Sunday 12 June 2016

Banks need to train their employees on cybersecurity


Cybersecurity threatens business continuity and is now a business issue as much as an information technology issue. At Citigroup, about 360,000 customer accounts were compromised in the 2011 breach and the bank was forced to reissue about 218,000 cards. Under the Basel II operational-risk norms, banks that can demonstrate better cybersecurity preparedness may need to hold less capital.

Benefits:

    Helps in compliance
        A working committee has recommended that cyber security audits be made mandatory through an appropriate amendment to the listing requirements under the Companies Act.
        The Reserve Bank of India has already mandated that banks have a board-approved cyber security policy, and that it be distinct from the information security policy.

    Makes implementing policies easier
        Employees gain information uniquely relevant to current bank risks and management concerns.

    Builds confidence in the market
        Employees are able to better explain security features.
        Reduces cyber insurance premiums.
        Fertile ground for creating new cybersecurity professionals, who are scarce in the industry.

    Helps future employees remain aware of the implications of the digital activities they undertake
        According to the PwC survey, a little less than half (46%) of the respondents said that current employees expose their organization to security incidents.

    Confidently handle customer queries on security
        Banks are spending millions of dollars on educating customers about adhering to security principles. Trained employees can gauge how effective that education has been from the first touch point.

    Understand processes and policies regarding cybersecurity
        Nearly 34% of respondents held former employees responsible for security incidents. This indicates that companies need greater rigor in their exit processes, making sure that all accounts and access rights of a departing user (not only the primary login, but also shared, privileged and remote-access accounts) are deactivated upon separation.

    Helps in detecting and responding to any threat in a timely manner
        Ponemon, a leading research firm in privacy and security, recently measured the effectiveness of anti-phishing training programs. Even the least effective program had a seven-fold return on investment.

    Democratizes knowledge on cybersecurity, so that no small group of employees can misuse their superior knowledge.
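The exit-process point above (deactivate every account and access right on separation) is easy to state and hard to verify. The following is an added example, not code from the original post, of the reconciliation a bank's identity or security team can run after each HR cycle: compare the HR separation feed against a directory export and flag accounts that are still enabled for separated staff, disabled accounts that were nevertheless used after the separation date (a sign the deactivation came late), and enabled accounts with no HR owner at all. The CSV columns, usernames, employee IDs and dates are constructed for the example and are not from any real system.

```python
"""Offboarding reconciliation: cross-check an HR separation feed against an
identity directory export and report accounts that outlived their owner.
All data below is constructed sample data; column names are assumptions."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR feed. A blank separation_date means still employed.
HR_FEED = """employee_id,name,status,separation_date
E1001,Asha Rao,active,
E1002,Vikram Sen,separated,2016-05-31
E1003,Meera Iyer,separated,2016-06-03
E1004,Rahul Nair,separated,2016-04-15
"""

# Constructed directory export (think of an AD/LDAP dump). Shared or service
# accounts may carry no employee_id at all.
DIRECTORY_EXPORT = """username,employee_id,enabled,last_login
arao,E1001,true,2016-06-10
vsen,E1002,true,2016-06-08
miyer,E1003,false,2016-06-02
rnair,E1004,false,2016-05-20
swiftops,,true,2016-06-09
"""


@dataclass(frozen=True)
class Finding:
    username: str
    employee_id: str
    issue: str


def _parse_date(text):
    """ISO date or None for an empty cell."""
    return date.fromisoformat(text) if text else None


def load_hr(text):
    """Map employee_id -> (status, separation_date or None)."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["employee_id"]: (r["status"], _parse_date(r["separation_date"]))
            for r in rows}


def load_directory(text):
    """Normalise the directory export into plain dicts with typed fields."""
    rows = csv.DictReader(io.StringIO(text))
    return [{"username": r["username"],
             "employee_id": r["employee_id"],
             "enabled": r["enabled"].strip().lower() == "true",
             "last_login": _parse_date(r["last_login"])}
            for r in rows]


def reconcile(hr, accounts):
    """Return one Finding per account that violates the exit process."""
    findings = []
    for acct in accounts:
        owner = hr.get(acct["employee_id"])
        if owner is None:
            # No HR record: orphan or service account. Only a live one matters.
            if acct["enabled"]:
                findings.append(Finding(acct["username"], acct["employee_id"],
                                        "enabled account with no HR owner"))
            continue
        status, separated_on = owner
        if status != "separated":
            continue
        if acct["enabled"]:
            findings.append(Finding(acct["username"], acct["employee_id"],
                                    "enabled after separation"))
        elif acct["last_login"] and separated_on and acct["last_login"] > separated_on:
            # Disabled now, but the login trail shows use after the exit date.
            findings.append(Finding(acct["username"], acct["employee_id"],
                                    "disabled, but used after separation date"))
    return findings


def run():
    """Reconcile the constructed sample feeds; returns the list of findings."""
    return reconcile(load_hr(HR_FEED), load_directory(DIRECTORY_EXPORT))


if __name__ == "__main__":
    for f in run():
        print(f"{f.username:10} {f.employee_id or '-':6} {f.issue}")
```

In practice the two feeds come from the HR system and a scheduled directory export, and the same join should be repeated per application that keeps its own user store (core banking, SWIFT, VPN, ticketing), since a disabled directory login says nothing about an application account provisioned separately.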

Suggestions:

To start with, an initial training in cyber security should be mandatory for banking and financial markets professionals, and it should be part of the on-boarding process. They should also be tasked with passing this knowledge on to customers. With so many customer touch-points, not putting proper checks and balances in place is like leaving a gate open for an intruder.

There should be awareness workshops for the senior management teams in the banks.

At a more technical level, rigorous, skill-based training for IT professionals should be put in place. Holistic frameworks propagated by institutions such as the National Institute of Standards and Technology (NIST) should be put into practice, so that all five functions of the NIST Cybersecurity Framework are covered: identify, protect, detect, respond and recover.

The magnitude of the potential threat is too large to be ignored. RBI has been very proactive in its directives, but it is for the banks to follow them.
