
Forcing ‘gotcha’ security adherence can backfire, leaving financial organizations even more vulnerable

A team from the U.S. Coast Guard Academy participated in the National Security Agency’s 20th annual National Cyber Exercise from April 8-10, 2021. (Petty Officer 2nd Class Hunter Medley/Coast Guard)

You can lead a person to security awareness, but you can’t make them think.

With an ever-growing expectation of convenience outpacing their security concerns, financial customers and employees may never achieve what cyber-wonks would like to see in terms of how people protect themselves, their firm and data in general.

“Security awareness training is just that: awareness,” said Chuck Everette, director of cybersecurity advocacy for Deep Instinct, a company that employs artificial intelligence in detecting malware. “It still comes down to the human factor. Are the employees able to absorb the training, let alone apply it on a daily basis?”

As cyber criminals become increasingly sophisticated, even gaining control of email systems within a financial firm, it is becoming more difficult for employees to recognize malicious requests, content, or emails, Everette pointed out. Banks need to compensate by matching these threats with more advanced phishing training and by policing employee risk, he added.

But arguably, depending on the organization, it’s a struggle getting some customers and even employees to follow basic security protocols, never mind ratcheting up to more demanding requirements. For all intents and purposes, some people appear to have given up the fight, resigned to the idea that no matter what precautions they take, some bad actor, some piece of malware, some combination of attack vectors will render useless their best effort at maintaining good security practices.

According to a Harris Poll conducted in conjunction with financial vendor CSI last year, which surveyed more than 2,000 U.S. adults about their views on cybersecurity, 15% of respondents said they were “not worried” about security — almost double the 8% recorded two years prior. And the share of Americans worried about identity and card theft dropped from nearly three-quarters (72%) of consumers in 2019 to just 3 out of 5 (60%) last year, according to the poll. The survey’s authors see this as a kind of “fatalistic acceptance” in which people have become so inured to scams, fraud, phishing, incursions and every other kind of cyber threat that they no longer bother following procedures.

And yet, giving up on security awareness training would be throwing out the baby with the bath water. Like most industry groups, the National Institute of Standards and Technology (NIST) also continues to recommend that all organizations administer a security awareness program. As defenses drop and breach costs mount, some experts have suggested that financial firms start using the stick as well as the carrot to incentivize secure cyber behavior and boost the return on investment from their awareness efforts.

However, Daniel Trauner, senior director of security at Axonius, believed this “gotcha style” of forcing security adherence can backfire (especially in a tough job market) and will not “be effective in the long term... or at all on their own.”

“Most employees who fall for these simulations end up associating negative feelings with security,” Trauner said, comparing aggressive or tricky security testing to "ambulance chasing" sales tactics. “This negative association gets in the way of the constructive relationship building between security and other areas of the business that actually leads to that long-term success.”

At companies where employees tend to have better cyber hygiene, Trauner said it's usually because the “security team has constantly instilled the idea that security is everyone’s responsibility over a long period of time. When people feel like they play a direct role in influencing the secure or insecure outcome of the entire business, this great responsibility and related sense of ownership will cause them to change their practices.”

“There's also a strong positive sense of teamwork and camaraderie where it's the entire company against the adversary and not every person for themselves,” he added.

Dan Lohrmann, field CISO at Presidio Inc., an IT services management company, noted that the top brass also need to practice what they preach if they want to be more effective in winning over their employees. (In other words, a position at the top of the org chart is no excuse for leaving laptops unsecured, downloading unknown files or applications to devices with network access, or using more privileged access than necessary.) “Management needs to lead by example,” Lohrmann said, “and follow the same process and training given to other staff.”

Meeting people where they are — philosophically and logistically — is increasingly important, especially with so many more financial employees working remotely for the foreseeable future.

“Given today’s hybrid work model, it’s critical to find ways to establish scalable methods, processes and awareness training that can ensure unified security across all locations, no matter where employees work,” said Amit Bareket, the CEO and co-founder of Perimeter 81, a cloud and network security company.

To that end, Bareket, who previously served in the Israeli Defense Force’s elite Unit 81, recommended regular online training sessions that feature interactive quizzes and incentives to “engage” employees in the process.

“It’s imperative to create an open environment where every employee feels comfortable to ask questions,” Bareket said, “or elevating any activity that appears unusual or suspicious.”
