Beating insider fraud requires a new culture
Cybercriminals continue to target banks and financial institutions worldwide as employees prove to be a weak link in the security chain no matter what technology solutions are put in place.
Human error is often found to be a contributing factor of a security breach, if not the direct source. According to the 2020 Verizon Data Breach Investigations Report, miscellaneous errors were found vying closely with web application attacks for the top cause of breaches affecting the financial and insurance sector. A secretary may forward an email to the wrong recipient or a system administrator may misconfigure firewall settings. Perhaps a user clicks on a malicious link. Whatever the case, the outcome is equally dire.
Business leaders have come to understand the role that people play in cybersecurity to establish a strong security culture within their own organizations. In fact, many leaders across the globe realize the importance of establishing a strong security culture not just because they fear the impact of a data breach, but more as a fundamental tool to the overall success of their organization in creating customer trust or enhancing brand value. Yet, the term lacks a universal definition, and its interpretation varies depending on the individual.
In one survey of 1,161 IT decision makers, 758 unique definitions were offered, falling into five distinct categories. While all are important, these categories taken apart only feature one aspect of the wider notion of security culture.
With an incomplete understanding of the term, many organizations find themselves inadvertently overconfident in their actual capabilities to fend off cyberthreats. This speaks to the importance of building a single, clear and common definition from which organizations can learn from one another, benchmark their standing and construct a comprehensive security program.
In an effort to measure security culture through an objective, scientific method, the term can be broken down into several key dimensions.
Attitudes. Formed over time and through experiences, attitudes are learned opinions reflecting the preferences an individual has in favor of or against security protocols and issues.
Behaviors. The physical actions and decisions that employees make which impact the security of an organization.
Cognition. The understanding, knowledge and awareness of security threats and issues.
Communication Channels adopted to share relevant security-related information in a timely manner, while encouraging and supporting employees as they tackle security issues.
Compliance. Written security policies and the extent that employees adhere to them.
Norms. Unwritten rules of conduct in an organization.
Responsibilities. The extent to which employees recognize their role in sustaining or endangering their company’s security.
All of these dimensions are inextricably interlinked; should one falter, so too would the others.