Upcoming Training

Embracing A Culture of Cybersecurity

Banks look to all staff to assist in mitigating risk

By Hannah Flanders

Cyberattacks are ranked as one of the top threats to banks across the country. As these threats continue to become increasingly sophisticated and prevalent throughout our communities, bankers are looking to mitigate the risk for the safety of both their institution and all customers served. As such, administrators — including members of the human resources (HR) department — have been tapped to take on a new role alongside the information technology (IT) department to protect the bank from falling victim.

Prioritizing Cybersecurity

According to Proofpoint’s State of the Phish survey, approximately 79% of U.S. organizations reported at least one successful phishing attack in 2021. As cybercrime continues to rise — costing on average over $1 trillion a year around the world, as highlighted in a report published by McAfee Center for Strategic and International Studies — it is critical for the success of banks across the country that they establish a culture of cybersecurity.

In the American Bankers Association’s (ABA) Banking Risk and Compliance Management Outlook for 2023, surveyed bankers identified cybersecurity and IT risk to be, overwhelmingly, the top risk priority for the 18 months ahead. With the use of online banking and digital payments skyrocketing, and employee negligence being cited as one of the top reasons banks are put at risk — Proofpoint's survey highlights that around 27% of employees believe that their organization/IT department will take care of any mistakes. However, as the cost of cybercrime continues to become more expensive for impacted organizations each year, finding ways to educate both consumers and employees of the cyber risks they face will not only help protect information from being compromised, but save banks from contributing to the astounding losses reported by financial institutions each year.

The Federal Bureau of Information's (FBI) Internet Crime Report highlights that in 2021, Wisconsin totaled over $51,800,000 in victim losses. By taking proactive steps in both their cybersecurity protocols and training, banks throughout the state will have the opportunity to save the organization, and their customers, from substantial loss.

While banks make strides to incorporate risk mitigation — such as integrating multifactor authentication (MFA), a bare minimum in preventing bad actors from gaining access to accounts with greater privileges, and following regularly updated guidance from the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (FRB), and the Office of the Comptroller of the Currency (OCC) — into their procedures, those seeking to optimize their efforts are looking beyond their IT staff for assistance.

Team Effort

Establishing a culture that embraces cybersecurity begins from the top and requires uniting members throughout various departments. According to Marsh McLennan, a leading professional services firm in risk, strategy, and people, “a robust cybersecurity culture starts from the top of the organization and involves continuous communication and training for leaders across all key functions.” The firm highlights that, as of 2019, nearly 90% of all organizations only included InfoSec/IT, C-suite, risk management, legal, and finance professionals in the management of cyber risk.

“Cyber defense is a team endeavor, not just an IT or a management one,” emphasizes Rob Foxx, director – InfoSec and IT audit services at FIPCO. “Threats apply to all parts of an enterprise, as should defense.”

The Cybersecurity and Infrastructure Security Agency (CISA) highlights that HR professionals play an integral role in detecting, deterring, and mitigating threats by screening candidates prior to employment, managing secure information, and regularly communicating policies.

When HR professionals have a seat at the cyber risk management table, banks not only gain a risk-conscious ally, but also ensure that HR professionals throughout their organization have a strong understanding of the cyber risk policy they utilize in their own day-to-day operations. Additionally, ensuring that the HR team is abreast of the latest cyber risks and mitigation procedures is critical so that said information can be communicated with all staff members.

Playing A Part in Protection

As the U.S. financial sector continues to prioritize cybersecurity — regularly spending up to $3,000 per employee on ongoing cybersecurity education, according to the McAfee report — ensuring that every employee is making the most of their training, testing, or coaching and remains vigilant against all threats to the organization is critical for the safety and security the institution and its customers.

  • The Employee Lifecycle

Of course, HR plays a substantial role in the onboarding and offboarding process to evaluate the quality of incoming employees and ensure that all former staff are no longer granted access to confidential company data upon their departure. Furthermore, given the close ties to all staff members, HR can play an important role in clarifying policy, providing resources, and working behind the scenes to recognize and anticipate the potential information security issues, highlights the Society for Human Resource Management (SHRM).

  • Training

Although cyberattacks continue to cause headaches for businesses across the country, only 64% utilize organization-wide training, according to Proofpoint’s 2022 survey. Training, which is usually administered by the IT department or virtually, has the potential to be strengthened by HR’s involvement. In taking a human-centric approach that emphasizes how all staff members — administrative through executive leadership — play a role in the security of the institution, employee morale is heightened.

Additionally, because of HR’s close connection to staff throughout the bank, this department has the ability to emphasize and enforce the importance of practicing good cyber habits and encouraging training from the start. HR staff will also notice those who do not attend training, regularly fail simulated tests, or display non-compliance with cyber protocols. From there, action can be elevated beyond coaching from IT staff or managers.

“A significant amount of malware is fileless and exists only in active memory of a computer,” highlights Foxx. “While the next generation of antivirus has the ability to detect more activity than older versions, fileless attacks are just the beginning, and these tools can now detect abnormal user, host, and network activity. Ensuring your team is on the same page is a critical component in mitigating these attacks.”

  • Coordinating of Cybersecurity Requirements

In partnership with the IT department, HR should ensure that there are well-documented policies, standards, and best practices for not only averting attacks or breaches, but also for reporting attempted or successful cybercrimes. Throughout their day-to-day tasks, HR professionals are expected to adhere to the organization’s procedures and guidelines as well as communicate this information with staff. Understanding the various protocols, exploits, tools, and resources fraudsters utilize can help members of HR in assisting their staff to build confidence in mitigating a cyber risk. At the very least, Foxx adds, bankers should adhere to cyber security frameworks such as the NIST Cybersecurity Framework or ISO 27001 certifications, which assist organizations in gaining direction and highlighting areas of need.

As more aspects of our daily lives digitalize, and cybercrime and attacks become a regular and unfortunate normality across the banking industry, the need to secure sensitive data has become a widespread effort. It is critical that leaders look throughout their staff for unique perspectives and opportunities to educate. Establishing a culture of cybersecurity could be the difference between a secure and a compromised institution.

Cyber defense is a team endeavor, not just an IT or a management one. — Rob Foxx, director – InfoSec and IT audit services, FIPCO.