It is oft-said that the weakest link in the security chain is the human operator — be they an employee or even a customer.
To that end, banks, credit unions, investment firms and insurance companies have embraced “security awareness training” over the past dozen years or so in effort to bring their people into the cyber-hygiene fold, to get them to be part of the solution, not the problem. Indeed, close to half of business leaders (47%) claim that “human error” was at fault for breaches they experienced, according to research conducted by Shred-It.
In other words, financial firms have led these awareness programs, using internal IT security staff and external consultants, with the intention of ensuring their employees would hold to basic security practices like using strong passwords, which they change on a regular basis; embracing multi-factor authentication, if that’s required; not sharing their work computer or other devices with colleagues or friends; and not using external devices (like their own personal mobile device or a USB they pick up).
“It's no surprise that security awareness training is increasing in popularity, but I'd wager that the unchanged or declining effectiveness of such training is due to the type of training used,” said Daniel Trauner, senior director of security for Axonius. “Everyone wants a cheap, quick-to-implement, and one-time solution to the perpetual problem of human behavior.”
Much of this training comes in the form of simulated phishing or other exercises designed to trick employees, which “is both straightforward to implement and easy to measure," Trauner added.
The rules can vary widely, even within the financial sector, depending on what business the institution conducts and the role of the employees themselves. However, as financial fraud has been on a rapid rise during the past two years (growing even faster than it had been), getting financial employees to stick to the rules has been a challenge, especially at a large organization where people might often be working remotely. According to Trend Micro, ransomware attacks on banks climbed by a staggering 1,318% last year, while basic fraud cases increased by 238%.
Over the past couple of years, with so many employees working remotely full- or part-time and the pressures pandemic has wrought, employees have arguably become sloppy and overwhelmed. After two years of on-again, off-again lockdown, mask-wearing and general stress, Tessian research found that 56% of IT security executives believe that employees have some bad cybersecurity habits. It says 1 in 3 employees believe they can conduct riskier behavior when working remotely. This, in turn, has led to unintentional — as opposed to malicious — insider risk.
According to recent research released by Code42, the financial industry is doing better than most sectors when it comes to building out security awareness and developing insider risk programs — with more than 2 out of 5 (41%) of financial firms conducting employee data security training weekly, and another 19% doing it monthly.
Yet, the same research found that more than three-quarters (78%) of the financial survey respondents believe that employee data security training should happen more often, and a full half of financial executives (50%) think their organizations should “completely overhaul” how they do data security training.
