One of the biggest concerns for any financial institution is how to keep your consumers’ data and money safe without restricting what they can do with their money. In this blog, our CIO, Jonathan Mizzi, lays out the truth about setting up a cybersecurity culture, what it means for your business, and why you should invest in stronger cybersecurity from the outset.
The digital fortress is something we often refer to when using technology to build a secure system but there is more to cybersecurity than the tech itself. How does the team feature as part of keeping the organisation safe from outside threats?
Effective cybersecurity goes beyond technology; it involves the entire team. The human factor plays a crucial role in threat mitigation. Providing training, awareness, and adhering to security policies is vital. Team members must be vigilant and collaborate to identify and address vulnerabilities, ensuring the organisation’s overall security.
There is no such thing as ‘safe enough’. How do you go about keeping the team aware of the constant possibility of an attack? How do you prevent complacency?
Here at FIL, we regularly communicate the evolving threat landscape and share real-world examples. This is done by conducting security awareness training and simulated phishing attacks amongst others. Encouraging a culture of continuous learning and emphasising that cybersecurity is an ongoing process, ensures that the team remains alert and proactive against potential threats.
There are the threats we know about and there are those that evolve and appear all the time as novel ideas. What should organisations do to keep themselves up to date with the latest threats?
With an evolving landscape, organisations should establish a robust threat intelligence program to be constantly aware of emerging threats. This includes monitoring industry reports, collaborating with cybersecurity communities, and subscribing to threat feeds. Regularly assessing and updating security measures, conducting vulnerability assessments, and staying informed about evolving attack techniques are key to adapt and defend effectively.
What are some effective ways to get employees intrinsically motivated and actively participating in cybersecurity rather than simply complying with mandatory rules? Does it help if leaders demonstrate the importance of security through their own behaviours, setting the right example?
Fostering an intrinsic motivation among employees is the aim for those working in Cybersecurity. This can be achieved by offering education and training which is informative and by explaining the benefits of cybersecurity even in one’s personal life.
As they say, one should lead by example. The business leaders should exemplify security practices by demonstrating their commitment to a culture of security. Employees should be encouraged to be part of the cybersecurity solution by seeking their input and ideas. It is crucial to keep the employees engaged and provide them with regular feedback on their contributions.
Should there be an open dialogue around security so that the idea of safety is part of everyday operations rather than seen as the sole responsibility of the security department?
In a business setup, open dialogue should be the norm and around security it is imperative to integrate it into everyday operations. Security is everyone’s responsibility. Encouraging communication and awareness throughout the organisation helps employees recognize potential threats, report issues, and take proactive measures. It fosters a culture of security where safety becomes a shared concern, not solely the domain of the security department.
Having your team on board is an essential part of cybersecurity but your clients, suppliers, and contacts can also contribute to the safety of the entire chain of communication. Is there anything that can be done to educate a wider audience?
Absolutely. Educating a wider audience, including clients and suppliers, is crucial for enhancing the overall cybersecurity of an organisation. One should consider creating and sharing educational resources, conducting workshops or webinars, and providing clear guidelines on secure communication practices. Emphasising the importance of their role in the security chain and how their actions can impact the organisation is crucial. One needs to push them to adopt strong security measures, such as encryption and secure communication protocols, and regularly update their systems. By fostering a collaborative and informed approach, the entire network of stakeholders can collectively contribute to a safer digital environment.
Having said that, supply chain risk management (SCRM) is being enforced at a European level by the introduction of Digital Operational Resilience Act (DORA) which is targeted to come into effect in January 2025.
Can cybersecurity be positioned as a business enabler, providing more comprehensive risk management, rather than a constraint? Would this be effective in promoting a culture of security as one of your benefits instead of a restriction?