Building Cyber Hygiene in Financial Services is Imperative; Here’s How to Do It

Financial services remain one of the most breached industries. Not only does this sector experience a huge number of attacks but to add insult to injury, those breaches are getting more expensive. The financial sector has the second-highest average cost per breach (health care takes first place), according to the 2022 IBM Cost of a Data Breach Study. Financial institutions paid $5.97 million on average for each breach.

Across sectors, the cybersecurity skills gap is impacting companies in a significant way. There’s an estimated shortage of 3.4 million cybersecurity professionals. And what’s more, a survey by Fortinet found that 68% of business leaders believe unfilled IT and security positions are contributing to the number of breaches. That means the industry that most needs strong cybersecurity must compete for a smaller number of professionals who can fill their vacant job slots.

While there’s no substitute for skilled cybersecurity experts, one thing financial services organizations can do is shore up their overall cyber hygiene training for everyone, not just IT.

Cybersecurity is everyone’s job

FSIs must upskill their employees in order to help make up for the global shortage of cybersecurity workers. Regardless of their position, all employees require cybersecurity awareness training and ongoing updates on the most recent dangers and attack methods.

A heavy emphasis on awareness and training is essential for a successful cybersecurity strategy. This entails educating all staff members on the value of continuous delivery, collaboration and cybersecurity, as well as giving them the instruction and assistance they need to do their duties effectively.

To make sure that their teams have the knowledge and abilities necessary to succeed, financial services organizations must also adopt processes and technologies that foster collaboration and continuous improvement. They must also be prepared to allocate budget to ongoing training and development.

The idea of cyber hygiene is surprisingly straightforward: It entails a number of measures and practices that, when consistently followed, keep us safe and our devices functioning as they should. But with distributednetworks, ubiquitous IoT, the growth of multi-cloud infrastructures and an increasing reliance on SaaS application usage, that's easier said than done. The risks are now higher than ever due to the convergence of IT and OT, as well as the sheer quantity of outdated devices that can’t be taken offline since they control or monitor key systems round-the-clock.

What cyber hygiene awareness training should entail

Make sure all employees receive thorough training on how to recognize and report questionable online activity, practice safe online behavior, and, as of late, how to safeguard their home networks and personal devices. This training should happen both during the hiring process and on an ongoing basis throughout the employment life cycle.

CISOs can create a baseline of protection at the most exposed edge of their network to help keep critical digital resources secure by training people — especially remote workers — on how to maintain cyber distance, be aware of suspicious requests, and adopt fundamental security tools and protocols. Online education and expert-led workshops may be a part of this training.

Before assigning power users or allowing privileged access to critical digital resources, it's also vital to conduct background checks. By going the extra mile, organizations can make knowledge-based choices that will automatically reduce the risks posed by insider threats. As a financial services institution, this is likely already part of your on-boarding process and overall best practices, but it can’t be overstated.

Learning from others is also an important aspect of cybersecurity education. The CISOs of FSIs must be aware of what is happening beyond their own borders. To assist FSIs in learning about the most recent indicators of compromise (IOCs) and tactics, techniques and procedures (TTPs) being used, the Digital Operational Resilience Act (DORA) regulations in Europe permit information sharing.

Cyber hygiene is good security

The financial services industry remains one of the biggest targets for bad actors, but it continues to be plagued by the same cyber skills gap impacting sectors across all industries. As the cyber environment becomes increasingly complicated, banks are subject to new rules and compliance requirements. Financial services firms are regarded as critical infrastructure in many countries, including the United States, and their collapse would be severely detrimental to those countries’ economies.

At the same time, the skills gap is having a significant impact on financial services firms’ ability to fully protect their networks and data. That's why taking a strong stance on cyber training for all is essential. Use the recommendations above to give all employees every opportunity to become effective members of your cyber security team.

About the author
Michael Brown, field CISO for financial services at Fortinet, is a global security evangelist and advisor, helping financial services firms implement digital transformation while enhancing security and resilience. He specializes in cybersecurity regulations, ESG impact, SD-WAN, SD-Branch, zero trust, low-latency electronic trading security, SASE, and multi-cloud solutions.