[BreachExchange] Employee Training: A Security Priority For Financial CISOs

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 12 21:04:26 EDT 2018


http://www.cxotoday.com/story/employee-training-a-security-priority-for-financial-cisos/

In recent years, cyber-attacks on the financial sector have picked up
speed. As companies in the sector struggle with the major shift toward
digital transformation, some are caught off guard by the significant rise
of malware designed specifically to target their sector, such as Dyre
Trojan, Dridex, hybrid banking Trojan GozNym and TrickBot. Once the network
is infiltrated, hackers can easily steal, read, alter and even erase top
secret information.

Attacks on financial services have increased substantially because their
entire business is not only based on collecting sensitive financial data,
but also on managing money transactions. Among disastrous security
incidents in finance, a standout attack came with the 2015-2016 SWIFT
banking hack when critical data was leaked and millions were stolen from
customer accounts. One bank alone exposed 1.4GB of sensitive company and
customer files.

CISOs in banks, credit unions, investment funds, brokerage companies,
accountancy and credit card companies, among others, must invest heavily in
security R&D in 2018 to ensure the safety of customer interactions with
their services and data privacy. Experts warn that the attack surface has
expanded, with companies falling victim to massive data thefts,
ransomware and spear phishing attacks mostly due to insider threats, which
in turn come down to employee ignorance.

Employees represent the greatest security risk in all organizations.
Breaches caused by careless or ill-intentioned staff members are at the top
of the vulnerability list that companies have to fix to fend off financial
and reputational ruin. Financial CISOs are starting to understand the high
risks posed by insider threats, so the current security trend in the
financial sector is to actively invest in employee security training.

Employees are a magnet for hackers, so they have to be regularly trained to
recognize malicious email attachments and phishing attempts, to avoid
clicking on suspicious emails and links, and to immediately report
incidents up the chain of command. 35 percent of CISOs named employee
training a top priority in 2018, says a study by The Financial Services
Information Sharing and Analysis Center (FS-ISAC). 25 percent said they
focus on infrastructure upgrades and network defense, and 17 percent named
breach prevention as a key interest.

Peopleware (a metaphor that links people with malware) is a major business
risk. Technology is no longer enough for enterprises to safeguard their
infrastructures. Serious investments are necessary to train employees about
security risks, as they are the first line of defense. Each company has to
evaluate and identify, on a case-by-case basis, network security and top
vulnerabilities to deliver adequate training. Regular documentation and
incident reporting would ideally help them learn from their own mistakes.

By investing in threat intelligence and in cybersecurity-skilled workers,
businesses could reduce insider threats and increase their detection rate.
One roadblock to strengthening their security strategy is that companies
are interested in immediate financial gain, but dramatic business changes
require time to properly sync with emerging technology trends and develop
an effective cybersecurity program. It is not enough for a company to
simply embrace digital disruption and expect sudden growth.

New approaches come with new mind-sets, so protecting business from
cyber-attacks also means assuring future growth. Companies, especially in
the financial sector, have to make cybersecurity awareness part of their
corporate culture as this is the only way they will truly evolve.