Employee training a security priority for financial CISOs in 2018, study says

In the past two years, cyberattacks on the financial sector have picked up speed. As companies in the sector struggle with the major shift toward digital transformation, some are caught off guard by the significant rise of malware designed specifically to target their sector, such as Dyre Trojan, Dridex, hybrid banking Trojan GozNym and TrickBot. Once the network is infiltrated, hackers can easily steal, read, alter and even erase top secret information.

Attacks on financial services have increased substantially because their entire business is not only based on collecting sensitive financial data, but also on managing money transactions. Among disastrous security incidents in finance, a standout attack came with the 2015-2016 SWIFT banking hack when critical data was leaked and millions were stolen from customer accounts. One bank alone exposed 1.4GB of sensitive company and customer files.

CISOs in banks, credit unions, investment funds, brokerage companies, accountancy and credit card companies, among others, must invest heavily in security R&D in 2018 to ensure the safety of customer interactions with their services and data privacy. Experts warn that the attack surface has flourished, with companies falling victim to massive data thefts, ransomware and spear phishing attacks mostly due to insider threats. This translates into employee ignorance.

Employees represent the greatest security risk in all organizations. Breaches caused by careless or ill-intentioned staff members are at the top of the vulnerability list that companies have to fix to fend off financial and reputational ruin. Financial CISOs are starting to understand the high risks posed by insider threats, so the current security trend in the financial sector is to actively invest in employee security training.

Employees are a magnet for hackers, so they have to be regularly trained to recognize malicious email attachments and phishing attempts, to avoid clicking on and suspicious emails and links, and to immediately report incidents up the chain of command. 35 percent of CISOs named employee training a top priority in 2018, says a study by The Financial Services Information Sharing and Analysis Center (FS-ISAC). 25 percent said they focus on infrastructure upgrades and network defense, and 17 percent named breach prevention as a key interest.

Peopleware (a metaphor that links people with malware) is a major business risk. Technology is no longer enough for enterprises to safeguard their infrastructures. Serious investments are necessary to train employees about security risks, as they are the first line of defense. Each company has to evaluate and identify, on a case-by-case basis, network security and top vulnerabilities to deliver adequate training. Regular documentation and incident reporting would ideally help them learn from their own mistakes.

By investing in threat intelligence and in cybersecurity-skill workers, businesses could reduce insider threats and increase their detection rate. One roadblock to strengthening their security strategy is that companies are interested in immediate financial gain, but dramatic business changes require time to properly sync with emerging technology trends and develop an effective cybersecurity program. It is not enough for a company to simply embrace digital disruption and expect sudden growth.

New approaches come with new mindsets, so protecting business from cyberattacks also means assuring future growth. Companies, especially in the financial sector, have to make cybersecurity awareness part of their corporate culture as this is the only way they will truly evolve.

Zakir Hussain
Director, BD soft, Country Partner of Bitdefender