On September 22, ThreatReady Resources presented to the Massachusetts Bank Internal Auditors about filling a critical gap in risk management today. Peter Schablik, Partner at CohnReznick LLP, led off by acknowledging the enormous challenges internal auditors face and the risks posed by cybercriminals, who are perpetrating ever more targeted and sophisticated attacks on financial institutions. Schablik stressed serious issues with the IT and technical security controls designed to mitigate this risk, from shockingly weak physical security to insufficient monitoring and overreliance on technology. The challenge for auditors is to reduce these risks while staying under budget and justifying costs. Schablik outlined steps organizations and auditors can build into their program management to improve security.
Expanding on the cybersecurity threat currently facing companies, Kirsten Liston, ThreatReady Resources’ Director of Product Development, underscored the gigantic size of the problem. Cyber incidents have risen 66% each year since 2009, she said, and the related mitigation and recovery costs are rising steeply. The different types of intrusion that criminals use today, such as hacking, phishing, malware, and social engineering, capitalize on innocent mistakes employees make that expose a company’s data. In fact, 95% of data breaches result from human error. These built-in weaknesses, Liston said, are the ones that technology can’t solve.
Liston outlined how typical approaches to training are ineffective when it comes to changing employee behaviors and mitigating these risks. When employees sit through training that asks them to cram in facts and pass a test, brain research shows that half the material is lost from memory just days later, so the material presented doesn’t inform employees’ daily actions. Rather than asking trainees to “check a box” and move on, ThreatReady Resources sets out a new model, one based on brain research and incorporating techniques used by marketers and advertisers to capture attention, influence choices, and change behavior. Training based on this model aims to make cyber-safe actions as instinctive as reaching for a fire extinguisher when faced with smoke and flames.