“The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.”
This was the warning from Elizabeth Denham, the UK’s Information Commissioner, issued following the Equifax cybersecurity breach. The credit reference agency was fined the maximum amount of half a million pounds in September 2018, for failing to protect the personal information of up to 15 million UK citizens during a cyberattack. It’s a reminder – if any were needed – of the impact and consequences of a serious breach.
The breach occurred despite cybersecurity being the top business priority in the sector for the second year running, according to EY’s 2019 Banking Barometer survey. In response to internal and external threats, banks are investing heavily in technologies such as artificial intelligence (AI) and advanced analytics. Technology is unquestionably a crucial weapon in tackling the cybersecurity threat, but it can’t be the only defence.
Leveraging people in addition to your investment in technology is a key success factor in helping to combat threats. Indeed, in the Equifax breach both “human error and technology failures” were cited.
The truth is, managing the evolving risks around cyber and data security requires investment in technology and people. Every single financial services employee has a role to play, and businesses can support their knowledge and skills in cybersecurity with appropriate training.
Detailed analysis of cybersecurity breaches reveals that people are often the biggest vulnerability for organisations, not malicious attacks. For example, almost 90% of data breaches self-reported by organisations to the UK’s Information Commissioner’s Office are down to human error. And a global survey found that almost a fifth of incidents were caused by mistakes made in the workplace. Why is this the case? It’s because hackers are exploiting employees’ lack of security knowledge.
How do your people use their work computers or devices? Do they have secure passwords? Can they spot a phishing email? Do they know the consequences of clicking on a link? Do they know what constitutes protected data? Have they been advised how to escalate an issue if they do spot a risk?
Cybercriminals and hackers are looking for one weak link, the single error that allows them to breach the system and wreak havoc. For this reason, one of the biggest challenges facing financial services businesses isn’t around training their security specialists, it’s raising the level of basic cybersecurity skills among everyone, from the boardroom to the general workforce.
Mass appeal and impact
Of course, these workers don’t need the same level of training as your specialist cybersecurity teams. But they do need to know enough to be aware of possible threats and how to instigate preventative action. Your workforce are your eyes and ears and they need to recognise the warning signs of a cyberhack. Tailoring the training to meet their needs is a balancing act between overwhelming them with too much detail and giving them enough practical knowledge to play their role in cybersecurity.
Here are four tips to think about when planning cyber and data security training for your workforce:
1. Allow room for failure
Knowing what to do is one thing, but applying that knowledge to safeguard the business is another. The best cybersecurity training gives people the opportunity to try it out for themselves; if they get it wrong, that’s fine, and better in a learning context than on the job. Learning games are the ultimate sandbox, enabling people to play repeatedly until they master the game (and the learning). As an example, our new game, Cybersecurity Sorted, enables people to practise spotting cyberthreats, such as phishing emails, over and over again, making it easier to apply their knowledge in the real world, when it really matters.
2. Make it interesting
Cybersecurity is business critical for any bank or financial institution and, given the seriousness of the subject, the temptation is to make learning about cybersecurity, well, serious. However, if that tips over into dull, then people are less likely to engage with the training and that will cost your business. Today, people expect rich, multi-media digital experiences in their personal life and the same standards need to be applied to their learning in the workplace. Using creativity to bring the topic to life and connect with your people really will help the message hit home. This could mean trying a new approach to cybersecurity training, such as a learning game, where people are motivated to participate because they enjoy the experience.
3. Focus on what’s most important
Most people in your organisation won’t need to know your cyber and data security policy off by heart. Instead, they need the key knowledge that will help them protect your business on a daily basis. By focusing on the most important areas rather than the unnecessary detail, your learning programme will be far more effective. By breaking down the topic into manageable chunks, your people will find it quicker to learn and easier to remember, especially if they work in busy, customer-facing roles. Microlearning is particularly effective in this instance, with learning activities taking just a few minutes each day to complete.
4. Engage with stories and scenarios
Cyber risk may be keeping the C-suite awake at night, but for it to matter to colleagues across the company it needs to be relatable to their world and experience. Finding the human stories behind the statistics on cybercrime is important to enable all your colleagues to connect with issues around cyber and data protection. Building your learning around these stories is an effective way to structure it, and allowing people to explore the narratives in scenarios, where they can make decisions and influence what happens next, will further engage your audience. We used this approach in our award-winning blended learning programme for AXA, the global insurance brand, by using real customer stories throughout the experience.
In conclusion, supporting all your colleagues to act as part of your corporate firewall has always made sense, but never more so than now, given the escalating cyberthreat to financial institutions around the world. Equipping them with the knowledge, skills and confidence they need to do the right thing at the right time starts with the best training.