The recent banking security breaches in Nepal highlight gaps in the technology, processes, and people that manage critical information technology infrastructure. More importantly, there have been gaps in cyber security training and awareness. All banks and financial institutions should establish multi-year cyber security programmes with training and awareness as a critical component. Training and awareness are among the measures that reduce an organisation's security debt and risk. Banks and financial institutions should also recognise the value of cyber security training and awareness in supporting their bottom lines.
Humans are a major factor in cyber security incidents, whether an individual clicks a link in a phishing email or leaks information knowingly. A system compromise often starts with a human action. Some research has attributed more than 60 percent of data breaches to insider threats, whether malicious or negligent. Hence, training and awareness are critical controls in mitigating cyber risk. To develop effective cyber security training and awareness, banks and financial institutions need to address certain action items clearly. Some key ones are discussed below.
Assessment of training needs
What kind of cyber security training does an organisation need? A training needs assessment is the first step in identifying those requirements. Training ranges from basic cyber security 101 to advanced training on application and Application Programming Interface (API) security, as well as vendor-specific tools and technologies. The needs depend largely on employees' roles, company size, industry, and the technology stacks in use, among other things. Mapping training to employees' roles is the most direct way to identify what each group needs. Working with external cyber security assessment firms further helps to formalise the requirements and develop a multi-year training programme.
Basic cybersecurity and privacy training to employees
While the scope of training depends on an organisation's size and many other business aspects, basic cyber security and privacy training is needed for all employees. Basic training should cover computer hygiene, data security, roles and responsibilities, physical security, and do's and don'ts. This training should be given during the onboarding of new employees and refreshed every year or every six months.
Training on privacy and compliance
Regulatory data compliance is important in any industry. The data compliance and privacy team should ensure the institution adheres to the regulatory requirements of the Nepal Rastra Bank (NRB), the Payment Card Industry Data Security Standard (PCI DSS), the EU General Data Protection Regulation (GDPR), and others as applicable. Failure to comply results in regulatory fines and damages the institution's goodwill.
Technology-specific training for software engineers, security engineers, and engineering managers
This includes training on vulnerability management, threat modelling, digital forensics, application security, email security, and cloud security, as well as on technologies such as security information and event management (SIEM), intrusion detection systems (IDS), file integrity monitoring, endpoint security, and data loss prevention (DLP) systems.
Phishing and simulation training
This is one of the most common forms of cyber security training in an organisation. Phishing is the entry point for much malware, adware, and ransomware, so simulated phishing campaigns and the training that follows them can substantially reduce that threat. Organisations should also invest in email security controls so that phishing emails do not reach individual mailboxes in the first place, which shrinks the attack surface that training has to cover.
Internal processes and policies
Organisations should continuously train individuals on, and monitor adherence to, internal processes and policies covering incident response, acceptable use, employee privacy statements, communications, data classification, and so on. This helps ensure that the confidentiality, integrity, and availability of systems are maintained.
Cybersecurity refresher training for C-level executives
C-level (chief level) executives need to be well aware of the fundamentals of cyber security and privacy. They must support cyber security governance and cyber security programmes, including training and awareness. C-level executives must also understand the competitive advantage and product innovation that come from building security and privacy into financial technologies. Executives are prime targets of spear-phishing (often called whaling), so they should be trained on phishing and work with cyber security teams to mitigate such attacks.
Establishing cybersecurity as a shared responsibility
It is the responsibility of management to establish, through training and awareness, a culture in which security is a shared responsibility. A cyber security culture should share values across organisational units and spread accountability across the business units. Cyber security is not merely an IT problem but a complex amalgamation of people, processes, and technologies.
The wider benefits of cyber security training and awareness include shared values between organisational units, easier auditing and third-party compliance, increased predictability and reduced uncertainty in business operations, protection from legal liability, demonstrable accountability and due diligence, a firm foundation for risk management, and better protection of customer data and privacy.