Cyber Intrusions Replace Bank Robberies: Trillions Of Dollars At Risk
Security awareness training for employees is critical to reducing cybercrime incidents and damages
– Steven T. Kroll
Northport, N.Y. – Jun. 17, 2019
With global financial institutions a prime target for cyberthieves, security awareness training for employees is a critical feature in cyber defense.
Remember bank robberies from old western movies? A bad guy walks in, pulls out his six-shooter, and says, “stick ’em up.” Cut to the exterior. He hops on his horse and rides away with bags full of money. Usually a guard or some other person shoots at him but misses and does little more than kick up dirt.
What would the scene look like if the bank teller had awareness training?
Cyberspace is today’s Wild West. And serious threats to financial institutions no longer come from dusty cowboys but instead through sophisticated criminal and government-sponsored networks that use computers, ransomware, social engineering, and business email compromise (BEC) to steal trillions of dollars.
“If you look at bank robberies — people actually walking in — the statistics are low,” says Paul Caulfield, chief risk officer at Israel Discount Bank (IDB). “With information and cyber, it really is a new level of risk that we’re facing.”
“That money is being used to either launder and continue illicit operations — drug trafficking, human trafficking — and state actors trying to do incredible damage to companies and countries,” adds Caulfield.
Global financial institutions have multiple risks within their organizations. Caulfield notes liquidity, markets, financial crimes, regulatory compliance, consumer protection, and personal data as potential entry points for hackers. He oversees risk management for one of the largest Israeli-owned financial institutions, with clients throughout the U.S. and Latin America and strong ties with Israel.
Cybersecurity chiefs must develop impenetrable defenses that can be applied to any threat, crime, and attack vector, especially at an organization as large and diverse as Israel Discount Bank. Obviously, technology and hardware serve their purposes, but, as we’ve seen, they can be very limiting and even fail.
“All of that tech is deemed completely useless,” says Kyle Metcalf, CEO at Inspired eLearning, “if a hacker gets someone to hand over their credentials and walks in the front door.”
One way to deter cybercriminals from infiltrating financial institutions — and bolster cybersecurity technology — is by providing employees with security awareness training, a fast-growing market in the cybersecurity economy.
The process is simple. Training your employees in the knowledge and skills needed to detect phishing scams, vishing scams, and social engineering, among a slew of other threats, arms them against cybercrime — and they become the last line of defense.
“You hope in the line of defense type strategy that if the first line misses it, the second line catches. If the second line misses it, then the third line catches it — and that’s people,” says Caulfield.
Awareness training is often an afterthought when it comes to an organization’s security posture because many people, even C-Suite officers and board members, don’t buy in to the whole program.
Caulfield recalls a time when security awareness training involved looking at boring PowerPoint slideshows that seemed to go on endlessly, the purpose being just to check a box. He adds that the training today is never dry and always seems to have a point to it, which makes the program an effective security strategy.
“We use things like gamification,” says Metcalf. “We put a lot of thought and psychology into the courses themselves so the information is bite-size. Retention needs to be really high.”
Once the user finishes up an education module, she must take an assessment, which is then compared to a pre-assessment. “A hundred times out of a hundred you’re going to see someone improve,” says Metcalf. “And then from there it’s all about reinforcement and phishing simulations.”
Both Metcalf and Caulfield believe it’s not a matter of creating entertaining training courses for users. The organization has to celebrate employees’ success and empower them to make the right decisions and act with autonomy. This is done through a security-first culture, according to Metcalf, and by adopting the mindset that cybersecurity is a part of everyone’s job description.
If there is no security posture within an organization, the consequences are extreme. As Caulfield says, “the lights are going to go off,” referring to the episode in Ukraine. And “if you have nothing in place, you’re toast,” adds Metcalf.
I prefer to eat toast with the lights on. Do you?
– Steven T. Kroll is a public relations specialist and staff writer at Cybercrime Magazine.
Sponsored by Inspired eLearning
At Inspired eLearning, we are committed to delivering eLearning solutions of the absolute highest quality, ones which don’t simply check a box, but which drive positive and measurable changes in organizational culture as well. We want to help clients nurture and enhance workforce skills, protect themselves against cyberattacks and regulatory violations, and maximize the return on their investment in organizational training with our eLearning for employees.