Behavior of Brazilian banks employees on Facebook and the cybersecurity governance

Abstract

The financial service industry (FSI) has been the victim of sophisticated cyber attacks that take advantage of vulnerabilities created by employee misconduct. An experiment was conducted on Facebook (R) with 500 employees from the top five largest banks in Brazil and another 100 randomly selected individuals. It was observed that bank employees are more prepared to avoid social engineering than typical Facebook (R) users; however, more training is still needed because an anonymous individual using social engineering techniques successfully infiltrated an online social network (OSN) used by bank employees and gained access to sensitive data. Moreover, by analyzing the banking reports and their policies, it was possible to identify the five main mechanisms of control and governance implemented by the FSI to protect data: (a) incorporate the National Institute of Standards and Technology framework into its model of cybersecurity governance, (b) establish policies that regulate the use of information assets, (c) establish a code of conduct for its employees, (d) develop a corporate security culture, and (e) maintain a corporate security department.