Despite several technological advances, phishing continues to occupy top spots in lists of the most prolific cybersecurity risks. Recent research shows that phishing caused losses of $52 million in the United States alone.
Why are email inboxes so vulnerable to malicious attacks via phishing? The lack of effective cybersecurity education is an easy reason to point to. Most banks recognize the importance of cybersecurity but fail to translate the risks of a breach to their employees.
Here’s how banks can protect their customers’ data and their employees’ inboxes from phishing attempts through better education.
Focus on behavioral change
Most banks’ cybersecurity training programs go a bit like this: The bank gathers all non-technical employees in a hall, has its security team deliver a lecture with a few slides detailing breach statistics, and tries to scare its employees into doing the right thing.
Needless to say, this approach is not working. Instead of viewing employees as a risk, it’s time for banks to begin viewing them as a bulwark against phishing attacks.
To build this attitude, banks must focus on changing how employees behave under pressure rather than only making them aware of what creates the pressure. For example, instead of telling employees to watch out for malicious emails, banks must teach employees the concrete actions that will help them spot these emails.
The best way of doing this is to run simulations where employees are free to fail and learn new behaviors. Employees can test their judgment and receive instant feedback in a safe environment. This contrasts with the real world, where a breach is often the only feedback an employee ever gets.
Simulation platforms also give employees a chance to review progress and view learning paths. A non-technical employee’s skills will be very different from a technical employee’s. Giving both employees similar training paths doesn’t make sense, yet this is what banks do regularly.
Customizing learning paths and offering constructive feedback throughout is the way forward.
Install security as a founding principle
Most banks communicate the importance of security in negative terms. They highlight the risk of a breach, the damage to the bank’s brand, and the career damage an employee who falls victim to phishing may suffer.
These fear-based tactics don’t work when an employee receives a fake email from a person presenting themselves as their manager. An employee trusts the manager persona and is unlikely to ignore a demand from that entity. Instead, banks must adopt a positive approach and make security a part of the bank’s identity.
For instance, instead of trying to scare employees into not clicking malicious links, the bank should put in place a process that lets an employee quickly verify whether an email is a phishing attempt. Having a security person on call or giving employees an automated reporting tool are both good options.
These options do not hinder the employee’s daily workflow, and they reinforce the need for security. They make the employee feel like a part of the security apparatus rather than a hindrance. Processes are the key to installing security as a culture.
Tying physical security policies, such as shredding important documents or disposing of them in secure bins, to cybersecurity practices is essential. Employees must understand that their everyday actions matter. Currently, bank employees struggle to connect physical document security to cybersecurity.
By establishing this link, banks can leverage an employee’s existing knowledge to strengthen cybersecurity policies, reducing the burden on their security teams. Coupled with regular cybersecurity training in simulated environments, banks can build a robust security posture in which employees actively look out for phishing attempts.
Set communication templates
Emails contain a wide range of data, and bank employees use them to communicate with various stakeholders. Malicious actors use this to their advantage by posing as someone else and tricking employees into downloading malware.
One way of preventing this situation is to let employees know what kinds of communication are acceptable and how they ought to communicate. For instance, setting a communication template will help employees instantly identify emails that deviate from that norm.
An outside attacker is unlikely to know the internal communication templates and will send emails in a format that employees can easily identify as noncompliant. While installing such a process sounds heavy-handed, it’s the best way of helping employees see past the aura of a fake identity.
For example, most employees will open an email from the bank’s CEO without a second thought. However, if they notice that the communication format is wrong, they’ll look past the fact that the CEO persona sent that email. With their thinking thus engaged, they’re less likely to click on a malicious link.
These templates are a part of company culture, and much depends on how banks communicate their importance. Again, a fear-based approach hardly works. Banks must look at positive methods of enforcing them.
3 Phishing Education Tips for Banks to Prevent Data Breaches - November 8, 2023