What comes to mind when you think about cyberattacks in banking? Shadowy figures penetrating a financial institution’s network in an elaborate scheme that involves an unmarked van? Criminal masterminds slipping into a branch to plant secret surveillance devices?
Believe it or not, cybercriminals don’t take cues from Ocean’s 11.
As many as 91% of all cyber breaches begin with a phishing email, according to a study from Deloitte. That’s right – more than 9 in 10 successful cyberattacks start when an employee clicks a link in a malicious email.
Cybercriminals exploit our greatest vulnerability – our trust in others. Management and security experts at financial institutions need to take this into account, devoting time and energy to ensuring employees understand the cybercriminal toolkit. That makes employee security training essential for all financial institutions.
Employee security awareness training at financial institutions is as important as – if not more important than – the strongest firewall.
When two former fraternity brothers from Florida State hacked into JP Morgan’s computer systems in 2014, they compromised the data of 76 million American households. Their efforts earned them a Wikipedia entry.
How did they break down the megabank’s wall of cyber defenses?
They accessed the login credentials of a current employee.
Scattered Spider wreaked havoc on MGM Casinos and Resorts in 2023. The gaming giant lost millions when cybercriminals shut down its computer system for several days.
How did a company worth billions fail to protect itself from such an attack? MGM used third-party technology providers as well. One of these vendors, Okta, provided MGM with cloud-based identification software.
Masquerading as an employee from Okta, a hacker simply called up the vendor and obtained credentials that allowed them to access MGM’s systems. Vishing attacks, which deploy tactics borrowed from traditional phishing schemes, work even better than email.
A combination of “phishing” and “voice,” vishing enables cybercriminals to create a sense of urgency. These types of attacks are getting more dangerous due to the use of AI to spoof people's actual voices. Employees need training to identify bad actors across various communication channels – email, text, phone, etc. – and understand their institution’s policies and procedures for credentialing and information security.
Many revert to the cliché that cybercriminals are getting smarter. But how much intellect does it take to call a company and pretend to be someone else? One of the infamous JP Morgan hackers worked as a door-to-door kitchen knife salesman before perpetrating one of history's largest cybercrimes.
In a digitally connected world, cybercriminals benefit from more points of entry into an institution’s IT system. Hackers might be smarter now, but more opportunities exist to play on human vulnerabilities. These door-to-door knife salesmen depend on employees giving them the information they need to carry out attacks.
Bank employee security awareness training is critical as financial institutions seek to guard against socially engineered cyberattacks.
Training breaks down across three core areas:
Obviously, the main goal of cybersecurity training for employees is to reduce the likelihood of a breach. Most cyberattacks are caused by human miscalculation and error, so equipping your people with the tools to identify phishing attempts and security threats is essential.
But there are other benefits as well:
Once you’ve chosen the best cybersecurity training program, you must ensure your employees participate. If you’ve ever sent out a company-wide email that asks employees to complete a task, you know this is easier said than done.
Tracking and documenting completion rates, soliciting feedback on your program, and engaging employees are simple with the right employee engagement software. Financial institutions with internal communication and information management systems are best poised to prevent cyberattacks because they have documented processes and procedures for training.
When financial institutions understand their greatest cyber vulnerability is their people, they can take the necessary steps to protect themselves from this risk.