How to increase cybersecurity awareness at your institution
October may be National Cybersecurity Awareness Month, but safeguarding customers’ digital data should be a top priority no matter the time of year.
by Kylee Wooten, Sageworks
In 2017, nearly half of the population had their data exposed in the Equifax breach. By the midpoint of 2018, there were already 668 total security breaches and nearly 22.5 million records exposed. Community banks and credit unions are turning to technology to create a more efficient lending environment, as well as a more millennial-friendly digital experience. While technology can be an invaluable investment for a financial institution, it is also imperative to establish proper security controls and protocols for those technologies within the organization.
In 2005, there were fewer than 200 significant security breaches in the U.S.; in 2017, the number of breaches topped 1,300. While the business and medical sectors face substantially more security breaches than the financial services industry, the number of security breaches at financial companies has certainly been on the rise in recent years. The financial services industry encountered 69 breaches in 2017; meanwhile, by the halfway point of 2018, there had already been 84 breaches. Creating a digital experience for your customers and members goes beyond a beautiful website display or new online capabilities — it also means ensuring their information is safeguarded.
To create a culture of cybersecurity awareness at your financial institution, there are critical educational and preventative measures for employees, board members, stakeholders and vendors to acknowledge.
Build a proactive — not reactive — environment
One of the worst things an institution can do is to wait for something bad to happen before developing a robust cybersecurity system. Cybersecurity is not an occasional concern, but rather an everyday task that each employee at an institution should take seriously. Developing full buy-in from each employee at your institution is a critical first step to building a proactive culture of digital security. Emily Larkin, chief information security officer at Sageworks, suggests starting at the top with leadership and board members. “Get their attention by outlining the potential financial impact of a cybersecurity incident and breach,” Larkin said recently in a column for BAI Banking Strategies. “This is not a scare tactic, but a reality check and an education tool for those focused on growth and financials.”
Information security extends far beyond the IT team, and protective firewalls can only go so far. Larkin explains that employees at all levels should understand the financial implications of a breach, the reputational risk at stake, as well as the current vulnerabilities within an institution.
Align values with vendors
Purchasing software for an institution is a big undertaking, not only financially, but also from a due diligence perspective. Your customers and members expect your institution to keep their data safe and secure, and your institution should uphold those same standards for any third-party vendors it partners with. Be sure that your institution’s vendors hold the same cybersecurity standards as your bank or credit union. McKinsey & Company recommends scheduling regular conversations with vendors to state the levels of security required to protect your institution’s information. During these discussions, devise clear recovery and compensation plans and take the time to understand exactly how your institution’s data will be used. Banks are viewed as the most trusted provider of data security, but they also bear the greatest accountability should a breach occur. Be sure to fully vet and choose third-party vendors that will continue to allow your institution to uphold customers’ trust and pass regulatory scrutiny.
Educate employees and customers
Education is a virtually free way to thwart a cybersecurity attack at your institution. Oftentimes, individuals compromise information simply because they don’t know any better. The banking industry is one of the top targets of hackers using phishing attempts to breach security. Phishing scams can include spoofed emails or a spoofed website. To better prepare your employees for potential phishing attempts, Larkin suggests implementing phishing tests at your institution. Many tools allow institutions to send phishing emails, track those who open the email and click on links or attachments, and teach users how they could have spotted common phishing tricks. Phishing tests also allow institutions to implement and exercise response plans to better prepare employees for reporting suspicious activity.
Perhaps attackers are disguising themselves as your bank or credit union. Will recipients be able to distinguish your email from an attacker’s? On your institution’s website, you can include resources to help educate customers and members on the ways to identify potential phishing attempts. Provide examples of common scam tactics, such as the URLs or language that attackers often use in their phishing attempts. Providing resources to your customers not only prevents them from falling victim to phishing attempts, but it also strengthens their trust that your institution will keep their data secure.
There are many moving parts to developing a comprehensive strategy for cybersecurity awareness. Ensuring that every person who is part of your institution is committed to protecting its data and its customers’ data requires many different approaches. It’s important for financial institutions to understand that increasing cybersecurity doesn’t always mean purchasing more software. There are many ways to bolster your security simply by keeping employees, stakeholders and vendors educated and informed with up-to-date best practices and preventative measures.