Despite unprecedented cybersecurity budgets, some of which now exceed hundreds of millions of dollars per year, financial services institutions remain atop the most targeted industry list. In fact, according to CSO, banks get attacked four times more than any other industry. Additionally, Infosecurity Magazine reported in 2015 that the financial services industry has been hit by 300% more cyber attacks than any other industry. Not surprisingly, the only comparable industry in terms of attack frequency and scale is healthcare, which, according to the IBM X-Force Cybersecurity Intelligence Index, “tops the list of most attacked industries” in 2016 so far.
Whether or not financial services finish 2016 as the first or second most targeted industry is irrelevant, because damage continues to be done. According to Kaspersky Labs, hackers stole “$1 billion from 100 different financial institutions across the U.S., Germany, Russia, Ukraine, and China over the past two years.” This number is particularly disturbing considering the largest financial institutions independently spend $500 million or more annually on cybersecurity.
Bots & Phishing Top the Threat List
Bot attacks, according to the most recent ThreatMetrix Cyber Crime Report, currently represent the biggest threat to financial institutions. Also problematic is ransomware, which, as we recently wrote about, is the outcome of increasingly sophisticated phishing and spear-phishing campaigns that target both employees and customers. The epidemic is so widespread that, in the United States, the FBI has issued bulletins to financial services companies about ransomware and is urging businesses to report attacks to its cyber crimes department.
To identify phishing and spear-phishing campaigns, financial institutions of all sizes have spent significant time and resources on employee education. Training employees to become the first line of defense is virtuous in theory, but has proven only somewhat effective. Recently, researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, completed a study on phishing. Astonishingly, the study found that despite 78% of people claiming to be conscious of suspicious emails, almost 56% of those same people clicked on email links and 40% clicked on Facebook messages from people they did not know. For financial institutions, these stats reveal that anti-phishing policies that emphasize human intelligence without a real-time automated response are insufficient at best.
HR/IT Convergence to Identify Vulnerabilities and Stop Cyber Attacks
Just as information technology (IT) and operational technology (OT) are converging as a means to better protect the industrial control systems of critical infrastructure, so too must human resources (HR) and IT converge to reduce risk for financial services institutions. Unfortunately, there is very little precedent, if any, for these two traditionally disparate business units to work together. But with no sign of threats against the industry diminishing, it is imperative for risk reduction that HR and IT collaborate like never before.
Here are three ways in which HR/IT convergence can help reduce risk from cyber attacks.
- Cyber Awareness Training Begins with Employee Onboarding – Changing behavior is a process, and it should begin on every employee’s first week. During the initial stages of onboarding, HR must work with IT on a cybersecurity training program that uncovers the employees’ level of awareness and thoroughly emphasizes the organization’s commitment to preventing cyber attacks. By working together, HR and IT can create a training experience that is fun and interactive, so that it is perceived as a “want to” activity and not a boring “have to.”
- Incentivize Ongoing Training – A recent study by Genesis Associates found that “85% of workers felt more motivated to do their best when an incentive was offered.” Thus, HR and IT should collaborate on ways to incentivize all employees – from the most junior bank tellers to senior executives – to frequently refresh and expand their cybersecurity aptitude. While the resources of each institution will vary, incentives like additional compensation, extra time off, free meals or gift cards are proven to motivate employees at all levels. Would you rather incentivize employees for completing cybersecurity training or have proprietary data held for ransom for millions?
- Policy & Compliance Assessment – According to a com article, “the connection between HR professionals and security professionals needs to be the closest it’s ever been.” In today’s threat landscape, IT needs more ‘eyes and ears on the ground’ to identify both intentional (insider threats) and unintentional lapses in compliance. HR can fill that role. In addition, HR needs information from IT about employees who are negligent in fulfilling their cybersecurity responsibilities. If HR is able to obtain this information in close to real time, then they can intervene, send reminders and, when necessary, penalize employees.
HR/IT convergence alone will not stop attacks from being successful. But if these two business units can collaborate, financial institutions will lower risk in a world in which threats amplify almost daily.