Recently, Pryon had the opportunity to exhibit at CX22 in Nashville, Tennessee, hosted by fintech and cybersecurity leader CSI. Among the many topics discussed by financial services, technology, and other leaders at the conference was how to evolve cybersecurity programs to respond to new risks and threats.
Financial services has historically been the most-attacked industry, but slipped to number two last year as cyber attackers targeted manufacturing companies to cause supply chain disruption. Nonetheless, the industry is still experiencing a crushing onslaught of attacks. For example, ransomware attacks were up 30 percent in the first half of 2021, compared to the year prior.
As a result, many chief information security officers (CISOs) are elevating the importance of strengthening cybersecurity awareness cultures. However, financial services firms need to move faster to keep pace with the latest risks and threats. By using artificial intelligence (AI) and natural language processing (NLP) in a new way, these companies can deliver ongoing micro-training. Cybersecurity and IT teams can design and begin delivering this training in as little as one day, moving awareness initiatives into real time. As a result, they can improve employee knowledge retention and the ability to detect and respond to threats.
Empowering financial services employees to identify attacks
So, what’s happening in financial services, and why is improving cybersecurity awareness so important?
Cyber attackers target individuals and endpoints rather than networks, as it’s easier to gain access to credentials than overcome cybersecurity systems. In fact, humans were involved in 85 percent of all cyber breaches in 2020. Phishing was used to cause 25 percent of all data breaches in 2020, while stolen credentials were implicated in 60 percent of all of them.
CISOs have long realized that employees are often used as unwitting pawns in cyberattacks. That’s why financial institutions invest heavily in training. A popular tactic is to execute twice-yearly phishing tests and then target employees who fail the test for additional training. However, C-suite leaders at financial services companies realize that current approaches in cyber awareness aren’t scaling to meet the relentless pace of new risks and threats.
Building a cybersecurity-aware culture to reduce risks
Financial services employees have special obligations that their peers in other industries may not face. For example, they must abide by information handling and data protection rules in order to comply with internal compliance requirements and regulations in all the geographies they serve. At present, the U.S. does not have a federal data privacy requirement equivalent to the General Data Protection Regulation (GDPR), but different states are passing their own legislation.
As a result, creating a cybersecurity-aware culture is an important part of industry frameworks and best practices, including the widely implemented National Institute of Standards and Technology (NIST) Framework. Similarly, the Center for Internet Security (CIS) Controls, Payment Card Industry Data Security Standard (PCI DSS), and Federal Risk and Authorization Management Program (FedRAMP) all recommend that organizations establish and continually evolve cybersecurity-aware cultures. More recently, the Federal Trade Commission (FTC) has passed a rule that requires that FTC-regulated financial institutions implement employee security awareness training by December 9, 2022. Thus, many organizations are taking a second look at their programs to see how they can improve results.
Why financial services firms should create a “cyber help desk”
Today, cybersecurity and IT teams spend significant time designing awareness programs. They often begin by assessing employee knowledge with surveys, developing education and training initiatives based on significant threats, and providing role-specific education. In addition to designing and executing phishing tests, these teams may design multi-channel programs, with newsletter articles, webinars, SharePoint sites, quizzes and contests, and more. Cybersecurity Awareness Month in October is a popular time to launch programs, although content would ideally be available, accessible, and updated all year.
The challenge with relying solely on this approach is that employees may not retain knowledge, putting them at risk for continuing the very behaviors their employers don’t want.
The opportunity to apply AI in this context is similar to the idea of using it to augment and scale support services within an enterprise IT help desk. While chatbots can help automate the delivery of answers to routine questions, their capacity and intelligence are too limited to answer a broader volume of more complex questions. An AI-based knowledge management platform like Pryon can transform cyber content into interactive experiences that allow for natural language queries, making it easy for the employee population to access the latest policies and instructions.
Using Pryon to automate the delivery of cybersecurity training
There’s an easier way to create pervasive cybersecurity awareness at banks, fintechs, insurers, and other industry companies. These firms can use an AI-based knowledge management solution like Pryon to automatically scan their knowledge base and package questions and answers or short content to be delivered to users.
Pryon is a no-code platform that uses AI, NLP, and computer vision to search knowledge bases, interpret technical content, and serve up answers to questions.
This content can then be delivered via mobile apps, chatbots, or other tools. Financial services firms can use Pryon to:
- Deliver new hire training: New hires don’t know firm policies, tools, and programs, which increases their risk of compliance and other violations. In addition, cyber attackers may be targeting these employees based on their LinkedIn updates about their new positions. Pryon can automate the delivery of training on Day 1 and send reminders, increasing completion rates. As a result, new hires quickly learn what they need to do to protect customers, data, and systems.
- Provide always-on training: Because content can be updated and rendered interactive immediately, firms can offer weekly, daily, or even twice-daily updates. Teams can create collections on topics they want to educate employees on and set users free to search Pryon and receive highly accurate answers in return.
- Assess employee knowledge gaps in real time: Why wait to complete employee surveys after cybersecurity campaigns are finished? With Pryon, cybersecurity and IT teams can get immediate feedback on employee mastery of, or struggles with, key topics. As a result, they know where to focus their awareness and training investments, improving ROI.
Automate and scale always-on cyber training
Financial services firms already have cybersecurity cultures but are likely looking to improve results. In addition to designing structured programs, these companies can activate their knowledge bases with Pryon to accelerate employee training efforts, improve retention of key topics, and strengthen compliance.
With ongoing cybersecurity awareness and education, employees improve their ability to comply with all key corporate and industry requirements. They learn about new risks and threats, are able to identify them, and know how to report suspected incidents. Empowered, cyber-aware employees can educate each other, protect customer and business data and intellectual property, and help prevent breaches. Since the average breach cost for a financial services organization was $5.72 million in 2021, that is no small accomplishment.
Create your cyber "help desk" with Pryon
Think of scaling and automating the delivery of cyber practices like managing an internal IT help desk. Read more about the benefits and why to consider Pryon for this critical function.