This was valued at $2.7 billion in 2018, up from $1.7 billion in 2017. It now covers every firm in the BFSI sector. In fact, in financial services firms alone, its impact increased by almost 40% between 2014 and 2017.
We aren’t talking about a hot new technology or a viral trend. These figures relate to cybercrime. As you can see, cybercrime is all-pervasive in today’s world. Let’s spend a bit of time learning how we can help from the training angle.
Any crime that involves a computer or network is a cybercrime. With our increasing dependency on computers, the internet and modern technology, the incidence of cybercrime has gone up manifold. Today, it’s hard to find a device that’s not connected to some server or the other. Therefore, no system is immune. Not your laptop, your mobile, your smart TV, or your Alexa-controlled lighting system. So, when one device is breached, it puts all devices hooked to the server at risk. Thus, stopping such breaches from happening should be of utmost importance to firms. They can end up losing millions to theft, and that is before considering the intangible cost of reputational loss due to such attacks.
Cybercriminals can target either systems or people, through tactics such as Denial of Service (DoS) attacks or phishing attempts.
To prevent such crimes from targeting them, companies need to use both technological and human safeguards. These can manifest in different ways. In this blog, we will focus on safeguarding your employees from cybercrimes through training interventions.
Deploying Effective Learning Solutions
Cybercrime affects the BFSI industry more than any other industry – and for good reason. A good majority of cybercrime is basically online theft, so what better place for it than BFSI firms?
The financial services industry is acutely aware of this too and deploys various IT solutions to safeguard itself from such attacks, but many employees remain blissfully unaware of these risks and the threat they pose. To prevent such threats from becoming real, BFSI organizations need to have robust training programs.
While the right learning solution would have to be tailored specifically for your organisation, there are some best practices that you can follow.
Get into Campaign Mode
Training cannot happen in isolation or through random interventions. It should be well-planned and well-spaced. You can launch an organization-wide awareness campaign. Give it a fancy name such as War on Cyber-Crime. There can be a poster contest, a caption contest, etc. Create a forum on the company’s intranet (or a Facebook page). Assign points for each activity. Add eLearning as one of the components of the campaign. This creates a sense of purpose and excitement. When employees are excited, they will not look at eLearning as a chore to be dispensed with.
Now, set a target score across all these activities. (There’s something else we can do with scores, which will be explained below.)
Whoever scores beyond a threshold receives a fancy title, say Cyber Warrior, Cyber Cop, etc. Create a nice framed certificate that they can keep on their desks.
Tailor the Learning for Each Role
Across your organization, different roles have access to different data and, consequently, face different levels of risk. Identify best practices and prevention strategies for each role and include them in the training. Of course, you can’t create an entirely separate training program for each role, but you can include top-level information for all roles in a common awareness program and then add separate role-specific interventions. These role-based interventions can be initiated by team leads or division heads, depending on the size of the organization. However, they must be managed by L&D, or they will swiftly become a mere formality and lose their vigor.
Simply put, separate the general context-setting information about cybercrimes and the role-specific training. The general context-setting can be common organization-wide, but the role-specific training must only be provided to the relevant stakeholders.
Scenarios, Scenarios, Scenarios!
Scenario-based learning is the most effective way to teach your employees how to recognize a phishing attempt when they see one. One way to make your training unengaging and learner-alienating would be to make it completely didactic, i.e. just providing information. Ditch the page-turner approach and get real.
Understand the various tasks they perform and the various points at which they could cause a potential security breach. Create scenarios around these situations and make them as realistic as possible. Provide your learners with the options they would come across in real life and give them the chance to make mistakes, albeit virtually. Your learners would end up doing something only because they believe it is the right thing to do – give them the chance to do this and, when they do, provide feedback about why that isn’t the right approach and what to do instead.
Gamify to Get Real
Gamification helps greatly in making the training as close to real as possible. When you introduce scenarios in the eLearning, you can gamify it with points. Only, the points can be dollars. So, if a learner prevents an attack (virtually), he or she has saved two million dollars, and so on. This way, at the end of the training program the performance of the learner can be measured by how much money they saved from the marauders.
BFSI employees generally have long working hours. This means that they will only be able to spend a limited amount of time on learning interventions. So, it becomes crucial for you to ensure that they get the most out of the time they spend in training.
In your instructional zeal, do not present them with a three-hour-long eLearning course and set month end as the deadline for completion. Break the training down into multiple nuggets, each lasting no longer than three minutes. Each nugget can cover one scenario and end with an attempted breach and one chance for the learner to prevent it. This works like a web series, with each episode covering one adventure.
eLearning is a safe space for learners to make mistakes. And they know that too, so some don’t accord it the seriousness they would a real threat. Solution: create a real threat.
That doesn’t mean you arrange for some goons to rob your vault! Consider “surprise” interventions – let’s call them Audit-Lessons – that put your learners in situations where they could make mistakes, such as sending them a potentially bad email or deploying sophisticated methods to get them to divulge sensitive information. If they fall for the trap, they’d know that they need reinforcement and you can direct them to the right training module.
Comfort zones are important when deploying learning solutions, but sometimes it helps to put them in the Wild, Wild West!
Keep It Regular
Learning is not a one-time activity. It is an ongoing process. Plan frequent interventions and frequent audit-lessons to continually reinforce the idea and to keep the threat alive so that they can remain vigilant. Tools such as refresher modules, just-in-time nuggets, quick reference guides, etc. would ensure that the learning never stops!
Summing It Up
No one conducts bank heists nowadays. These heists take place in the virtual world. Cybercrime is the biggest, and arguably the only, criminal threat the BFSI industry faces today. A very successful attack can set you back by a few million in a minute and cause irreversible harm to your company’s reputation. You can’t take shortcuts in preparing your staff members for this threat.
Cybersecurity training is often passed off simply as a compliance or regulatory program. But it needs a more serious and (indeed) more fun overhaul. Ensure you consider the points discussed in this blog seriously to upgrade your L&D strategy. When the next attack is successfully prevented by your staff, and your organization saves millions of dollars, you might thank this blog for the help.