A defined security culture is helping the financial industry, though the fundamentals should apply to any business.
I remember watching a bank being built. After the concrete foundation and ground floor were in place, workers began building a massive concrete and steel box right in the middle of the building’s floor. It finally dawned on me: That was the vault. It seemed impenetrable.
Financial institutions are hypervigilant when it comes to security. For as long as money and other valuables have needed physical protection, banks have had it pretty much figured out.
However, cyber bank robbers found new ways to sneak in over the internet and move money to accounts outside the jurisdiction of the country where the victim financial organization resides. Cybersecurity experts do their best to close those avenues, but cybercriminals are a wily bunch, and it is hard to keep them from finding some way to ply their trade. Sadly, they have: people are now the weak link. As evidence, Verizon's 2020 Data Breach Investigations Report identifies miscellaneous errors (human mistakes) and web application attacks as the top two causes of breaches in the financial and insurance sectors.
The culture of security
To combat the human weak link, Javvad Malik, security awareness advocate at KnowBe4, in his Global Banking & Finance Review commentary The Psychology Behind a Strong Security Culture in the Financial Sector, suggests that business leaders try a new strategy: Develop a security culture within their organization.
“Many leaders across the globe are realizing a strong security culture is of increasing importance, not solely for fear of a breach, but as fundamental to the overall success of their organizations,” writes Malik. “Yet, the term lacks a universal definition, and its interpretation varies depending on the individual.”
Malik adds, “This speaks to the importance of building a single, clear, and common definition with which organizations can learn from one another, benchmark their standing, and construct a comprehensive security program.”
How to develop a security culture
As to what a well-developed security culture consists of, Malik suggests the following building blocks are needed:
- Compliance: Written security policies and the extent to which employees must adhere to them.
- Attitude: Individuals must develop a mindset (learned opinions reflecting the organization's security protocols) on what to do or say.
- Behavior: When the time comes, employees must act or make decisions based on those learned opinions.
- Cognition: Attitude and behavior are meaningless unless there is an understanding, knowledge, and awareness of security threats and issues.
- Communication: Cybercriminal activity is not static, so there must be a methodology for sharing security-related information in a timely manner.
Malik warns, “All of these dimensions are inextricably interlinked; should one falter so too would the others.”
What financial institutions do right in terms of security
According to KnowBe4's Security Culture Report 2020, the banking and financial sectors were among the best performers at building a security culture. What is interesting is how much weight Malik gives to having well-oiled communication channels.
“As cyber threats constantly and rapidly evolve, effective communication processes must be implemented,” explains Malik. “This allows employees to receive accurate and relevant information with ease; having an impact on the organization’s ability to prevent as well as respond to a security breach.”
He then offers an example: “In IBM’s 2020 Cost of a Data Breach study, the average reported response time to detect a data breach is 207 days with an additional 73 days to resolve the situation. This is in comparison to the financial industry’s 177 and 56 days.”
Better communications mean better attitudes
A benefit of having good communications is that employees have a better attitude. “Good communication is integral to facilitating collaboration between departments and offering a reminder that security is not achieved solely within the IT department; rather, it is a team effort,” adds Malik. “It is also a means of boosting morale and inspiring greater employee engagement.”
Cognition is lacking
Even in the banking industry, the ability to identify a security threat as it’s happening needs improving, according to Malik. He adds, “By building on cognition, financial institutions can instigate a sense of responsibility among employees as they begin to recognize the impact that their behavior might have on the company.”
Getting consensus on anything is difficult, let alone on something as complex as an all-encompassing culture of security. However, like most things that are effective, it has a cost, and that cost is likely to be less than the fallout from suffering a data breach.
Malik concludes, “While financial institutions are leading the way for other industries, much still needs to be done. Fortunately, every step counts–every improvement made in one dimension has a domino effect on others.”