Aug 26 2025
Security

Training Bank Employees on Cybersecurity

Annual cybersecurity training may help an organization stay compliant, but it doesn’t mean the organization is more secure.

Employees across many industries have become familiar with some sort of annual cybersecurity training at their organizations, from watching informational videos to participating in simulated phishing attempts.

For heavily regulated sectors such as finance, these trainings may tick a box for compliance purposes. However, actually making the organization more secure is a different concern.

“Now there’s a realization that, at a user level, security and compliance are not the same thing,” says Ryan Witt, vice president of industry solutions at Proofpoint. “In the actual safeguarding of data and of an institution, security and compliance are two distinct disciplines.”

As malicious actors continue to target financial institutions, role-based cybersecurity training is becoming essential for staff members, whether they’re customer-facing or working in the back office. Training that is relevant to a specific role can help employees develop a better sense of vigilance and scrutiny that will only improve an organization’s security posture.

Why Is There a Need for Role-Based Security Training?

According to a 2024 Proofpoint report, 71% of workers admitted to acting in a way that put security at risk, such as clicking links from unknown senders or sharing credentials with an unconfirmed source.

So, why not just tell employees to reduce risky actions? It’s likely they need to take such risks as part of their job, such as downloading resumes for HR or confirming credentials at the IT help desk.

“They’re not doing anything wrong,” Witt explains. “But these trainings need to support them so that they can fulfill their roles and still have safeguards in place. After all, they’re the ones who are getting the lion’s share of the attacks.”

Their roles may not be well known outside of the organization, but they may work in vulnerable ways or have access to sellable data that makes them a desirable mark.

Organizations should especially have customized training for the help desk, which malicious actors are more likely to target, Witt adds. It’s common for the help desk to receive requests to reset authentication methods because someone has purchased a new phone, for example. How can that help desk employee verify that this is a legitimate request coming from within the organization?

“They’re driven to want to help, and it’s an attribute you really want to see as part of your team, but a threat actor can prey upon that,” Witt says.

Role-based security training should also include those with public personas or visible profiles.

“The bad actors have figured out that not every email address or every person within an organization is treated equally or has the same level of vulnerability,” Witt adds. “There are certain people within those organizations and certain departments that have exponentially higher vulnerability.”

Effective Approaches to Role-Based Security Training

Rather than creating a massive annual training module that employees are likely to put off until the last minute, Witt suggests scheduling shorter trainings more often.

“We've seen a strong pivot to these bite-sized trainings,” he says. “Sometimes, they even happen in real time, related to a recent cyber event. They’re a quick refresher, making the lessons much more relevant and easier to adopt.”

As the use of generative artificial intelligence and other AI-assisted strategies becomes more common, role-based security training will also need to evolve so employees can take better precautions.

Deepfake videos are a tactic scammers have recently used in their phishing attempts, but Witt says he’s more interested in “shallowfakes,” or content that is changed minutely so that a user may think what is being said is not totally out of place or character.

“They may require deeper consideration and analysis, and there may be the need to deploy sandbox technology to give everyone a bit of a pause to say, ‘Let's examine this a bit further,’” he says.

In this respect, humans still remain a critical part of cybersecurity. Exploiting zero-day vulnerabilities requires a certain level of technical skill, so it’s much easier for a cybercriminal organization to arm one of its attackers to launch a phishing attempt on an unsuspecting employee with minimal effort.

“Humans are the targets, so there’s recognition in the industry that the training needs to pivot to mitigate those risks,” Witt says.
