The posture of the information security culture is definitely reflected in the sector’s well-oiled communication channels. As cyberthreats constantly and rapidly evolve, it is crucial that effective communication processes are implemented. This allows employees to receive accurate and relevant information with ease, having an impact on the organization’s ability to prevent and respond to a security breach.
In IBM’s 2020
Collecting data from over 120,000 employees in 1,107 organizations across 24 countries, KnowB4’s
Moreover, with better communication comes a better attitude. Both banking and financial services scored 80 and 79 in this department, respectively. Good communication is integral to facilitating collaboration between departments and offering a reminder that security is not achieved solely within the IT department; rather, it is a team effort.
It is also a means of boosting morale and inspiring greater employee engagement. Again, attitudes are evaluations, or learned opinions. Therefore, by keeping employees informed as well as motivated, they are more likely to view security best practices favorably, adopting them voluntarily.
Predictably, the industry ticks the box on compliance as well. The hefty fines issued by the U.K.'s Information Commissioner’s Office in the past year alone, including Capital One’s $80 million penalty, probably play a part in keeping financial institutions on their toes.
Nevertheless, there continues to be room for improvement. As it stands, the overall score of 76 is within the "moderate" classification, falling a long way short of the desired 90-100 range. So, what needs fixing?
There is often the misconception that banks and financial institutions are well versed in security-related information due to their extensive exposure to the cyber domain. However, as the cognition score demonstrates, this is not the case — its score dawdles in the low 70s.
This illustrates an urgent need for improved security awareness programs within the sector. More important, employees should be trained to understand how this knowledge is applied. This can be achieved through practical exercises such as simulated phishing, for example. In addition, training should be tailored to the learning styles as well as the needs of each individual. In other words, a bank clerk would need a completely different curriculum versus IT staff working on the backend of servers.
By building on cognition, financial institutions can instigate a sense of responsibility among employees as they begin to recognize the impact that their behavior might have on the company. In cybersecurity, success is achieved when breaches are avoided. In a way, this negative result removes the incentive that typically keeps employees engaged with an outcome. Training methods need to take this into consideration.
Then there are norms and behaviors found to have strong correlations with one another. Norms are the compass from which individuals refer to when making decisions and negotiating everyday activities. The key is recognizing that norms have two facets, one social and the other personal. The former is informed by social interactions, while the latter is grounded in the individual’s values. For instance, an accountant may connect to the VPN when working outside of the office to avoid disciplinary measures, as opposed to believing it is the right thing to do. Organizations should aim to internalize norms to generate consistent adherence to best practices regardless of any immediate external pressures. When these norms improve, behavioral changes will reform in tandem.
Building a robust security culture is no easy task. However, the unrelenting efforts of cybercriminals to infiltrate our systems oblige us to press on. While financial institutions are leading the way for other industries, much still needs to be done. Fortunately, every step counts. Every improvement made in one dimension has a domino effect in others.
