Other parts of this series:
In the first two parts of this series, we’ve addressed how critical it is for financial services (FS) firms to reboot their approach to cybersecurity. In the face of disruptive cyber attacks, FS firms will need to focus more on their people and reprioritise their investments. In order to accomplish that, a major shift in culture and mindset is required.
So, how does a financial services firm go about changing hearts and minds to achieve cyber resilience? Learning from the success of others helps. Accenture worked with one multinational corporation on a change intervention approach. The program resulted in raised visibility of information security to the executive committee and the board. With an increased awareness and healthy concern about identity theft and fraud (87 per cent), the vulnerability to phishing attacks reduced from 36 per cent to a mere eight per cent.
In another pilot program with a global banking group, Accenture helped the company define a cybersecurity human behavioural index (CHBI) of its workforce, as well as create a measurement strategy to identify the impact of the pilot. The program approach focused on defining cybersecurity principles of the banking group and merging them with digital skills and specific behaviours.
To build a culture of cybersecurity awareness, FS organizations should view state-of-the-art cybersecurity as an organisational mindset — one capable of continually evolving and adapting to counter changing threats. To foster a culture of cybersecurity and digital trust, leaders in FS must emphasize an adaptive, evolutionary approach to addressing all aspects of security on an ongoing basis.
The importance and value of understanding how employees behave and how certain behaviours lead to cybersecurity risk cannot be overstated. FS leaders looking to protect their enterprises from potential cyber attack need to be prepared to deal with both the malicious insider and the unwitting victim of phishing. In order to mitigate cyber risk, FS firms need to apply the following behaviour change approach:
- Be clear and pragmatic about your FS firm’s cybersecurity principles and the behaviours you want your employees to display,
- Build a reference database for all skills, behaviours and principles for cyber resilience,
- Increase information security campaigns and messaging,
- Use peer networks to reinforce mindsets and behaviours,
- Align rewards and recognition. Remove processes and metrics that encourage or allow the wrong cybersecurity behaviours,
- Don’t just rely on rules to move employee behaviours, appeal to the emotional and purpose, as well,
- Embed new behaviours into HR processes,
- Align organizational structure.
Conventional wisdom regarding behaviour change would tell us that just making a business case is enough to drive change, or that telling people what to do, how and why should be sufficient. But new wisdom tells us we need both rational and emotional reasons for change and that leaders in FS need to let the workforce make their own connections.
Cultural change does not come easy, but sometimes it is necessary for the safety of all. FS firms that make the cultural leap will be the ones keeping their business interests and their customers safe in the face of cyber threats.
To learn more, register to download the report: Building Confidence: Solving Banking’s Cybersecurity Conundrum
In March, Accenture Security’s Sanjeev Shukla wrote an excellent blog series on how to bridge the cybersecurity perception gap: Cybercrime: Time for a New Approach.
We’ve also discussed security and privacy in relation to open change ecosystems at our Change Director Forum last month. Coming up in September, our People Innovation Forum, co-hosted with Peter Cheese from the CIPD, will address the latest on this topic, as well. If you are interested in participating, please contact firstname.lastname@example.org or email@example.com.