How can finance defend against the cyber threat? Educating staff is key
Alan Levine, Security Advisor to Wombat Security
No one is safe from the threat of cyber-crime, but attacks against the financial services industry are becoming increasingly sophisticated and frequent, arguably more so than in any other sector.For example, Verizon’s 2017 Data Breach Investigations Report found that around a quarter of data breaches affect the finance industry. A spate of high profile ransomware and denial of service attacks this year against key financial institutions such as HSBC and Lloyds Bank has put data protection and security firmly on corporate agendas and served as a clear wake-up call. Cybercrime and cyber fraud are of particular concern because ultimately, along with damaging consumer trust, cybercrime often results in a huge loss of money.
Just look at this summer’s NotPetya attack. Emerging out of an attack on Ukraine, the malware disrupted the work of several large, global companies, such as Reckitt Benckiser, Mondelez, WPP and Maersk. As a result of the attack, Reckitt Benckiser (a consumer group known for Nurofen and Durex) lost around £110million in sales – this only represents a 1% fall in Reckitt’s yearly growth rate, but shares fell all week after the attack and the organisation had to work incredibly hard to recover and regain investor trust.
The financial sector has seemingly been better than most at proving that they take the cyber threat seriously. For example, at the start of October, the City of London opened a state-of-the-art court with the focus of tackling cybercrime and cyber fraud. The Telegraph reported that “Ministers say the court will enhance Britain’s reputation as a country where banking and finance is underpinned by the rule of law, and help the authorities tackle the growing menace of computer crime.”
However, whilst a lot is being done by the financial industry to tackle the cyber threat, recent research has found that, arguably, tactics aren’t proving to be hugely effective.A recent survey of senior professionals working in retail banks, investment banks and asset management firms found that 87% of organisations feel their businesses aren’t able to enhance their technology fast enough to fight back against evolving cyber-crime. But, a lesson that we’re increasingly learning is that technology isn’t the only answer.No matter how much technology you have in place defending your organisation’s network, if a user clicks on a malicious link or opens a malicious file, the cyber-criminals have found their way in.
Our own research has recently revealed some concerning statistics about end-users in finance-based industries. Our State of the Phish Report found that, in Insurance, there is a 20% click rate on consumer based simulated phishing emails and a 17% click rate on commercial based simulated phishing emails. Furthermore, our Beyond the Phish Report analysed different industries’ general cyber-security knowledge and, on average, those working in finance answered 21% of questions incorrectly. It’s impossible to reduce click rates to 0 but where huge sums of money and a plethora of incredibly sensitive data is at stake, the fact that these percentages are in the double figures is troubling indeed.
Equifax and the Importance of Corporate Culture
Credit company Equifax exposed Personally Identifiable Information (PII) from 145.5 million customers due to what Congress termed a “lax attitude” to protecting consumers’ data. It’s really interesting that while the ex-CEO of Equifax, Richard Smith, blamed both “human error” and “technology errors”, Congressman Frank Pallone didn’t recommend that Equifax upped its security technology but rather claimed that, “… its entire corporate culture needs to change to one that values security and transparency.”
“Lax attitudes” are a huge part of the reason why cyber-criminals are so successful, and this can be challenged by cyber-security awareness and training from the ground up to the board. No one should be exempt. Employees should be a vital part of every security strategy because if technology fails, they’re the organisations’ last line of defence.
People as the Last Line of Defence
I’m a former CISO of a Fortune 500 company,and I learned the hard way that you can’t rely on technology to protect your organisation against cyberattacks. Cyber defence technology is complex and expensive and is especially designed to thwart the next attack – but, the data doesn’t lie. Cyber defences aren’t perfect because hackers will always find your weaknesses and exploit them. And when this happens it will be up to your users to make the right choice: click on a link or don’t. In the 21st Century, clicking has become second nature to us – it’s like blinking or breathing. This is why it is vitally important that cybersecurity training also instills users with the fundamentals of good cyber behaviour, so that they instinctively can identify if a link or file is risky.
Computer users are the fulcrum of the current and expanding cyber storm, and there are steps we can take toward threat mitigation and damage containment. One of the most important pieces of advice that I can give is that we should crystallise our confidence that users will do the right thing if they know the right thing. It is a C-Level responsibility to focus on elevating user understanding of threats so that everyone appreciates their role in cyber defence.
People First at RBS
The Royal Bank of Scotland (RBS) saw that they were experiencing an increase in “drive by” malware entering their system via email, so they implemented an ongoing and effective security awareness programme to improve the bank’s 80,000 email users’ cyber-security skills. RBS initiated the training project in February 2016 and the results were staggering, with employee click rates on simulated phishing emails plummeting from 47% in August 2016 to 22% in October 2016. Today, RBS are operating at a click rate of fewer than 10% and are showing that banks can, and will, fight back.
Cyber awareness programmes should be a fundamental element of every enterprise cyber security programme. If we don’t raise awareness, don’t appreciate the key role users play in cyber defence, and if we fail to train our users as frontline soldiers in our cyber defence programmes, then those initiatives are bound to fail. And when cyber defence programmes fail, our users fail us and we fail our users. It’s just a matter of time before the next NotPetya or WannaCry hits – don’t you want to do everything you can to prevent your organisation’s name from being on the front page of the newspapers for losing millions of pounds of profit?