The mistakes financial organisations still make when it comes to phishing
The financial sector used to have a rather simplistic, one-dimensional approach to cybersecurity. Firms spent billions to create and apply innovative technologies designed to stop the cyber-crooks in their tracks. But for a number of years now, the majority have changed tack. Financial organisations have come to realise that, even with the best and brightest minds on the case, there are still significant shortfalls to an approach based solely on circuits and code.
Cybersecurity’s principal, most persistent threat – human behaviour – is hardly unfamiliar to those in the sector: 46% of banks report that their customers are “frequently attacked”, and last year, 70% of banks reported financial fraud incidents that have led to a monetary loss. Notable examples include Tesco Bank in the UK, where customers were defrauded of £2.5 million, and Italian bank UniCredit where 400,000 client accounts were compromised.
Firms have an acute understanding that it’s not just the customer side that’s vulnerable: the threat to staff is also very real. As history has shown, that risk goes all the way to the top: embarrassing phishing attacks have pranked the Morgan Stanley CEO, James Gorman, and the Bank of England’s Mark Carney.
Justifiably, the majority of firms are now actively engaged in combating the threat posed to their staff and their customers via social engineering. The problem is, not everyone is going about cybersecurity training in the right way.
Where cybersecurity training goes wrong
Despite their questionable effectiveness, “traditional” forms of cybersecurity training are still far too common in the sector: many companies choose to give staff training manuals with the unreasonable expectation that staff will act on information simply because they have read it. Others implement one-off training sessions. These have little impact, because they demand sustained concentration for the material to be absorbed at all, and cybersecurity hygiene inevitably deteriorates over the course of the year.
Outdated strategies proliferate. Staff may be told to look out for poor spelling and grammar, but it’s a strategy that falls to pieces if and when staff are sent fraudulent emails with immaculate spelling and grammar. Training is usually taught only in the context of the working environment, despite the fact that social engineering attacks can be received anywhere and at any moment, and people respond to emails on their phones and tablets.
Blame cultures, where users are punished or shamed for clicking phishing emails, also persist. People are successfully phished for a variety of reasons – their emotional state, their personality, the quality and apparent authenticity of a fraudulent email – and threatening staff doesn’t change or reduce these drivers. Accusations only dent the relationship between employees and security at a time when IT teams need employees to trust them and to approach them with concerns, suggestions, and information about possible data breaches.
The finance industry has also become heavily reliant on lazy metrics and on phishing its own staff. Naturally, there’s some merit to this approach; testing employees provides actionable feedback about which individuals and which departments might be susceptible. But statistics can prove distracting and even misleading if collected without thought. Organisations sometimes assume that if click rates for their phishing tests have fallen, then staff must be getting better at spotting rogue emails. But of course, you can get any result you want by modifying the emails you send out. Tests like these can never be a truly objective measure of defences.
The future of cybersecurity training
Current cybersecurity training practices in financial services are laden with misconceptions, assumptions, and less-than-optimal strategies. And while no cybersecurity strategy will ever be impenetrable, there are evidently positive changes that can be made.
Educational theory would be a good place to find improvements. Much research has been done into how adults assimilate new information and what constitutes effective learning.
It’s widely recognised, for example, that allowing individuals to control their rate of learning helps them to learn more effectively, that learning happens best when the instruction is related to real life experiences (Gestalt Theory), and that people learn more deeply from words and pictures than from words alone (multimedia principle).
While training should involve testing to ensure staff have retained and would be able to act on information, results should be treated with a healthy dose of scepticism. Cultures of blame caused by testing should be avoided at all costs. Training shouldn’t be about instilling fear; it should do quite the opposite. It’s a chance to empower staff.
Cybersecurity training should be regular: it’s well documented within educational psychology that people digest more information in smaller, regular bites. Training should recognise that different people learn in different ways, and should embrace modern technology that enables it to be done at a time and place convenient for the individual.
Most financial firms now know that they need to pay attention to the people aspect of cybersecurity strategy: failure to do so risks both the financial health of the company and its corporate reputation. But more can always be done. The next step, now, is to modernise training practices in line with educational theory, and to introduce a culture of cybersecurity empowerment so that an organisation’s people become its first line of defence against cyber threats.
By Oz Alashe MBE, CEO, CybSafe