Security Awareness Training is a method of cyber threat prevention that financial service companies can benefit from. Here is an exploration of the main reasons to use this form of training if you are a financial services organisation.
Financial Services as a sector has seen a massive digital transformation in recent years. The sector is embracing new technologies to ensure better customer experiences and optimise operations.
However, digital transformation has also made the sector a target for cybercriminals: a 2020 cyber security survey of CISOs and CIOs in the financial services sector found that 65% of large financial organisations had suffered a cyber attack in the previous 12 months. Another report, this time from Boston Consulting, found that the financial sector experienced up to 300 times as many cyber attacks as other sectors.
Security Awareness Training for Financial Services
The hacker no longer resides in their parents’ basement wearing a hoodie. Instead, sophisticated, financially motivated, sometimes state-sponsored, hacking gangs are making cybercrime accessible for all.
Business models that provide hacking tools as a service are easily and cheaply available on the dark web. These tools, coupled with the increasingly honed social engineering skills of cybercriminals, have led to a tsunami of cyber attacks. Add remote or home working to this mix and you can see that the cyber threat planets are aligned.
Covid-19 has been an eye-opener for organisations around the world as scams that took advantage of the fear surrounding the pandemic proliferated. Scams that focused on employees used phishing tricks based on Covid-19 themes to steal login credentials or personal data, or to get an employee to install malicious software (including ransomware). As the landscape of work changes, phishing tactics and social engineering remain a key choice of cybercriminals intent on harm.
The results of social engineering and phishing are costly. A 2021 report from Sophos found that mid-sized financial service companies spend around $2 million to recover from a ransomware attack; this is more than the global average of $1.85 million. The report also highlights that 34% of financial service organisations suffered a ransomware attack in 2020.
Security Awareness Training is an effective response to the social engineering used by hackers.
Benefits of Security Awareness Training for Financial Services
To prevent cybercriminals from taking advantage of employees using social engineering techniques and phishing, firms can turn to Security Awareness Training. In financial services there are five key benefits of engaging in an awareness program:
Change Security Behaviour from Negative to Positive
Fraudsters, cybercriminals, scammers, whatever the name used to describe these nefarious activities, all focus on human behaviour. Security awareness is used to change poor security behaviour to create a positive approach to company safety.
Building positive security behaviour educates staff about the dangers of social engineering. Awareness training also explores the mistakes that can lead to data exposure: this is important when you consider that findings from the EC-Council show that 64% of data loss events are attributed to insiders who “meant well”.
Security Awareness Training teaches employees across the entire organisation about the importance of security. An effective training package will educate staff using interactive and engaging content on security tricks and scams, as well as providing phishing simulation exercises that teach employees how to spot phishing messages. Ongoing, effective Security Awareness Training creates a positive feedback loop, encouraging staff to recognise and respond to security attacks.
Stops BEC Scammers in their Tracks
Ransomware may make big news headlines, but Business Email Compromise (BEC) affects more companies. The 2020 FBI Internet Crime Complaint Center (IC3) report shows BEC affects four times as many companies as ransomware. Financial services companies are at risk of BEC fraud as much as any organisation.
A 2020 exposé from BankInfoSecurity detailed several BEC fraud accounts, including one involving a US-based bank. At this bank, an employee received an email from fraudsters masquerading as the bank’s CEO. The email asked the employee to urgently send a previously scheduled transfer of $1 million. The message included a change of account details, specifying that this was “due to the coronavirus outbreak and quarantine processes and precautions.”
BEC scams often involve complex surveillance of employees. Fraudsters even go as far as to build relationships with help desk operators and others in relevant departments, to find out information on company processes. Security Awareness Training teaches employees about the signs of BEC scams and the types of social engineering tricks used by scammers.
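The signs of a BEC scam described above (an executive's display name on an outside address, urgency, a payment request bundled with new account details, a topical pretext) can also be scored by a mail filter to route suspicious messages to a review queue. The following is an added example written for this article, not code from any vendor or from the BankInfoSecurity report; the company domain, executive directory and sample messages are all constructed.

```python
import re
from email.utils import parseaddr

# Constructed for this example: the firm's own domain and a directory of
# executives (display name -> real address) that scammers tend to impersonate.
COMPANY_DOMAIN = "examplebank.example"
EXECUTIVES = {"jane doe": "jane.doe@examplebank.example"}

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice)\b", re.I)
ACCOUNT_CHANGE = re.compile(
    r"\b(new|updated?|change[ds]?)\b[^.]{0,40}\b(account|bank|iban|routing)\b", re.I)
PRETEXT = re.compile(r"\b(coronavirus|covid|quarantine|lockdown)\b", re.I)

def bec_indicators(message):
    """Return the BEC indicators found in a message.

    message is a dict with 'from' and optional 'reply_to' (RFC 5322 address
    headers), 'subject' and 'body'. The checks are heuristics meant to feed a
    human review queue, not to block mail on their own.
    """
    display, addr = parseaddr(message["from"])
    _, reply_addr = parseaddr(message.get("reply_to", ""))
    text = message["subject"] + "\n" + message["body"]
    found = []

    sender_domain = addr.rsplit("@", 1)[-1].lower()
    real_addr = EXECUTIVES.get(display.strip().lower())
    if real_addr and addr.lower() != real_addr:
        found.append("executive_display_name_from_external_address")
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != sender_domain:
        found.append("reply_to_domain_mismatch")
    if URGENCY.search(text):
        found.append("urgency_language")
    if PAYMENT.search(text) and ACCOUNT_CHANGE.search(text):
        found.append("payment_with_account_change")
    if PRETEXT.search(text):
        found.append("topical_pretext")
    return found

# Constructed sample messages: one modelled on the case above, one benign.
SAMPLE_BEC = {
    "from": '"Jane Doe" <jane.doe@examplebank-secure.example>',  # lookalike domain
    "subject": "Scheduled transfer",
    "body": "Please urgently send the previously scheduled transfer of $1 million. "
            "Note the change of account details due to the coronavirus outbreak "
            "and quarantine processes and precautions.",
}
SAMPLE_BENIGN = {
    "from": '"Jane Doe" <jane.doe@examplebank.example>',
    "subject": "Board minutes",
    "body": "Attached are the minutes from last week's board meeting.",
}
```

Treat the presence of the executive impersonation indicator together with a payment request as the strongest signal; the other indicators on their own are common in legitimate mail.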
Helps to Ensure Regulatory Compliance
Employees are an integral part of maintaining data protection and privacy. Their actions can easily move a financial services organisation into non-compliance. Something as simple as a misdirected email can result in a fine. A recent survey found that 58% of employees admitted to sending an email to the wrong person.
Security Awareness Training helps prevent employees from making mistakes. Having an effective program in place that offers metrics and training automation also demonstrates a company’s commitment to security. Security Awareness Training is either mandatory or strongly encouraged by a variety of standards and regulations, including ISO 27001 and PCI DSS; PCI DSS states the following under Requirement 12:
“Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.”
Build a Human Firewall
Security measures such as robust access control, firewalls, endpoint protection, and encryption are important, but social engineering is designed to bypass traditional security solutions. Knowledgeable and security-confident employees are a vital part of the cyber security measures of a financial services firm.
By using Security Awareness Training, a company can build a ‘human firewall’. Each member of a team across the organisation then acts to bolster other members of that team. By carrying out regular security training, the human firewall becomes stronger and more effective at spotting social engineering tricks.
Bolster Employee Morale
A Carbonite report shows the impact of a cyber attack on individuals, with 24% of employees experiencing a drop in morale after an attack. Confidence builds staff morale. Security Awareness Training is a people-centric approach to securing an organisation’s assets. By giving employees the tools to help fight cybercrime, an organisation is empowering its staff to prevent a cyber attack. Security Awareness Training not only keeps the organisation safe but also lifts staff morale.
Financial service organisations the world over are a prime target for cybercriminals and fraudsters. Having an educated staff is part of a wider 360-degree view of securing a company from the ravages of these malicious and sinister attacks.