Megan Butler, the FCA’s Executive Director of Supervision – Investment, Wholesale and Specialists, recently gave a speech advising firms that cyber security is a people risk, not just a technology risk. So what kind of risks do staff pose and what role does cyber security training play? We look into the research.
Organisations see frontline employees as a key risk
Recent research suggests organisations recognise that their own staff pose the biggest cyber security risk.
The 2018 Insider Threat Report surveyed 472 cyber security professionals to gain insights into how organisations view insider threats (defined as security issues arising from people within the organisation).
More than 90% of respondents stated they felt vulnerable to insider threats, while 66% said they felt that insider threats, either malicious or accidental, were the most likely cyber security risk to affect their organisation.
The FCA’s Cyber and Technology Resilience: Themes from cross-sector survey 2017-2018 report surveyed 296 firms and also noted in its analysis that respondents saw their own people as their biggest risk.
Cyber security training can address common risk areas
In the Insider Threat Report, respondents stated that the following were the most common culprits of accidental insider threats:
- Phishing attempts (66%)
- Unlocked devices (44%)
- Bad password sharing practice (44%)
- Using unsecured Wi-Fi networks (32%)
What’s interesting about these results is that they’re all behaviours and habits that can be addressed with effective cyber security training. While knowledge of best practice often just needs reinforcing, motivating staff to change their behaviours is the key to long-term impact.
Educating staff on why they should adopt safe practices is central to this approach. In Eukleia’s cyber security training courses, we use scenarios and case studies so learners can safely explore the consequences of poor decisions.
While 90% of respondents to the FCA’s survey said they had training in place, no research on the long-term impact of that training exists. Effective cyber security training must be more than a tick-box exercise and form part of a wider programme that supports behaviour change across the organisation.
Firms need to identify and train high-risk staff
While regular employees are seen as the highest risk to organisations according to the Insider Threat Report, those with privileged IT access are just behind. This is because those users typically have access to more sensitive data and therefore pose a higher risk to the business.
But the FCA’s research notes that firms have difficulty identifying and managing high-risk staff, and that even when such staff are identified, only 46% receive additional training.
Providing additional specialised training to staff in high-risk areas should be a key priority for firms looking to further minimise the risk of insider threats.
Increased accountability is needed for senior level staff
While there is a strong focus on the behaviour of frontline staff when it comes to cyber security threats, the FCA’s research also notes that senior staff need to take responsibility for having an overall strategy in place to increase their organisation’s resilience to cyber security threats.
The report notes that firms who are subject to the Senior Managers and Certification Regime (SMCR) often have a clearer structuring of roles and responsibility and ownership of a cyber security strategy, and that “Effective governance at senior levels is essential to creating an environment for effective resilience throughout an organisation, whatever its size”.
Culture change and training are required to minimise the risk of insider threats
The final point of Megan Butler’s speech was that a strong security culture was ultimately the key to organisations developing stronger resilience to cyber security threats:
“By creating a positive security culture you can build a truly resilient business. You can use the eyes and ears of your firm to react and respond to threats quickly (and accurately) and hopefully deal with issues before they ever become an incident. Recognising this success then helps to build and reinforce that secure culture.”
This is a people-centric approach and it requires everyone in the business – from top to bottom – to change behaviours and increase accountability for minimising threats that may face the business.
Cyber security training can be an important starting point in this move for change. But it must be backed up by initiatives and strategies to embed a strong security culture throughout the business.