
Financial institutions are prime targets for threat actors because of the valuable assets and sensitive data their systems hold. Financial services organisations have been estimated to be 300 times more likely than other companies to be targeted by a cyber attack. These attacks have grown more sophisticated in recent years, with the industry facing phishing, wire fraud and social engineering.
Last year alone saw multiple cyber incidents in the financial sector, among the most prominent the Evolve Bank & Trust ransomware attack, the SRP Federal Credit Union data breach and the Cabot Ireland cyber attack. As a result, financial organisations have had to become leaders in cyber security by necessity, to protect their people, sensitive data and systems from adversaries.
Although many factors can contribute to the escalation of an incident, the human element remains a significant concern for most organisations: it plays a role in 82% of breaches. To keep pace with the wide array of threats, organisations in the sector must prioritise educating their workforce about these risks and changing risky behaviours. But how?
Tackling Risky Security Behaviours
Traditional security awareness training has largely failed to change risky security behaviours within organisations. Conventional approaches have produced low retention rates because the content is infrequent, tedious and gives individuals no context about real-world threats. As a result, individuals remain unprepared and vulnerable to attack.
Financial institutions should instead consider a different approach to their security awareness strategy if they want long-term behavioural change: a data-driven one, in which solutions that monitor behaviour and track engagement metrics build a fuller picture of which behaviours are the problem, in which teams, and where they can be improved.
Detecting risky behaviours within teams remains a challenge. Last year we asked 163 cyber security professionals whether their organisation had a way to identify the user groups carrying out risky behaviours, and 49% admitted that they could not do so for every behaviour of concern. This blind spot limits an organisation's ability to target the behaviours that matter and drive long-term behavioural change.
Meeting Compliance By Tracking Metrics
Long-term behavioural change was not traditionally a priority for organisations, but with the recent surge in cyber attacks it has become a key focus. Tracking metrics gives organisations a durable way to build a concrete and effective security awareness strategy: understanding why risky behaviours occur, how often they happen and in which groups, and which interventions actually reduce them.
Measuring engagement and behaviour also helps financial institutions demonstrate compliance with regulations such as the EU's Digital Operational Resilience Act (DORA), while giving unique visibility into risky behaviours within the organisation. DORA requires financial entities to put in place robust ICT risk management measures to strengthen their digital operational resilience, and Article 13(6) explicitly requires them to include ICT security awareness programmes and digital operational resilience training as compulsory modules in their staff training schemes, applicable to all employees and to senior management. Being able to show which behaviours were measured, what changed and who was reached is far stronger evidence for that requirement than a completion record for an annual course.
Behaviour-based metrics also let organisations adapt their security awareness campaigns and tailor the content so that it speaks to the target audience.
Some security leaders may hesitate to adopt this approach; it is worth keeping an open mind, testing it and analysing the data for a direct link between the interventions and individuals' actions. Our clients in the financial sector have already seen the benefits first-hand, achieving an average of 80% engagement with Redflags® stories, with 86% of staff self-reporting that they spotted phishing test emails (a self-reported figure, which is best read alongside the measured click rates below).
A leading UK retail and business banking provider recently rolled out Redflags® to 2,300 employees across four targeted groups, delivering real-time "nudges" that reinforce key security behaviours, telemetry from silent "trackers", and longer-form security "stories" to improve cyber security awareness within teams.
During Phase 1 of the deployment the bank achieved 94% average engagement and a significant decrease in risky behaviours, including a 48.4% decrease in clicks on links in emails from new or unknown senders in Outlook and an 11.3% decrease in users leaving their screens unlocked.
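The survey finding above (49% cannot say which user groups carry out a risky behaviour) and the Phase 1 percentages both come down to the same piece of analysis: turning raw behaviour telemetry into a per-group rate and comparing it across a baseline and an intervention period. The script below is an added example written for this page; it is not Redflags® code, not the bank's data, and the event names (`unknown_sender_link_click`, `idle_screen_check`, and so on), the group names and the counts are all constructed for illustration. What it shows that the percentages alone do not is why each risky behaviour needs an exposure denominator: a group whose click count falls may simply have received fewer unknown-sender emails, and a group whose click count rises may be getting more of them while behaving exactly as before.

```python
"""Per-group behaviour metrics from constructed security telemetry.

Added example for this page, not vendor or client code. Event kinds, group
names and counts are assumptions chosen to make the arithmetic visible.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    """One telemetry record (assumed layout, not a real product schema)."""
    group: str   # user group the employee belongs to
    phase: str   # "baseline" (before nudges) or "phase1" (after)
    kind: str    # behaviour or exposure event type


# Each risky behaviour is paired with the exposure event that supplies its
# denominator. A count of clicks means nothing without the number of
# unknown-sender emails that arrived; a count of unlocked screens means
# nothing without the number of times an unattended screen was checked.
METRICS = {
    "unknown_sender_link_click": "unknown_sender_email",
    "screen_unlocked_idle": "idle_screen_check",
}

# Constructed sample telemetry as (group, phase, kind, count), expanded below.
SAMPLE_COUNTS = [
    ("retail_ops", "baseline", "unknown_sender_email", 200),
    ("retail_ops", "baseline", "unknown_sender_link_click", 40),
    ("retail_ops", "phase1", "unknown_sender_email", 250),
    ("retail_ops", "phase1", "unknown_sender_link_click", 25),
    ("branch", "baseline", "unknown_sender_email", 100),
    ("branch", "baseline", "unknown_sender_link_click", 5),
    ("branch", "phase1", "unknown_sender_email", 120),
    ("branch", "phase1", "unknown_sender_link_click", 6),
    ("retail_ops", "baseline", "idle_screen_check", 50),
    ("retail_ops", "baseline", "screen_unlocked_idle", 20),
    ("retail_ops", "phase1", "idle_screen_check", 50),
    ("retail_ops", "phase1", "screen_unlocked_idle", 10),
]
EVENTS = [Event(g, p, k) for g, p, k, n in SAMPLE_COUNTS for _ in range(n)]


def _counts(events, phase, group=None) -> Counter:
    """Count event kinds for one phase, optionally restricted to one group."""
    return Counter(e.kind for e in events
                   if e.phase == phase and (group is None or e.group == group))


def rate(events, metric, phase, group=None) -> Optional[float]:
    """Risky events per exposure event; None when the group had no exposure."""
    c = _counts(events, phase, group)
    exposure = c[METRICS[metric]]
    return None if exposure == 0 else c[metric] / exposure


def _pct(before: float, after: float) -> float:
    return (after - before) / before * 100.0


def raw_count_change(events, metric, group=None) -> Optional[float]:
    """Naive percentage change in the raw count of risky events (the trap)."""
    before = _counts(events, "baseline", group)[metric]
    after = _counts(events, "phase1", group)[metric]
    return None if before == 0 else _pct(before, after)


def rate_change(events, metric, group=None) -> dict:
    """Exposure-normalised change: the number worth reporting."""
    before = rate(events, metric, "baseline", group)
    after = rate(events, metric, "phase1", group)
    change = None if before in (None, 0) or after is None else _pct(before, after)
    return {"baseline": before, "phase1": after, "relative_change_pct": change}


def groups_above(events, metric, phase, threshold) -> list:
    """User groups whose risky-behaviour rate exceeds a threshold in a phase."""
    out = []
    for g in sorted({e.group for e in events}):
        r = rate(events, metric, phase, g)
        if r is not None and r > threshold:
            out.append(g)
    return out


if __name__ == "__main__":
    for metric in METRICS:
        print(f"== {metric}")
        for g in sorted({e.group for e in EVENTS}):
            rc = rate_change(EVENTS, metric, g)
            print(f"  {g:11s} raw count change: {raw_count_change(EVENTS, metric, g)}"
                  f"  rate change: {rc['relative_change_pct']}  ({rc})")
        print("  groups over 10% at baseline:", groups_above(EVENTS, metric, "baseline", 0.10))
```

With the constructed numbers, `retail_ops` clicks fall from 40 to 25 (a 37.5% drop in raw count) while its click rate halves, because it received more unknown-sender email in Phase 1; `branch` clicks rise from 5 to 6 (a 20% raw increase) while its rate is flat at 5%. Only the normalised figure tells you which group changed its behaviour, and `groups_above` is the per-group view that the 49% of surveyed organisations said they lacked. The same structure applies to any behaviour for which a sensible exposure event can be defined; where none can (the example returns `None` rather than a rate), the metric should not be reported as a percentage change at all.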