Financial services firms must do more to educate employees about cyber security, according to the FCA (Financial Conduct Authority).
In a report published last month, the FCA urged organisations to tackle staff awareness training at all levels, and to ensure the lessons are simple and appropriate to the environment that employees work in.
The findings are the result of a discussion between 175 organisation, aiming to address security concerns in the fund and investment management, insurance, retail banking, and retail investment and lending sectors
What should financial organisations be doing?
Organisations need to make staff awareness training a board-level priority. The FCA report suggests that an enterprise risk management approach can “help executives place cyber risk within the appropriate context”, and help senior staff consider that context when running their business. Staff awareness training is a crucial part of this.
Ideally, financial organisations should go beyond the broad strokes of cyber security best practices and provide employees with in-depth, granular programmes that are tailored to the risks they face.
Senior personnel should not be exempt. BEC (business email compromise), which targets high-level employees, is a major security risk, and needs to be addressed head-on.
The report suggests that organisations run workshops with executives to help them understand risks that are specific to them and how to stay safe. Recent news stories are a great way of explaining how attacks work and the consequences they can have.
Employees across the organisation should also be taught about who might instigate attacks and why. One way to do this is to create profiles of the various types of culprit, such as state-sponsored attackers, profit-seeking criminal hackers, malicious insiders and negligent employees.
With this information, the organisation can break down the methods each threat actor might use, and explain how employees can mitigate the risk. For example, they can help prevent criminal hacking by keeping a close eye out for suspicious emails and ensuring they don’t click fraudulent links.
Similarly, employees can avoid committing accidental breaches by taking precautions whenever they transfer sensitive data. This includes steps such as not leaving removable devices lying around, and checking that emails containing privileged information are sent to the correct recipients.
Recruit champions
According to the FCA, you can ensure that your organisation maintains these practices by recruiting cyber security ‘champions’.
These should be influential members of staff who understand cyber security issues and are able to bridge any gaps between cyber security issues and the organisation’s defence technologies. This gives the organisation a clear sightline of the business that technology and security functions cannot always provide.
The only problem is that not every organisation has influential employees who have the time to perform these tasks. In fact, part of the reason cyber security is such a big problem is because organisations are already understaffed and under-skilled.
This doesn’t mean you can’t have a cyber security champion, though. It just means you might have to turn to a third-party solution, such as our Cyber Security as a Service.
How Cyber Security as a Service helps
One of the biggest challenges the financial sector faces is finding qualified personnel to implement and maintain their cyber security practices. This is particularly true for those that don’t have the budget to employ full-time practitioners.
With our Cyber Security as a Service solution, you can get all the guidance you need without the overhead. Our team of experts will handle your cyber risks and educate employees, allowing you to focus on what you do best – driving your business forward.
Backed by years of cyber security experience and a deep understanding of the challenges organisations face, we can help secure your organisation and provide you with a simple, adaptable way of addressing your cyber security needs.