Cybercrime is booming, and financial services firms find themselves right in the firing line of highly-sophisticated social-engineering attacks. Human error continues to be a key weakness.
Back in 2014 hackers got into the network of JP Morgan Chase and gained access to the names, email addresses and contact details of around 70 million customers. The cause: one of the company’s employees had his login details stolen, which gave the hackers a free pass. The lesson of this story? Spend as much as you like on cyber security; your biggest weakness may be your own staff.
A report from the United Kingdom’s data protection agency (the ICO) found that, although the number of data breaches reported to its offices had grown by 75%, only 12% of these were down to malicious acts. The rest were due to human error.
Some of the mistakes can be quite glaring. The report found that the most common cause of the breach (38%) was data being sent to the wrong recipients. Even the biggest companies are not immune.
Last year, Barclays admitted that it was mistakenly sending out PINs together with new bank cards, putting customers at risk of identity fraud.
Why financial firms are targets
This is a major issue because not only is cybercrime booming, but criminals are actively targeting the financial sector. Attacks against financial firms have risen by 80%, according to the Financial Conduct Authority in the UK.
The sector may pride itself on being more resilient than most to cybercrime, but that doesn’t stop the criminals from giving it a go. The reasons are simple: criminals go where the money is, and while you might expect financial services firms to be ahead of the game when it comes to cyber security, that is not always the case.
Moreover, attacks are becoming much more convincing. For example, phishing emails are becoming much smarter. The days of the ‘Nigerian Prince’ who needs help with an unexpected cash-flow crisis are behind us.
Instead, you should expect convincing, professionally drafted emails which closely mimic the branding of well-known organisations. What’s more, criminals are turning to social media to personalise their attacks.
They have a lot of information to go on. By stalking profiles on Twitter, LinkedIn or Facebook, they can find out where someone lives, where they work and often who they work with. They can then send emails which appear to be a work request.
For example, you might receive an email which appears to be from a colleague working on a project. They may ask for login details and you’ll be tempted to provide them. However, if an attacker has gained access to that colleague’s account, you’ve just given them an open invitation into the internal workings of your organisation.
The attackers are helped by the increasing use of freelancers around the world. It is not uncommon for employees to be collaborating with remotely based individuals whom they have never met. If they get an email from a stranger claiming to be working on a project, many of them might not suspect a thing.
Information Security Training is the Answer
Investment in technology and infrastructure is obviously important, but if this is not coupled with a robust and comprehensive plan of employee training and education, all that money could easily be wasted.
This should start by ensuring the executive team fully buys into and takes ownership of the strategy. This is not simply a function of the IT department – instead it is something which should be treated as a core business interest.
Every organisation will have different requirements. These should be fully assessed and current levels of awareness among staff measured. From there an organisation can start to plug its weak points, such as ensuring each member of staff only has the level of access he or she needs to do the job, and that they follow standard best practices for managing their passwords.
Around a quarter of employees persist in using the same password for every account and will often use passwords from their personal accounts for those they use at work. This means your network is only as strong as that individual’s own security measures. By ensuring staff members use different passwords, and change these at regular intervals, you can go a long way to eliminating a key weakness.
Last but not least, you need to maintain tight oversight across the organisation to ensure everyone is sticking rigidly to the rules. It’s one thing to train individuals, but another to ensure they continue to follow the guidelines you’ve set in their day-to-day working life.
The most important thing is to avoid the mistake of viewing cybercrime solely through the lens of technology. Yes, there is a high-tech arms race between criminals and IT departments, but the human element remains, as ever, your Achilles heel.
We can help your employees become more resilient against such attacks with our tailored training programme for employees working in finance-related functions:
Anti-Phishing / Spear-Phishing Training
Cyber-Security Awareness Training
IT Security Policy Re-Enforcement
Simulated Phishing / Anti-Phishing Training
Our training helps secure the employees of:
Finance departments of organisations
Stock brokerage firms
Investment / wealth management firms