Building a Human Firewall: The First Line of Defense

Training and preparation have never been more crucial in the financial services industry. Updated privacy regulations from Europe, China, and the US have both risk management companies and cyber insurance brokers racing to provide institutions with the best tools to prevent harmful cyber threats. However, most organizations today aren’t utilizing the tools they already have – the tools that could help prevent breaches altogether – employees.

An auditor will usually begin a risk audit by referencing a checklist and identifying any weaknesses in a company’s digital security network, but it doesn’t stop there. The auditor will also evaluate the business’s email system. Some of the most damaging cyber threats begin with malicious links embedded in emails, and they can be more cunning than you think.

Here’s an example.

An attacker can often find a bank’s corporate roster by visiting the bank’s website and going to “About.” Let’s say this bank’s Chief Operations Officer is named John Smith. The attacker only needs a name. From there, they can create a fictitious email address, e.g. jsmith@[nameofbank].com. This method may sound rudimentary for a skilled hacker to pursue, yet email remains the most effective vector for cyber attacks. Now the attacker is disguised behind a trusted name and may be able to exert influence inside the company. Additionally, by choosing the COO, the attacker can appear to have a knowledgeable background in information technology and project management, topics a lower-ranking employee may be less familiar with. Over email, the attacker can ask for employee log-in details and client lists and, depending on the malware they deploy, potentially reach all the sensitive information tied to consumer online banking. It’s that easy.
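The impersonation scenario above, turned into a defender-side check, as an added example that is not part of the original article: it parses an inbound From: header and flags a message whose display name matches a published executive roster but whose sending address is not on the bank's own domain, or whose domain is a one-character lookalike of it. The roster, the domain and the sample headers are constructed placeholders.

```python
# Added example, not from the article: flag inbound mail that impersonates an
# executive named on the public "About" page. Roster, domain and headers below
# are constructed placeholders, not real data.
from email.utils import parseaddr
import unicodedata

# The roster an attacker could copy from the website, and the bank's real domain.
EXEC_ROSTER = {"john smith": "Chief Operations Officer", "jane doe": "CISO"}
OWN_DOMAIN = "examplebank.example"


def _norm(name: str) -> str:
    """Lower-case, strip accents and collapse spaces so 'Jöhn  Smith' == 'john smith'."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.lower().split())


def lookalike_of(domain: str, own: str) -> bool:
    """True when domain differs from own by exactly one inserted, dropped or swapped char."""
    d, o = domain.lower(), own.lower()
    if d == o or abs(len(d) - len(o)) > 1:
        return False
    i = 0  # length of the common prefix
    while i < min(len(d), len(o)) and d[i] == o[i]:
        i += 1
    # substitution, insertion into d, or deletion from d at position i
    return d[i + 1:] == o[i + 1:] or d[i + 1:] == o[i:] or d[i:] == o[i + 1:]


def classify_from_header(from_header: str) -> str:
    """Return 'ok', 'lookalike-domain' or 'impersonation' for a raw From: value."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == OWN_DOMAIN:
        return "ok"  # internal address; assumes SPF/DKIM were checked upstream
    if lookalike_of(domain, OWN_DOMAIN):
        return "lookalike-domain"
    if _norm(display) in EXEC_ROSTER:
        return "impersonation"  # executive's name on a free-mail or foreign domain
    return "ok"


if __name__ == "__main__":
    # Constructed sample headers
    for hdr in ["John Smith <jsmith@examplebank.example>",
                "John Smith <jsmith@gmail.example>",
                "Jöhn Smith <coo.john.smith@outlook.example>",
                "IT Helpdesk <help@examp1ebank.example>"]:
        print(f"{classify_from_header(hdr):17} {hdr}")
```

A check like this belongs alongside, not instead of, SPF/DKIM/DMARC enforcement and the awareness training the article argues for.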

Since it really is that easy, risk management companies and cyber insurance brokers are no longer using technology-based approaches to help businesses mitigate cyber risk. Instead, the focus has shifted towards education and employee training methods. A UMass Dartmouth study, which gathered responses from roughly 1000 employees, revealed that nearly 50% were not proficient in various areas of cyber awareness. The categories included creating strong passwords, traveling, emailing, and disclosing information over the phone. Only 56% of the respondents claimed confidence in their coworkers’ abilities to recognize and avoid cyber-attacks. This indicates that some employees may be reluctant to admit to their own cyber behavior weaknesses.

The bar has been raised. People need to be vigilant. For financial institutions alone, hundreds of thousands of attempted attacks occur daily. Email is not the only vulnerability. Employees should be properly trained in using the phone and computer, and even in traveling safely while carrying sensitive data. Cybercrime has advanced. It’s time to catch up.