WFE unveils best practice guidelines for cyber security compliance

Advertisements

The World Federation of Exchanges (WFE) on Thursday published a set of best practice guidelines for market infrastructures designed to engender a staff culture of cyber security compliance.

​ The paper takes a behavioural approach to the issue, as evidence shows that moving away from classroom-based refresher sessions and thinking more creatively about how to get staff to consider cyber defences in everything they do is more effective in creating long-term cyber compliance.

According to WFE, applying behavioural insights and ‘nudge theory’ – brought to prominence by Nobel Economics laureate Dr Richard Thaler with Cass Sunstein* – can be useful to change staff security behaviour.

Applying small ‘nudges’, or offering incentives regularly to staff, leads to greater discussion and awareness of cyber threats which may result in better cultural outcomes.

The best practice guidelines for WFE members to consider when creating a cyber compliance framework include:

Advertisements

Behavioural incentives

These include focusing on cyber security in the home environment; bringing hackers into the workplace to demonstrate to staff how easily devices can be compromised; linking compensation to compliance; rewards programmes; awareness campaigns; and the use of ‘gamification’ – making desired security behaviours fun or competitive.

Cultural incentives

These incentives start with creating a culture of personal responsibility and common sense, relating cyber awareness to personal life, family and home. Other incentives include making cyber security awareness and compliance a Key Performance Indicator (KPI); using language that is simple, jargon-free, creative and graphical; and finally, story-telling, using analogies and anecdotes to explain complicated concepts.

Operational support

Training: Ensure training is regular and accessible, particularly for new joiners; always train technical staff on cyber awareness (often the first group targeted in cyber-attacks); and implement a strong password/locked computer screen policy, to create a sense of personal ownership.

Transparency: Security policies, disaster recovery and post-breach communications plans should be clear and shared with employees; provide a list of approved and restricted websites, services, software and applications.

Technology: Develop ‘bring your own device’ guidelines; and deploy software tools that launch test phishing emails.

Nandini Sukumar, CEO, The WFE said: “Exchanges and CCPs spend significant time and money on ensuring the technology that underpins the markets they operate and clear meets – and exceeds – the complicated patchwork of technical standards, rules and regulations they are subject to. Our best practice guidelines show that by making small changes to cyber compliance behaviour, the humans using that technology can become a stronger line of defence against cyber-attacks.”

Gavin Hill, Head of Regulatory Affairs, The WFE added: “This set of guidelines is also designed to support future dialogue with regulatory authorities as they continue to consider how best to strengthen the system in response to an ever-increasing degree of sophistication of cyber-criminals.”

Advertisements