Roy Bené – NexBank
It was a subject line NexBank employees had seen dozens of times before: “You have a new email from eFax.” Once opened, the email invited them to click on a link directing them to the relevant file—in this case, a PDF.
And click they did. Within minutes, another email hit their inboxes, this one from the bank’s information security officer, Roy Bené. Only this time, the subject was a bit more ominous.
“You’ve been phished.”
All told, 40 percent of the bank’s employees failed the test. For the NexBank team, there was a lot of work to do.
“We really tried to make the discrepancies easy to spot,” Bené says. “We misspelled the eFax domain name; when you hovered over the link, it was clearly sending you to the wrong site. But a lot of people clicked—as if going about their daily routine. So it was a really good way to take the temperature of the team and figure out where we stood.”
Back to basics
In the wake of NexBank’s initial test, conducted shortly after Bené’s 2015 arrival, he knew the organization had a long way to go—like most businesses. Despite growing awareness of the perils of phishing scams, 25 percent of U.S. employees are still likely to click on a suspicious link. Bené’s goal wasn’t merely to surpass this threshold; he wanted to obliterate it.
After getting approval from the bank’s board, Bené launched a pair of cybersecurity training initiatives: one for new hires and quarterly modules for all NexBank employees.
Once an employee is hired, they have 30 days to finish the initial training modules, which include tutorials on safe web browsing, how to create safe passwords, tips for spotting malicious links in emails, and so on.
The price for not completing the modules? Let’s just say you’ll know it when you see it.
“You won’t be able to log into anything,” Bené says matter-of-factly. “That doesn’t happen often, but when it does, people get the message: We take this stuff seriously.”
By contrast, the ongoing-training modules—which Bené changes up once every quarter to account for the latest hacking schemes and best practices—are designed to be short, interactive and fun.
There’s a module that shows users how to create a secure password; one that sends a seemingly legitimate email from the bank’s mortgage company with made-up loan information; another that tricks people into believing a coworker is sending them an online shopping deal.
But while most of the exercises are designed to build on lessons learned in the initial training sessions, there’s one module that takes the idea of real-world education to the next level.
Twice a year or so, Bené will send a representative from a local cybersecurity auditing firm to NexBank’s off-site branch. Dressed in official-looking uniforms, these auditors will tell branch employees they’ve been hired to examine the facility’s computer systems. Only when an employee grants access do the auditors reveal their true identities—and the lessons to be learned.
“It’s very important that you not limit yourself to just email testing,” Bené explains. “These social-engineering strategies are a great way to keep everyone on their toes and realize that threats don’t just come electronically.”
Around the corner
In February of 2018, a little more than two years after he first implemented his training regimen, Bené sent out another phishing test. This time, the lure was far more sophisticated: the email posed as a legitimate message from the IT department, stating that the user’s password had been compromised and that they needed to log in immediately via a link to take care of it.
The link led to a legitimate-looking Outlook Web Access page. If a user clicked on the link in the email, that was strike one. If they put in their username, strike two. Putting in their password? Automatic fail.
Within a week, the results were in: Only 2 percent of NexBank employees fell for the ploy.
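One way to grade a simulated campaign under that three-tier scheme and produce the headline fail rate, as an added example that is not NexBank’s tooling (the log format, event names and sample users are constructed assumptions):

```python
from collections import Counter

# Constructed sample telemetry in an assumed "<timestamp> <user> <event>" format;
# the article does not describe NexBank's real platform or log layout.
SAMPLE_LOG = """\
2018-02-05T09:01:12 alice delivered
2018-02-05T09:01:12 bob delivered
2018-02-05T09:01:12 carol delivered
2018-02-05T09:01:12 dave delivered
2018-02-05T09:04:40 bob clicked
2018-02-05T09:05:02 bob username
2018-02-05T09:05:09 bob password
2018-02-05T09:07:30 carol clicked
2018-02-05T09:11:00 alice reported
2018-02-05T09:15:45 dave clicked
2018-02-05T09:16:01 dave username
"""

# The article's grading: click = strike one, username = strike two,
# password = automatic fail. A user's worst action decides their outcome.
SEVERITY = {"delivered": 0, "reported": 0, "clicked": 1, "username": 2, "password": 3}
OUTCOME = {0: "pass", 1: "strike one", 2: "strike two", 3: "fail"}

def parse_events(log):
    """Yield (user, event) pairs, skipping blank or malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in SEVERITY:
            yield parts[1], parts[2]

def score_users(log):
    """Map each user to the outcome of their worst action in the campaign."""
    worst = {}
    for user, event in parse_events(log):
        worst[user] = max(worst.get(user, 0), SEVERITY[event])
    return {user: OUTCOME[level] for user, level in worst.items()}

def summarize(log):
    """Campaign metrics: outcome counts, the headline fail rate (password
    entered) and the share of users who reported the email."""
    scores = score_users(log)
    counts = Counter(scores.values())
    total = len(scores)
    reporters = {u for u, e in parse_events(log) if e == "reported"}
    return {
        "total": total,
        "outcomes": dict(counts),
        "fail_rate": round(100 * counts["fail"] / total, 1) if total else 0.0,
        "report_rate": round(100 * len(reporters) / total, 1) if total else 0.0,
    }
```

Tracking the report rate alongside the fail rate shows whether training is producing reporters, not just fewer clickers.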
“Even I was surprised by how far we’d come,” Bené reflects. “It’s a testament to how everyone has embraced the importance of cybersecurity. We have such a great team here and we’re in a much better place than we were, that’s for sure.”
Every base covered
Not that there’s any time for resting on laurels. Citing the “never-ending arms race between IT professionals and cybercriminals,” Bené and his IT team are hard at work on the next generation of safeguards and stopgaps.
As part of the organization’s broader digital transformation efforts, one of Bené’s biggest projects has been to replicate NexBank’s vast data troves and implement a fully functional DRaaS (Disaster Recovery as a Service) platform. In the event of a massive data breach, the bank will be able to resurrect past data in as little as 12 hours—rather than the 12 days it would’ve taken before.
NexBank’s cybersecurity efforts are being extended to customers as well. Instead of creating hyper-specific passwords with no dictionary words or repeating numbers and letters (a level of complexity that forces many people to write their passwords down, risking theft), customers will be encouraged to use “pass phrases”: 16-character mini-sentences that are so secure it would take a hacker 32 years to crack one.
The 2020 initiative Bené is most looking forward to, however, is the one he can least afford to talk about. Though he does offer one, enticing hint: Never trust anyone.
“I don’t want to give anything away—that would ruin the surprise,” Bené says. “But we’re taking our social-engineering modules to the next level. We have to. And we think our employees will be right there with us.”