of cybersecurity awareness among their employees.

Gamification: Benchmarking for Motivation

Equipped with a continuous, quantitative picture of cybersecurity awareness performance, security leaders can get creative with methods for motivating employees to stay vigilant.

Because security ratings are derived from externally observable data, they exist for other organizations as well and can be compared directly across business units, competitors, or the industry average. By showing employees how their collective performance stacks up against, say, their biggest competitor, security leaders can motivate users to do better.

In addition, security ratings can be used to measure historical performance. By comparing today’s metrics with those from six months ago, security leaders can see whether cybersecurity awareness has increased, decreased, or stayed the same. This data can be used to motivate employees, and can also be used to determine the ideal frequency for security awareness training and which training methods are most effective. One caveat: a change in an externally observed metric such as botnet infections may reflect patching or network changes rather than user behavior, so pair ratings with direct measures such as phishing-simulation click rates before crediting or blaming awareness.

This is just a brief summary of how financial institutions can create a cybersecurity awareness culture. For a deep dive into the subject, check out our ebook The Secret to Creating a Cyber Risk-Aware Organization.
