Employees: the biggest cause of and best solution to cyber-crime
Quantifying the business losses triggered by cyber-attacks is not for the fainthearted. Industry experts predict cyber-crime will cost the world $6 trillion annually by 2021, compared to $3 trillion in 2015 (1).
For the perpetrators of such activities – whether they are hostile nation states or criminal gangs – the proceeds derived from cyber-crime are forecast to exceed the total revenues generated by the entire illegal narcotics trade (1). Given the lucrative profits available from this illicit behaviour, cyber-crime is only going to grow.
As more companies and individuals become digitalised, the number of cyber-attack targets will inevitably grow. But it is the cash-rich nature of financial services which makes the industry particularly susceptible to hacks. In fact, cyber-criminals target financial services more than any other sector. Data from the Ponemon Institute, for example, found cyber-attacks cost financial services on average $16.53 million per year, putting it ahead of utilities & energy ($14.80 million) and technology ($11.04 million) by some margin (2).
Cyber-criminals’ operating models have become more sophisticated while they now also have easier and cheaper access to institutional grade hacking software, a major contributor to the severity of recent attacks such as WannaCry back in 2017. Financial institutions have responded in kind by implementing robust cyber-defence systems and appointing security experts – often drafted in from technology companies or even government agencies – to help them manage the growing threats posed by the new breed of hackers.
Improvements in IT infrastructure are obviously positive, but the biggest cyber vulnerability in most organisations is their people. A study conducted by Willis Towers Watson found that 18% of cyber-breaches were caused by external events, whereas 66% were a result of either employee negligence or malfeasance (3). The report added that insufficient employee understanding about cyber-issues and a lack of embedded cyber-risk management within company culture were serious pain-points, which organisations need to urgently remedy (3).
Changing cultural attitudes to cyber-risk
Facilitating behavioural change among employees will require grassroots cyber-risk education and training across the entire enterprise irrespective of geographical location or seniority. Basic best practices instilled on a group-wide basis – such as advising staff to regularly change their passwords or access codes, encouraging reporting of suspicious activities, and exercising caution when joining free public Wi-Fi networks without using a proper VPN channel – are all good starting points.
Practical training in the form of simulated phishing exercises is also seen as an effective preventative measure, and it is something which Societe Generale routinely performs on its employees. Such initiatives are highly valuable learning exercises as employees – having suffered a phishing attempt (even if it is one instigated by their employer) – usually become more cautious about opening unsolicited emails or clicking on dubious links/websites.
Finding the right people
In addition to educating staff about cyber-risks, recruitment needs to be increasingly tailored so banks hire the right people to help mitigate these evolving threats. Societe Generale has created an institute to train employees in cyber-risk, and it is also actively recruiting individuals with cyber-security experience. It is equally important, however, that hiring policies embrace diversity and that individuals from different backgrounds are brought in. This creates cognitive diversity, something which can aid problem solving.
Developing a strong cyber-culture
Technology can help reduce the damage caused by cyber-criminals but changing employee behaviour will be essential. Casual approaches to IT security by staff can be costly or even fatal for companies, so it is critical that firms ensure their personnel receive regular cyber education and training. By reforming cultural and behavioural attitudes internally, companies will be able to reduce the number of attack vectors cyber-criminals can exploit.
(1) Cybersecurity Ventures (2017)
(2) Ponemon Institute (October 2016)
(3) Willis Towers Watson (September 25, 2017)