Arguably, financial institutions are doing well with security awareness training, especially when compared with other industries, owing to the sector's compliance demands and the severity of the threat it faces.
But is committing focus and resources to ensuring employees know how to protect their networks and data ever really enough, given how sharply the opportunities for intrusion have grown?
“Whatever the industry is currently investing in cybersecurity awareness is not enough, and in many cases, is misplaced,” said Shiran Grinberg, director of research and cyber operations at Cynet, an autonomous breach protection company.
“Phishing is the No. 1 cause of cyber incidents, which means unaware employees are the No. 1 target for threat actors to gain initial access to an organization's environment,” Grinberg said, adding that this means financial firms must “invest more to protect employees who have access to sensitive data.”
Even with that commitment and investment, “security awareness is always important,” said Guy Moskowitz, CEO of Coro, which provides a security platform for mid-sized businesses, “but there are two reasons it is not enough.”
“First, education must be ongoing — not an annual/quarterly occurrence — as the threats evolve so quickly and the attackers are continuously becoming more sophisticated and more devious,” Moskowitz said. “And second, offloading cyber responsibility to the end-user is not realistic.” A financial institution should not, unfortunately, expect an end-user who wants easy access, whether employee or customer, to spot and “neutralize an attack before it hits the user’s mailbox.”
"In the battle between convenience and security,” Moskowitz said, “convenience always wins."
Indeed, this simple axiom seems to be at the heart of security awareness and practice in financial services. Employees and customers may be "aware" of the pitfalls of slipshod security habits, but they do not correct them because those habits are easy and familiar.
"Any security strategy that relies on end-users being trained to make subtle security distinctions is likely to fail,” said Rajiv Dholakia, senior vice president of products for Privacera. “Instead, invest in your infrastructure to protect your end-users from needing to make such choices.”
Case in point: Phishing emails are widespread, but rather than relying on employees to spot them, Dholakia recommends that financial firms invest in “phishing-resistant authentication infrastructure to render those attacks ineffective and spare your users the burden of those subtle distinctions." In practice that means credentials such as FIDO2/WebAuthn security keys or passkeys, which are bound to the genuine site's origin, so that a look-alike domain obtains nothing it can reuse even when the user is fooled.
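To make concrete why origin-bound authentication takes the "is this the real site?" decision away from the user, the following is an added illustration; it is not code from the article or from any company quoted in it. It models the relying-party checks of a WebAuthn assertion (type, challenge, origin, rpIdHash, signature) and runs the same user through a genuine login, a look-alike domain, a replay, a relay attempt, and, for contrast, a password. The bank domain `bank.example`, the phishing domain `bank-example.com`, and the HMAC stand-in for the authenticator's signature are assumptions made so the script runs with the standard library alone.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "bank.example"                      # assumption: the bank's relying-party ID
RP_ORIGIN = "https://" + RP_ID              # the only origin the bank accepts
PHISH_ORIGIN = "https://bank-example.com"   # assumption: attacker's look-alike domain


class Authenticator:
    """Model of a FIDO2 authenticator (security key or platform passkey store).

    Credentials are scoped to an RP ID. The browser derives the RP ID from the
    page's real origin, so a look-alike domain can only ask for its own scope,
    never for the bank's. The signature is an HMAC stand-in (assumption) over
    the same bytes a real authenticator signs: authenticatorData || SHA-256(clientDataJSON).
    """

    def __init__(self):
        self._creds = {}                    # rp_id -> (credential_id, key); one credential per RP here

    def register(self, rp_id):
        cred_id, key = os.urandom(16), os.urandom(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key                 # the RP stores `key` where it would store a public key

    def get_assertion(self, rp_id, client_data_json):
        if rp_id not in self._creds:
            return None                     # nothing scoped to this RP ID: the page gets no assertion
        cred_id, key = self._creds[rp_id]
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        auth_data = rp_id_hash + b"\x01" + (0).to_bytes(4, "big")   # rpIdHash | flags (UP) | signCount
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {
            "id": cred_id,
            "authenticatorData": auth_data,
            "clientDataJSON": client_data_json,
            "signature": hmac.new(key, signed, hashlib.sha256).digest(),
        }


def browser_get(authenticator, page_origin, challenge):
    """The browser, not the page, writes the origin into clientDataJSON and picks the RP ID."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin}
    ).encode()
    return authenticator.get_assertion(rp_id, client_data)


def rp_verify(assertion, expected_challenge, stored_key):
    """Relying-party checks, in the order of the WebAuthn assertion verification procedure."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != expected_challenge.hex():
        return "challenge mismatch"         # stale or replayed assertion
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"            # assertion was produced on another site
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"          # credential is scoped to a different RP
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(stored_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"


def password_phish(victim_password, bank_password):
    """Contrast case: a password typed into the look-alike form is a reusable secret."""
    captured = victim_password              # the phishing form simply records it
    return hmac.compare_digest(captured, bank_password)   # the attacker replays it and logs in


def run_scenarios():
    auth = Authenticator()
    _, bank_key = auth.register(RP_ID)
    out = {}

    # 1. Genuine login on the real origin.
    ch = os.urandom(32)
    out["legit"] = rp_verify(browser_get(auth, RP_ORIGIN, ch), ch, bank_key)

    # 2. The user lands on the look-alike site and tries to sign in. The browser
    #    derives RP ID 'bank-example.com'; the authenticator holds nothing for it.
    out["lookalike"] = browser_get(auth, PHISH_ORIGIN, ch)

    # 3. An assertion captured earlier is replayed against a fresh challenge.
    out["replay"] = rp_verify(browser_get(auth, RP_ORIGIN, ch), os.urandom(32), bank_key)

    # 4. Relay attempt: the user even registers a passkey with the look-alike site,
    #    the attacker forwards the bank's real challenge, then rewrites the origin
    #    field before relaying the assertion to the bank. (A real RP would already
    #    fail to find this credential ID; the rpIdHash check stands on its own.)
    auth.register("bank-example.com")
    relayed = browser_get(auth, PHISH_ORIGIN, ch)
    cd = json.loads(relayed["clientDataJSON"])
    cd["origin"] = RP_ORIGIN
    relayed["clientDataJSON"] = json.dumps(cd).encode()
    out["relay"] = rp_verify(relayed, ch, bank_key)

    # 5. Same user, same look-alike site, but with a password.
    out["password_replay"] = password_phish("correct horse", "correct horse")
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16} {result}")
```

The look-alike case is the one that matters for the article's argument: the user made the wrong call and the attacker still walked away with nothing, because the browser and authenticator made the origin distinction for them. With a password, the identical mistake hands over a secret that works anywhere.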
Dan Lohrmann, field CISO at Presidio Inc., an IT services management company, said the best security awareness comes in the form of “training that is brief, frequent, focused and teaches people things they don’t already know. Boring training that is repeated over and over again will not work and is ignored by employees. But fun, engaging training that is gamified and changed on a regular basis does work in conjunction with other toolsets.”