Megan Butler, the FCA’s Executive Director of Supervision – Investment, Wholesale and Specialists, recently gave a speech advising firms that cyber security is a people risk, not just a technology risk. So what kind of risks do staff pose and what role does cyber security training play? We look into the research.
Organizations See Frontline Employees as a Key Risk
Recent research suggests organizations recognize that their own staff pose the biggest cyber security risk. The 2018 Insider Threat Report surveyed 472 cyber security professionals to gain insights into how organizations view insider threats (defined as security issues arising from people within the organization).
More than 90% of respondents stated they felt vulnerable to insider threats, while 66% said they felt that insider threats, either malicious or accidental, were the most likely cyber security risk to affect their organization.
The FCA’s Cyber and Technology Resilience: Themes from cross-sector survey 2017-2018 report surveyed 296 firms and also noted in its analysis that respondents saw their own people as their biggest risk.
Cyber Security Training Can Address Common Risk Areas
In the Insider Threat Report, respondents stated that the following were the most common culprits of accidental insider threats:
- Phishing attempts (66%)
- Unlocked devices (44%)
- Bad password sharing practice (44%)
- Using unsecured Wi-Fi networks (32%)
What’s interesting about these results is that they’re all behaviors and habits that can be addressed with effective cyber security training. While knowledge of best practice often just needs reinforcing, motivating staff to change their behaviors is the key to long-term impact.
Educating staff on why they should adopt safe practices is central to this approach. In LEO GRC’s cyber security training courses, we use scenarios and case studies so learners can safely explore the consequences of poor decisions.
While 90% of respondents to the FCA’s survey said they had training in place, no research on the long-term impact of that training exists. Effective cyber security training must be more than a tick-box exercise; it should form part of a wider program that supports behavior change across the organization.
Firms Need to Identify and Train High-Risk Staff
While regular employees are seen as the highest risk to organizations according to the Insider Threat Report, those with privileged IT access are just behind. This is because such users typically have access to more sensitive data and therefore pose a higher risk to the business.
But the FCA’s research notes that firms have difficulty identifying and managing high-risk staff, and that even when such staff were identified, only 46% received additional training.
Providing additional specialized training to staff in high-risk areas should be a key priority for firms looking to further minimize the risk of insider threats.
Increased Accountability Is Needed for Senior-Level Staff
While there is a strong focus on the behavior of frontline staff when it comes to cyber security threats, the FCA’s research also notes that senior staff need to take responsibility for having an overall strategy in place to increase their organization’s resilience to those threats.
The report notes that firms that are subject to the Senior Managers and Certification Regime (SMCR) often have a clearer structure of roles, responsibilities and ownership for their cyber security strategy, and that “Effective governance at senior levels is essential to creating an environment for effective resilience throughout an organization, whatever its size”.
Culture Change and Training Is Required to Minimize the Risk of Insider Threats
The final point of Megan Butler’s speech was that a strong security culture was ultimately the key to organizations developing stronger resilience to cyber security threats:
“By creating a positive security culture you can build a truly resilient business. You can use the eyes and ears of your firm to react and respond to threats quickly (and accurately) and hopefully deal with issues before they ever become an incident. Recognising this success then helps to build and reinforce that secure culture.”
This is a people-centric approach, and it requires everyone in the business – from top to bottom – to change their behaviors and take greater accountability for minimizing the threats the business may face.
Cyber security training can be an important starting point in this drive for change. But it must be backed up by initiatives and strategies that embed a strong security culture throughout the business.