SANS Institute: Employee awareness key to fighting financial security threats

Imagine you receive an email from an unknown sender. It includes unusual language, or even gibberish in the subject line; if you push through your suspicion and open it, there’s a link promising you a free iPad if you click right now. There’s a good chance you realize the link is probably spam, and you delete the email and report it as such. Simple, right? You might think it’s hard to imagine why anyone would click an unsafe link and potentially invite malware into their environment.

Now, imagine that link was more effectively disguised. Perhaps the email sender showed up as your spouse's name. Maybe it wasn't an email at all; maybe it was a popup that looked like a routine reminder to update your version of Microsoft Windows. Suddenly, identifying an unsafe link isn't as straightforward as you thought. In fact, the recent "SANS 2016 Survey on Security and Risk in the Financial Sector" found that ransomware and phishing attacks cause more harm than any other cyberattacks aimed at the financial services industry, and both methods of attack typically require a user to click a link.
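The two disguises above (a familiar display name on an unfamiliar address, and a link whose visible text differs from where it really points) are exactly what awareness training teaches people to spot, and both can be checked mechanically. The following is an added example, not code from the article or from SANS or DataGravity; the message, the contact allow-list and the `bank.example` brand domain are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not from the article): the display name impersonates a
# trusted contact while the address is on an unrelated domain, and the anchor
# text shows one URL while the href points to a look-alike host.
SAMPLE_EMAIL = """From: "Jane Doe" <jane.doe@example-mail.invalid>
To: you@bank.example
Subject: Quick favour
Content-Type: text/html

<p>Hi, can you approve this? <a href="http://login.bank.example.attacker.invalid/">https://login.bank.example/</a></p>
"""

# Assumed allow-list: display name -> domain that contact normally writes from.
TRUSTED_CONTACTS = {"jane doe": "family.example"}
# Assumed brand domain whose name an attacker would embed in a look-alike host.
BRAND_DOMAIN = "bank.example"


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def check_sender(msg):
    """Flag a display name that matches a known contact but comes from another domain."""
    name, addr = parseaddr(msg["From"])
    domain = addr.rpartition("@")[2].lower()
    expected = TRUSTED_CONTACTS.get(name.strip().lower())
    if expected and domain != expected:
        return [f"display name '{name}' is expected from {expected} but the address is on {domain}"]
    return []


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def brand_abused(host, brand=BRAND_DOMAIN):
    """True when the brand name appears inside a host that is not the brand or a subdomain of it."""
    return brand in host and host != brand and not host.endswith("." + brand)


def check_links(html):
    """Flag anchors whose visible URL and real target disagree, and look-alike hosts."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = _host(href)
        if re.match(r"https?://", text) and _host(text) != target:
            findings.append(f"link text shows {_host(text)} but href points to {target}")
        if brand_abused(target):
            findings.append(f"host {target} embeds {BRAND_DOMAIN} but is not part of it")
    return findings


def analyze(raw_message):
    msg = message_from_string(raw_message)
    return check_sender(msg) + check_links(msg.get_payload())


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

The checks are deliberately conservative: a display name is only suspicious when it collides with a known contact, and a link is only flagged when its visible text is itself a URL, because that is the case a user would be fooled by. A real gateway would combine this with the monitoring and sandboxing the article mentions rather than rely on it alone.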

Employee awareness among most valuable security protection approaches

The SANS Institute reports that the most effective protection technique for combating phishing and ransomware attacks is a direct technical response: email security monitoring and sandboxing. The close second is employee awareness training and testing. Technology can only go so far in weeding out malicious messages and helping employees make smart decisions about suspicious links. To address the source of the problem, organizations need to educate their employees about the threats such messages pose to sensitive data and to the company at large, while highlighting best practices for identifying and avoiding them.

Sensitive data protection fuels cybersecurity programs

For 69 percent of organizations surveyed by the SANS Institute, protecting sensitive data from exposure is the top driver of their security initiatives. This underscores that data is a company's most valuable asset, especially given the sensitive information financial organizations handle every day. Additional drivers include protecting brand reputation and maintaining industry compliance. While these are all important goals, financial organizations should avoid letting separate initiatives compete for the same internal resources.

Efforts to improve data awareness, protection and security within an organization must be unified. By driving data awareness and security initiatives with employee education, as well as direct-response activities to incoming threats, companies can create holistic plans to keep their most valuable assets – their data – safe.

Andrew Hay

With over 15 years of data security experience in various roles inside organizations as well as advising them, Andrew serves as the chief information security officer at DataGravity. He is responsible for the development and delivery of the company’s comprehensive data security strategy. Prior to DataGravity, Andrew was the director of research at OpenDNS (acquired by Cisco) and the director of applied security research and chief evangelist at CloudPassage.