FINAL WORD
“
TESTING EMPLOYEES’
AWARENESS, KNOWLEDGE AND
TECHNICAL CAPABILITIES . . . CAN
HELP ENTERPRISES DETERMINE
WHERE RESOURCES WOULD BE
BEST FOCUSED, TO MITIGATE THE
COLLECTIVE RISK.
cyphers, expired and self-signed certificates,
and putting patching protocols in place so
vulnerabilities are addressed immediately, not
in the weeks and months after detection.
Getting employees thinking harder
about cyber-risks
Ease of use and significance are two factors
that determine the uptake of cyber hygiene
practices. That is why the focus should be
on getting user buy-in and user compliance.
The term cyber hygiene was coined about a
decade ago to describe two things:
1. The practices users should follow when
online, to reduce the likelihood of systems
being compromised or corrupted by hackers,
cybercriminals and accidental data breaches.
2. The regular security processes enterprises
should implement to keep their ICT
infrastructure secure.
The aforementioned are critical to achieving
a robust cybersecurity posture and presents
an accessible way to think about what may
be pressing issues.
However, a notable challenge is getting
employees in financial institutions to
think in the same way and reinforce their
commitment to safer cyber practices. As part
of raising awareness, it would be helpful to
spell out exactly what rigorous cyber hygiene
consists of, rather than merely providing
employees with a list of dos and don’ts.
The SAFET-Y acronym represents a simple
way to quantify the vulnerabilities they face.
Typically, they encompass five key areas:
• Storage and device hygiene
• Authentication and prevention hygiene
• Facebook and social media hygiene
• Email and messaging
• Transmission hygiene
Additionally, institutions should provide
employees with examples pertaining to reallife
work situations, specific to each area of
vulnerability identified above.
Then, identify the systems to use, that will
increase the likelihood of them following
rules and incorporating good cyber hygiene
into their modus operandi.
Testing employees’ awareness, knowledge
and technical capabilities – and their current
utilization of those capabilities – can help
enterprises determine where resources would
be best focused, to mitigate the collective risk.
How Machine Learning and Artificial
Intelligence can help
To fight against cyberattacks, Machine
Learning (ML), allows for augmented
analytics to help security staff decide what
to investigate, detect low-and-slow attacks
that defenses have missed and gain enough
time to explore serious problems.
Crucially, Machine Learning allows finance
organizations to recognize fraudulent
behaviors, to look out for post-breach
behaviors and indicators of compromise.
The attack surface is enormous, and there
are a million ways that organizations can
be breached. Machine Learning behavioral
tools can help to detect these suspicious
behaviors so that organizations are always
one or two clicks away from being able
to determine if something requires an
incident-response scenario.
Meanwhile, for IT security teams, good
network hygiene is about staying on top of the
basics. This means eliminating the use of weak
Financial institutions stand the best chance
of achieving cyber hygiene if they make
it their mission to teach their workforce
about important cybersecurity behaviors,
why they matter and the implications
for themselves and the business if these
practices are not rigorously adhered to.
Finance organizations that neglect raising
awareness may find themselves in a
situation equivalent to that of a café owner
ordering their employees to wear gloves
without explaining the rationale, only to
observe them blithely moving from food
prep to bin duty and back again, while
wearing the same pair of latex.
Protecting the enterprise by
empowering employees
While cyber hygiene is an accessible term
for users, it is not necessarily helpful unless
employers explain its importance and
get employees to take ownership of their
behavior when handling sensitive financial
data, applications and other resources.
Raising awareness of cyberthreats and
the cascade of consequences following
an incident can aid in understanding the
necessity of security measures and increase
willingness to work together to reduce risks
to the enterprise. •
84 INTELLIGENTCIO www.intelligentcio.com