Connect with us
Our website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

TECHNOLOGY

A Culture of Cyber Security Throughout Financial Services Organisations

A Culture of Cyber Security Throughout Financial Services Organisations 39

A Culture of Cyber Security Throughout Financial Services Organisations 40

By Michael Cantor, CIO, Park Place Technologies

Financial Services organisations have long been a top target for cyber-attacks given both the nature of their financial transactions and the sensitivity of the data being held and processed. It is not just the digital transactions themselves that entice cyber criminals to regularly try and breach existing security protocols. Financial Services’ organisations hold full Personally Identifiable Information (PII) data sets of customers, including home addresses, social security numbers, banking details, transaction history, phone numbers, email addresses, and income information. 

When breaches occur with this level of dependency information, cyber criminals can go on to easily access accounts, copy payment cards and make fraudulent purchases. Unsurprisingly, breaches are incredibly bad news and high impact in this sector as they undermine customer confidence, create large compensation cases, and regularly cause large fines for non-compliancy of data protection regulations (GDPR).

CISOs and Risk Managers

Creation of a complete culture of cyber security that spans right across financial establishments has therefore been a high priority for CISOs and Risk Managers in the finance arena, who find themselves at the forefront of the fight to engineer, foster and encourage a culture of pervasive cyber security awareness. These financial CISOs are the risk management professionals who live and breathe with the knowledge that any lapse by any employee can leave the entire organization exposed and vulnerable, and who understand the importance and safety that adherence to a detailed cyber security plan, unique to their organization, brings. Financial establishments and financial services have, more than any other sector, seen heightened advances in digital innovations through internet banking, mobile apps, and instant payments – and all occurring within a relatively short timescale.  Such fast adoption of new technology platforms can cause a perfect storm of vulnerabilities largely through lack of familiarity, potentially increasing the finance industry’s attack vector. 

Given the scope of the threat, no one CISO or group of cyber security specialists can be completely responsible for stemming attacks or changing employee behaviours. The requirement to create a pervasive culture of accountability for cyber security in finance has never been more critical with such a surge in digital innovation. Some CISOs struggle to gain immediate internal acceptance of cyber initiatives as they invariably increase extra security processes or in more extreme scenarios, can initially decrease productivity levels as users grapple with additional layers and verifications. Instead, CISOs should embark on a graduated path of security sensitivities. There are three routes in this journey that CISOs need to develop. 

Understanding Roles

First, if they are to successfully increase defences, CISOs need to fully understand roles and processes in the existing regime to understand why and when job functions rely on systems that could pose and increase vulnerabilities. Secondly, as with all successful change, CISOs should spend the first months of cyber change initiatives on the ground, familiarising themselves with workflows and identifying suitable departmental ‘champions’ who can act as envoys or ambassadors. They will become practical flag bearers for ongoing change who will be on-point for communications for threat handling and remediation. These departmental cyber champions will also field questions and interactions about cyber concerns, as you would with a local Health and Safety Officer. Creating any true culture change needs to facilitate two-way communications from day one and needs to embrace everyone, so selecting the right team is essential. Recognised accredited cyber training relevant to the expected outcomes of a cyber ambassador is critical here as responsibilities move outside of IT. Not only does individualised cyber training bring empowerment and extra capabilities internally, but it leads to personal recognition that reflects positively on future career opportunities.     

Once a thorough understanding and a development of a network of cyber ambassadors has occurred, CISOs need to quickly move to developing extra employee security practices and providing direction on ongoing cadences. But these new or enhanced security prevention measures invariably add to the time that it takes for employees to finish jobs. Collective attitudes towards prioritising cyber – and by extension, creating a cyber culture – can only be changed by first educating employees on the importance and rationale in changing behaviours or methods of completing a task. This education process can take many forms, starting with various impacts via a series of simple simulated attacks that provide anonymised responses back to risk professionals to highlight gaps in knowledge and provide early indicators on how easily breaches can occur and how fast new cyber processes can be adopted. Additionally, real world documented examples are often used to show how breaches have been catastrophic in similar sized organisations. Ongoing interactive education is key to building a continued culture of security. Education and learnings on the impact of the breach ramifications – from board level to new recruits – is essential, at all times building cyber security as an enabler rather than another workflow process to achieve. Successful financial companies who avoid security breaches on an ongoing basis additionally bring the importance of cyber security into annual employee reviews, keeping it top of mind and primary to employees’ performance (and renumeration). HR therefore also play a key part determining a blame-free, but responsible and empowering security culture. 

Empowering Employees

Establishing a culture means by its very nature, that all are driving towards the same goal. That means gentle, but constant re-enforcement. And here’s where the third part of cyber empowerment needs a careful balance to avoid falling into negative scare tactics or blame. Financial CISOs, for their part, need to at all times, empower employees with the right tools and resources to intelligently identify, question and report suspected attacks. They also need to deploy easy to use, reliable preventative tools such as password managers and dependable email security software, while not neglecting their own role in the ongoing monitoring of asset discovery to see which assets and software are lurking in the infrastructure (or may have been recently added to the infrastructure). Endpoint security, especially in hybrid environments, is more important than ever in these environments. 

Once a culture exists internally, next, CISO attention must turn towards suppliers and partners who themselves can create an entry point for breach. This can be achieved by clearly setting the organisations cyber security expectations up front and asking suppliers to prove compliance and adherence towards these standards, but within a reasonable, pre-agreed timeframe. 

Creating this inherent cyber culture can only occur through ongoing education and training of employees on the ever-changing threat landscape and linking the importance and rationale to adopt best practices. To achieve an ongoing culture of acceptance, cyber security must clearly help employees get their jobs done so that being security conscious is a positive, ongoing experience for any financial services business. 

 

Continue Reading