The FCA is encouraging firms to make cyber security training more interactive by introducing mock scams and rewarding sharp employees.
Speaking at the Financial Information Security Network, FCA executive director Nausicaa Delfas said moving toward a 'security culture' was essential to mitigate growing threats to online security.
In commenting on what the industry could do to better protect itself against malware, she suggested that firms stop using a staff 'policy' as the sole baseline for security training. Whilst admitting that policy is important, being the articulation of what you as a business will be doing, she said firms should realise that a policy is 'a corporate piece of paper that is easily forgotten'.
She suggests firms include the introduction of fake phishing scams, which will educate staff who click on them and reward those who avoid or identify attacks, perhaps penalising those who persistently do not spot them. We understand that the FCA are impressed with the number of firms who have started to adopt such approaches.
Perhaps most interesting to me is that the FCA are studying the potential measurement of security culture within an organisation. Sandro and I spent nearly three years trying to get organisations interested in culture in areas other than pure control, so I applaud the idea. The FCA suggest that it is too early to say if this will come to anything, but perhaps by setting key performance indicators and success criteria, firms can begin to measure security culture and set a baseline for improvement in a more quantitative way.
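The two ideas above, a mock phishing programme that educates those who click and recognises those who report, and key performance indicators that let a firm measure its security culture over time, can be tied together in a small amount of code. The following is an added example written for this page, not something from the FCA or from TomJak Ltd; the users, campaign names and results are constructed, and the KPI definitions (click rate, report rate, repeat clickers, consistent reporters, click-rate trend) are my own assumptions about what a firm might choose to track.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """Outcome for one recipient of one mock phishing campaign."""
    campaign: str
    user: str
    clicked: bool    # followed the link in the simulated phish
    reported: bool   # flagged it to the security team


# Constructed sample data: three quarterly campaigns sent to five hypothetical staff.
CAMPAIGN_ORDER = ["2017-Q1", "2017-Q2", "2017-Q3"]
SAMPLE_RESULTS = [
    SimResult("2017-Q1", "alice", clicked=True,  reported=False),
    SimResult("2017-Q1", "bob",   clicked=True,  reported=False),
    SimResult("2017-Q1", "carol", clicked=False, reported=True),
    SimResult("2017-Q1", "dave",  clicked=False, reported=False),
    SimResult("2017-Q1", "erin",  clicked=True,  reported=False),
    SimResult("2017-Q2", "alice", clicked=False, reported=True),
    SimResult("2017-Q2", "bob",   clicked=True,  reported=False),
    SimResult("2017-Q2", "carol", clicked=False, reported=True),
    SimResult("2017-Q2", "dave",  clicked=False, reported=True),
    SimResult("2017-Q2", "erin",  clicked=True,  reported=False),
    SimResult("2017-Q3", "alice", clicked=False, reported=True),
    SimResult("2017-Q3", "bob",   clicked=True,  reported=False),
    SimResult("2017-Q3", "carol", clicked=False, reported=True),
    SimResult("2017-Q3", "dave",  clicked=False, reported=True),
    SimResult("2017-Q3", "erin",  clicked=False, reported=True),
]


def campaign_kpis(results):
    """Per-campaign KPIs: recipients, click rate and report rate."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    kpis = {}
    for name, rows in by_campaign.items():
        n = len(rows)
        kpis[name] = {
            "recipients": n,
            "click_rate": sum(r.clicked for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
        }
    return kpis


def repeat_clickers(results, threshold=2):
    """Users who clicked in at least `threshold` campaigns.

    These are the people the article describes as persistently not spotting
    the scam: the natural audience for targeted follow-up training.
    """
    counts = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.user] += 1
    return sorted(u for u, c in counts.items() if c >= threshold)


def consistent_reporters(results):
    """Users who reported every campaign they received and never clicked.

    These are the 'sharp employees' a recognition scheme would reward.
    """
    received = defaultdict(int)
    reported = defaultdict(int)
    clicked = set()
    for r in results:
        received[r.user] += 1
        if r.reported:
            reported[r.user] += 1
        if r.clicked:
            clicked.add(r.user)
    return sorted(
        u for u in received
        if u not in clicked and reported[u] == received[u]
    )


def click_rate_trend(results, order):
    """Change in click rate between the first and last campaign in `order`.

    A negative value means staff are clicking less over time, which is one
    quantitative signal that the security culture is improving.
    """
    kpis = campaign_kpis(results)
    return kpis[order[-1]]["click_rate"] - kpis[order[0]]["click_rate"]


if __name__ == "__main__":
    for name in CAMPAIGN_ORDER:
        k = campaign_kpis(SAMPLE_RESULTS)[name]
        print(f"{name}: click {k['click_rate']:.0%}, report {k['report_rate']:.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("consistent reporters:", consistent_reporters(SAMPLE_RESULTS))
    print(f"click-rate trend: {click_rate_trend(SAMPLE_RESULTS, CAMPAIGN_ORDER):+.0%}")
```

The design choice worth noting is that report rate is tracked separately from click rate: a falling click rate alone can simply mean staff have learned to ignore email, whereas a rising report rate shows they are actively engaging with the security team, which is closer to the 'security culture' the FCA is after. The repeat-clicker threshold is deliberately a parameter, since how many misses should trigger follow-up is a policy decision for each firm.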
Article by Chris Hollands, a director of TomJak Ltd, a company which specialises in audit training and consultancy