A Tale of Two Banks and a Cyber Breach
Updated: Feb 5
Two large banks in the same country experienced a massive series of cyber-attacks. Over the past few years, both banks had spent large sums on cyber technology defence tools, threat monitoring and deterrent applications, as well as third-party cyber awareness training. Both Boards felt they had done what was necessary to protect their institution and their customers.
As a result of the attacks, one bank experienced massive disruption to customer transactions lasting several weeks, loss of customer data (which quickly appeared on the Dark Web for sale) and a massive fine from the regulator. The other quickly recovered from the initial breach and thwarted several other attacks. Only a few records were stolen, and the regulator applauded them for their quick response.
The difference? A robust cyber security culture in the second bank, which had been a senior management priority for the past several years.
Your company culture is either a cyber security strength or a hidden risk. Do you know how strong your cyber security culture is?
To enable people, processes and technology to work together, the second bank built a strong cyber security culture by making certain:
Cyber security was a prominent pillar in the company strategy,
The Board fully understood the business risk of cyber security and the importance of culture as a security enabler,
Cyber security dashboards were forward-looking and included adjustable risk appetite metrics, as well as culture metrics,
The CISO worked closely with the business units to make cyber security culture an enterprise issue,
The CISO reported to the CEO and the Board,
Senior leaders were constantly role modelling and talking about good cyber behaviour,
The leadership team had up-to-date information that allowed them to manage the cyber security culture,
The CEO took on the role of the ultimate cyber security champion and broke down functional silos to improve collaboration on cyber security.
Which bank are you? Is your cyber security culture robust or a hidden risk?