4 ways to equip everyone in financial services for their role in cyber security
Posted on Apr 04, 2019
Games & gamification
"The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce.”
This was the warning from Elizabeth Denham, the UK’s Information Commissioner, issued following the Equifax cyber security breach. The credit reference agency was fined the maximum amount of half a million pounds in September 2018, for failing to protect the personal information of up to 15 million UK citizens during a cyberattack. It’s a reminder – if any were needed – of the impact and consequences of a serious breach.
The breach occurred despite cyber security being the top business priority in the sector for the second year running, according to EY’s 2019 Banking Barometersurvey. In response to internal and external threats, banks are investing heavily in technologies such as artificial intelligence (AI) and advanced analytics. Technology is unquestionably a crucial weapon in tackling the cyber security threat, but it can’t be the only defence.
Leveraging people in addition to your investment in technology is a key success factor in helping to combat threats. Indeed, in the Equifax breach both “human error and technology failures” were cited.
The truth is, managing the evolving risks around cyber and data security requires investment in technology and people. Every single financial services employee has a role to play, and businesses can support their knowledge and skills in cyber security with appropriate training.
Detailed analysis of cyber security breaches reveals that people are often the biggest vulnerability for organisations, not malicious attacks. For example, almost 90% of data breaches self-reported by organisations to the UK’s Information Commissioner’s Office are down to human error. And a global survey found that almost a fifth of incidents were caused by mistakes made in the workplace. Why is this the case? It’s because hackers are exploiting their lack of security knowledge.
How do your people use their work computers or devices? Do they have secure passwords? Can they spot a phishing email? Do they know the consequences of clicking onto a link? Do they know what constitutes protected data? Have they been advised how to escalate an issue if they do spot a risk?
Cyber criminals and hackers are looking for one weak link, the single error that allows them to breach the system and wreak havoc. For this reason, one of the biggest challenges facing financial services businesses isn’t around training their security specialists, it’s raising the level of basic cyber security skills among everyone, from the boardroom to the general workforce.
Mass appeal and impact
Of course, these workers don’t need the same level of training as your specialist cyber security teams. But they do need to know enough to be aware of possible threats and how to instigate preventative action. Your workforce are your eyes and ears and they need to recognise the warning signs of a cyber hack. Tailoring the training to meet their needs is a balancing act between overwhelming them with too much detail and giving them enough practical knowledge to play their role in cyber security.
Here are four tips to think about when planning cyber and data security training for your workforce:
1. Focus on what’s most important
Most people in your organisation won’t need to know your cyber and data security policy off by heart. Instead, they need the key knowledge that will help them protect your business on a daily basis. By focusing on the most important areas rather than the unnecessary detail, your learning programme will be far more effective. By breaking down the topic into manageable chunks, your people will find it quicker to learn and easier to remember, especially if they work in busy, customer-facing roles. Microlearning is particularly effective in this instance with learning activities taking just a few minutes each day to complete.
2. Allow room for failure
Knowing what to do is one thing but applying that knowledge to safeguard the business is another. The best cyber security training allows people the opportunities to try it out for themselves; if they get it wrong, that’s fine, and better in a learning context than on the job. Learning games are the ultimate sandbox, enabling people to play repeatedly until they master the game (and the learning.) As an example, read about our GDPR game that teaches people the key principles of the new data protection rules while testing their skills at spotting sensitive data and avoid a data breach.
3. Make it interesting (even dramatic)
Cyber security is business critical for any bank or financial institution and given the seriousness of the subject the temptation is to make learning about cyber security, well, serious. However, if that tips over into dull then people are less likely to engage with the training and that will cost your business. Today, people expect rich, multi-media digital experiences in their personal life and the same standards need to be applied to their learning in the workplace. Using creativity to bring the topic to life and connect with your people, really will help the message get home. Think of the excellent DigiSafe adverts by Barclays, although they are aimed at customers not employees, they show just how powerful emotion and drama can be.
4. Engage with stories and scenarios
Cyber risk may be keeping the C-suite awake at night but for it to matter to colleagues across the company it needs to be relatable to their world and experience. Finding the human stories behind the statistics on cybercrime is important to enable all your colleagues to connect with issues around cyber and data protection. Building your learning around these stories is an effective way to structure the learning and allowing people to explore the narratives in scenarios, where they can make decisions and influence what happens next, will further engage your audience. We used this approach in our award-winning blended learning programme for AXA, the global insurance brand by using real customer stories throughout the experience.
In conclusion, supporting all your colleagues to act as part of your corporate firewall has always made sense, but never more so than now, given the escalating cyber threat to financial institutions around the world. Equipping them with the knowledge, skills and confidence they need to do the right thing at the right time starts with the best training.
You may also be interested in
We look at the role of digital learning in strengthening customer centricity in financial services by building customer rapport and empathy.
How can compliance training deliver the ethical behaviours that customers expect from today’s financial services industry?
Join the Sponge team
Great people are fundamental to Sponge. We employ many industry-recognised leaders and are busy growing the next generation of leaders. We don’t just look for talented people who can do a particular job – we look for people who share our passion and values.Read more