
Employee Security Awareness Training Best Practices for FIs

4 min read
Jan 3, 2024

IT Risk: Best Practices for Employee Security Awareness Training at Your Financial Institution

What comes to mind when you think about cyberattacks in banking? Shadowy figures penetrating a financial institution’s network in an elaborate scheme that involves an unmarked van? Criminal masterminds slipping into a branch to plant secret surveillance devices?

Believe it or not, cybercriminals don’t take their cues from Ocean’s Eleven.

As many as 91% of all cyber breaches begin with a phishing email, according to a study from Deloitte. That’s right – more than 9 in 10 successful cyberattacks start when an employee clicks a link in a malicious email.

Cybercriminals exploit our greatest vulnerability: our trust in others. Management and security experts at financial institutions need to take this into account, devoting time and energy to ensuring employees understand the cybercriminal toolkit. That makes employee security training essential for every financial institution.

Employee security awareness training at a financial institution is as important as, if not more important than, the strongest firewall.

Social engineering: banking’s greatest cybersecurity threat

When two former fraternity brothers from Florida State hacked into JP Morgan’s computer systems in 2014, they compromised the data of 76 million American households. Their efforts earned them a Wikipedia entry.

How did they break down the megabank’s wall of cyber defenses?

They accessed the login credentials of a current employee.

Scattered Spider wreaked havoc on MGM Casinos and Resorts in 2023. The gaming giant lost millions when cybercriminals shut down its computer system for several days.

How did a company worth billions fail to protect itself from such an attack? MGM, too, relied on third-party technology providers. One of these vendors, Okta, supplied MGM with cloud-based identity software.


Masquerading as an employee from Okta, a hacker simply called up the vendor and obtained credentials that allowed them to access MGM’s systems. Vishing attacks, which borrow their tactics from traditional phishing schemes, can be even more effective than email.

A portmanteau of “voice” and “phishing,” vishing lets cybercriminals create a sense of urgency in real time over the phone. These attacks are becoming more dangerous as criminals use AI to clone people’s actual voices. Employees need training to identify bad actors across every communication channel (email, text, phone, and so on) and to understand their institution’s policies and procedures for credentialing and information security.

Many fall back on the cliché that cybercriminals are getting smarter. But how much intellect does it take to call a company and pretend to be someone else? One of the infamous JP Morgan hackers worked as a door-to-door kitchen knife salesman before perpetrating one of history’s largest cybercrimes.


In a digitally connected world, cybercriminals have more points of entry into an institution’s IT systems. Hackers might be smarter now, but what has certainly changed is the number of opportunities to exploit human vulnerabilities. These door-to-door knife salesmen depend on employees handing over the information they need to carry out attacks.

Creating a cybersecurity awareness training program at your financial institution

Bank employee security awareness training is critical as financial institutions seek to guard against socially engineered cyberattacks.

Training breaks down across three core areas:

  • The content of your employee cybersecurity training program. Employees need comprehensive training on cybersecurity threats. Whether your institution outsources employee cybersecurity training to a third party or you perform it in-house, it should cover privacy, password management, and social engineering strategies. Quality cybersecurity training for employees is modular, breaking down necessary information into smaller, manageable sections to make it more engaging and effective.
  • Simulated phishing attacks that expose employee vulnerabilities. Phishing simulations involve sending fake emails to test if users identify them as threats. Remember the statistic from earlier: more than 90% of cyberattacks begin as email phishing schemes. If your employees cannot identify and report a suspicious email, they require additional training. Assessing employee vulnerability to the most common cyber threat is essential to your institution’s information security.
  • Analysis and reporting of employee participation in cybersecurity training. How is your institution tracking employee participation in cybersecurity training? Do your employees find the training helpful? The cybersecurity experts at your financial institution should use the data from training to refine your program and further educate employees.


The benefits of cybersecurity training for financial institution employees

Obviously, the main goal of cybersecurity training for employees is to reduce the likelihood of a breach. Most cyberattacks succeed because of human error, so equipping your people with the tools to identify phishing attempts and other security threats is essential.

But there are other benefits as well:

  1. Employees can report data theft and support existing IT security systems. Institutions cannot rely on technology alone to protect them from cyberattacks. Even the most advanced cybersecurity infrastructure will not repel every attack, and human oversight and employee participation go a long way in protecting your bank.
  2. Consumers have more confidence in institutions with strong cybersecurity controls, and employee education is a vital control. The reputational damage of a cyberattack is immense.
  3. Training bank, credit union, and other financial institution employees in cybersecurity promotes a risk-aware banking culture. When institutions ensure their people understand the common ways criminals penetrate IT systems, they take a more active role in preventing attacks.
  4. Regulators look favorably on financial institutions with robust employee cybersecurity training programs. The FFIEC Cybersecurity Resource Guide for Financial Institutions – updated in November 2022 – recommends tabletop exercises and other employee training programs for increased cyber resilience.

Implementing and managing employee cybersecurity awareness training

Once you’ve chosen the best cybersecurity training program, you must ensure your employees participate. If you’ve ever sent out a company-wide email that asks employees to complete a task, you know this is easier said than done.


Tracking and documenting completion rates, soliciting feedback on your program, and keeping employees engaged is simple with the right employee engagement software. Financial institutions with internal communication and information management systems are best positioned to prevent cyberattacks because they have documented processes and procedures for training.

When financial institutions understand their greatest cyber vulnerability is their people, they can take the necessary steps to protect themselves from this risk.
