For many, their natural defence mechanism is to deploy new technology and work on creating better processes. Unfortunately, what most fail to recognise is that it’s actually their people that are often the weakest link in the cyber security chain.
Let’s face it, most people only really care about cyber security when they are a victim of an attack. And by then it can be too little, too late. The good news is there are fresh options to improve cyber awareness and improve the culture of the organisation.
Australian financial services firms have new APRA requirements coming into force later this year, which will tighten controls with regard to mandatory data breach disclosure. However, legislation alone shouldn’t be prompting organisations to take action.
Customers of banking and finance services are becoming increasingly aware of, and concerned about, the security of their personal and financial data. If they don’t trust the security of their information, they will go to the next provider at the drop of a hat.
The cultural change opportunity
There is a good opportunity for finance industry leaders to rethink their approach to cyber education and build that into the culture of the organisation. Cyber education is not something people should do every 12 months with a few questions, it needs to be continuously reinforced.
There are three pieces to cyber security resilience: people, process and technology. For the past 12 to 24 months there has been a big focus on processes and technology, but unfortunately people still click on things they shouldn’t.
With people still the weakest link in the cyber chain, the conversation needs to be non-technical and presented to business at all levels.
Australian financial services firms are at risk, so the cultural conversation must take place from the employee at the front desk right through to the board, whose members can fall foul of the law under Europe’s General Data Protection Regulation (GDPR) and our Notifiable Data Breaches (NDB) scheme.
With cyber security still considered a non-concern by many people, an all-in approach is needed, which can only be achieved by changing the organisation’s culture.
Raising the profile of cyber awareness
If security isn’t top of mind for most people, let’s look at a few ways to improve awareness and hence bolster resilience.
- Start by giving people an education tool, which covers good practices for passwords and phishing, and allows them to consume it at any time. And make sure they do refresher sessions on a regular basis, not just once a year. Aura has its own training tool called CyberWise, an online training module that covers the basics of cyber security as well as practical real-world examples of what common attack techniques look like.
- Complement that with visual signs such as posters around the offices to get people talking about the importance of cyber security.
- An underutilised resource for cyber education is gamification. An online gamification approach to security makes cyber more social and adds to the visual reinforcement around the office to constantly remind staff that this thing is real.
- The tried and tested workshop can also be good for communicating with senior management. But make sure you put war stories in front of them. General staff need a gamified, app-driven approach to make the experience fun, as opposed to going into a room, listening to presentations and then working out where to go from there.
- This may be simple, but put cyber security on the agenda. Every senior management or board meeting should at the very least address the topic of security and what is being done to ensure the organisation, and its people, are aware of the risk.
Keeping up with the dos and don’ts
With the right tools and awareness the culture of an organisation will change, but to maintain a good standing – and keep up with evolving threats – it’s important to develop a process for monitoring and managing your cyber health.
As the old saying goes, if you can’t measure it, you can’t manage it, so do some testing such as simulating a cyber attack and review how it was handled and make appropriate changes if need be.
For example, by simulating a phishing attack on users before and after the deployment of a cyber education platform, you can measure the drop in the success rate of the fake scam. In my experience larger organisations understand this, but SMEs are still struggling due to a lack of budget or of general security discussions.
Getting stakeholders from the business to review what’s happening in cyber and to come up with ideas to improve education and culture takes time, but making the environment “fun” has a direct effect on people’s willingness to learn.
In another good example, a large enterprise highlighted to its staff who among them had done well in cyber matters in an email newsletter. Proactive rewards and recognition are good and your fresh approach should be rewarding and more “carrot than stick”.
You can measure staff participation for a learning management system and this should be done as part of an ongoing program. Also, make sure this information gets pushed out to the wider business.
It is possible to get good culture into other areas of the organisation; however, the owners must share success stories. Making sure the benefits are seen all across the business is imperative – there is no point having two organisational units with lax security as the bad guys can get in there too.
With new tools and a fresh approach, cyber security awareness training should be easy to use, customised and able to move education to the front and centre of people’s working lives.
Thanks to recent high-profile data breaches, consumers are becoming increasingly aware of how their personal data is stored and protected. This presents an excellent opportunity for financial services firms to actively promote what they do in regards to cyber security, which is now pertinent to their success.
Michael Warnock, Australia country manager, Aura Information Security