How cyber safe aware are we, really?
As personal and professional ‘digital personas’ become more intertwined, the financial services industry faces a growing challenge: adequately educating customers across the ‘digital frontier’ about the increasing risks and trends of cyber-attacks, and protecting them from those attacks.
Understanding the importance and fundamentals of security awareness is critical, not only internally with our staff, but equally outwards, towards protecting our most prized treasure, the customer. While the tendency to protect every aspect of customer engagement is ingrained in many bankers’ DNA, heightened focus on careful identification (KYC – Know Your Customer), verifiable transaction analytics (AML – Anti-Money Laundering) and secure transaction verification (OTP – One-Time Password) is essential. Providing customers with assurance that highly secure, deeply integrated and intertwined systems are maintained is key within every financial services organisation. However, as we have discussed through Arise webinars and direct engagement with our partner banks, all these state-of-the-art systems share one weak link in the chain: the human factor.
Social engineering, or social hacking, has taken centre stage in circumventing highly secure systems by finding alternative ways to manipulate people, with the intent to commit fraud. When reviewing the deep foundations of social engineering, we find that the psychological manipulation of people into performing actions or divulging confidential information, either through fear or through lack of knowledge of the situation, is highly prevalent across the globe. Many customers do not understand the implications of disclosing their card PIN in a telephone call, or of clicking on a link to a look-alike internet banking site to perform a transaction on the strength of an obscure email. For con-artists and thieves this makes it easier to manipulate the target into acting voluntarily, and it is less stressful than holding a gun to a teller or demanding money from the safe. Both criminal approaches have similarly devastating consequences: loss of money, and loss of customer trust in the organisations meant to keep customers and their money safe.
So how does one fall victim to cybercrimes?
While some syndicates have become extremely sophisticated in their attempts at phishing and vishing, the fundamentals of both remain the same. The Oxford dictionary defines phishing as “The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information, such as bank details and credit card numbers. The outcomes are fundamentally the same: personal information, bank details and card numbers are fraudulently obtained.
Investment in cyber security knowledge-sharing campaigns with customers is fast gaining momentum. These campaigns give customers direct knowledge of how to identify a phishing or vishing attack, and of what to do if they believe they have fallen victim to one of these scams. However, we have found that not enough focus is placed internally on educating staff about the dangers of cyber-crime. Staff tend to place a degree of blind faith in large organisations that rely heavily on secure technology infrastructure, trusting that some IT security expert, hidden deep in a corner of the bank, is watching and keeping them safe from external cyber-attacks. This is, in a fashion, true: not the hidden dark corner, but there are security experts assisting in the protection of key information assets. Unfortunately, not everything, nor everyone, can be watched constantly.
95% of the attack landscape is focused on three high-usage channels, namely email, instant messages and telephone calls. Unfortunately, not every vulnerability on these platforms can be patched. Organisations need to educate staff to be extra vigilant when opening unsolicited mails, or mails that could be construed as outside normal practice. The same vigilance applies to unexpected telephone calls from ‘the IT department’ requesting that a certain program in an email that has just been received be run. These usually relate to payments, login credential updates or account resets.
To give context to the magnitude of this problem: during the height of the COVID-19 lockdown, reportedly 135 million phishing attacks a day occurred across the African continent. That we, as financial services practitioners, expect our cyber security teams to keep us safe 135 million times a day is difficult to comprehend; a hacker needs only to be right once to exploit a vulnerability in the chain, which is usually the human link.
Phishing is by far the preferred first delivery method for malicious software. A phishing attack targets not only the bank employee’s personal information, but also their professional work information and capacity, with the same intent to exploit where possible. Once activated, the phishing attack can facilitate the distribution of malicious programs, such as ransomware or vulnerability-exposing software, within the bank network. Email attachments remain the primary delivery method for malicious programs; these have been found to slip through secure bank mail servers by emulating PDF scans or even JPEG image files. Users are quick to open these files without realising the danger they pose, and/or quickly close the file after realising the mistake, but by then the malicious software has already run and the vulnerability has been exploited. Allied to this, poor reporting of these attacks to management and the relevant security teams leaves banks highly vulnerable to this exploitable human factor.
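As an added illustration of the attachment problem described above (example code, not from the original article or Arise), the following screening logic flags attachments whose content does not match the PDF or JPEG file type their name claims, or whose name hides an executable behind a double extension. The sample attachments are constructed inline; the function and file names are assumptions.

```python
# Magic bytes that genuine files of each claimed type start with.
MAGIC = {
    "pdf": [b"%PDF-"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
}
# Extensions whose content is executed or interpreted when opened.
EXECUTABLE_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "jar", "msi"}


def screen_attachment(filename: str, data: bytes) -> list:
    """Return the reasons this attachment looks disguised (empty list = no finding)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # "scan.pdf.exe": a document-looking name in front of an executable extension.
    if len(parts) > 2 and parts[-2] in MAGIC and ext in EXECUTABLE_EXT:
        reasons.append(f"double extension '.{parts[-2]}.{ext}' hides an executable")
    if ext in EXECUTABLE_EXT:
        reasons.append(f"executable extension '.{ext}'")
    # "photo.jpg" whose bytes are not a JPEG: the name lies about the content.
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        reasons.append(f"content does not match the '.{ext}' file header")
    # Windows PE files start with "MZ" regardless of what the name claims.
    if data.startswith(b"MZ") and ext not in EXECUTABLE_EXT:
        reasons.append("Windows executable content under a non-executable name")
    return reasons


def triage(attachments: list) -> dict:
    """Map each suspicious attachment name to its findings; clean files are omitted."""
    findings = {}
    for name, data in attachments:
        reasons = screen_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample attachments (truncated byte contents are enough for the header check).
SAMPLE_ATTACHMENTS = [
    ("statement.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),      # genuine PDF
    ("holiday.jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),          # genuine JPEG
    ("scan.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),            # PE hidden by double extension
    ("photo.jpg", b"MZ\x90\x00\x03\x00\x00\x00"),               # PE renamed to look like an image
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(name, "->", "; ".join(reasons))
```

A real mail gateway would combine this with sandboxing and signature scanning; the point here is that the name alone is never evidence of a safe attachment.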
So how do we overcome this?
At Arise, we have determined that the most effective approach is an alternative approach to security awareness that extends beyond the work environment into the home. By engaging staff and explaining the vulnerabilities they may face in their personal and work capacity, they develop a knowledge of cyber safety across their lifestyle that they can subscribe to. These fundamental ‘hygiene’ protocols and lessons make it easier for staff to promote the same message to customers, becoming knowledge advocates who help protect the vulnerable human factor from targeted attacks.
Security teams across the continent are driving this message aggressively within their organisations, through targeted security training on social networking protection (Facebook, LinkedIn), instant messaging platforms (WhatsApp, SMS), home network safety, device safety and even children’s online safety. Educating staff and customers in the alternative ways of protecting themselves and their families against the exposure and loss of private and financial information is paramount in dealing with the scourge of cyber-attacks.
A blanket, one-size-fits-all cyber security awareness strategy is unfortunately not effective. However, by working with cyber security awareness experts, financial institutions can build the internal capability to meet targeted security awareness objectives, reducing the risk to customers and improving the security posture of the organisation through its primary asset, its people. This should not be a once-off event; it should entail constant review and a refresh of the training material as security risks change and protection methods adapt. This is a long-term and likely continuous requirement for financial institutions, growing in criticality as digital banking and social media platforms become more pervasive in servicing customers.
Author, Clinton Abbott: Arise Director Banking and Innovation