No spoiler alert necessary here: cyber criminals lust after your firm’s sensitive data and customer wealth.
In the past year, I’ve seen an executive socially engineered to wire transfer $47 million, fraudulently, to a high-school hacker. I’ve helped train a banking call center on how to stop losing more than $300,000 per month to vishing scams (I’ll share solutions to these and other threats at this year’s Nucleus annual conference).
I’ve watched ethical, white-hat hackers ‘sniff’ unprotected IP addresses and cloud traffic from the financial adviser’s parking lot. And I’ve witnessed innumerable cases of cyber extortionists encrypting mission-critical data and then demanding a ransom (which they almost always get). But it makes me the saddest to watch businesses collapse after ending up as a disastrous data breach headline – too late in reacting to cyber threats.
Your firm most certainly does not have to suffer a similar fate. But how are you, a leader within your organisation, supposed to cope with such a wide range of threats while managing business as usual? The answer lies, as does so much of your success, in preparation and in the strength of your culture. When you build security into your daily operations, from the boardroom to the break room, your risk footprint rapidly diminishes.
I see a handful of cultural security weaknesses in many of the financial organisations I visit around the world. By identifying your weaknesses, and by resolving them decisively, you will begin to build a fabric of security that permeates every transaction your firm makes. Here are three questions to ask of your own culture of security:
1 Are you overlooking the human element of cyber security?
Most financial institutions, whether through compliance or experience, have implemented a strong technological response to cyber threats. Fewer have aligned their workforce to operate those systems with care and integrity. Target spent millions on an intrusion detection system prior to its pre-holiday breach, which exposed some 40 million payment cards and the personal data of 70 million customers. The system flagged the malware on Target's point-of-sale network before the card data was exfiltrated.
An inadequately trained member of Target's security team either ignored or misinterpreted those warnings and did not act on them. Hundreds of millions of dollars later, prevention was but a mirage in Target's costly rear-view mirror. Your people are your greatest asset in the fight against data theft, but you must deliberately assign budget and training resources to keep them from becoming the weakest link in your security chain.
2 Are you making security a selfish reflex?
It pains me to watch an organisation bore their team to tears with security policies, procedures and PowerPoints. To be effective, security must become a habit – a reflex as natural (and effectively selfish) as crossing to the well-lit side of the street. Good security habits start when we are genuinely motivated to learn how to protect the things in life we care about most – our kids, our homes, our wealth and reputation – not when we are force-fed corporate techno-babble.
If you want to build a culture of security, make sure that your training is entertaining, bite-sized, consistent and relevant. For example, we developed a series of short, highly actionable security video tips for the financial industry that dramatically increases customer click-through rates, training absorption and behavioural change – in some cases by 500%. Tools like these increase engagement with security by focusing success on people (customers and employees) even as they lower fraud and improve the bottom line.
3 Are you bridging the evaluation vs execution gap?
If your firm doesn’t have a clear cyber roadmap of where you are going – of top priorities vs nice-to-haves – you will forever languish in the danger zone that exists between knowing and doing.
Conducting security audits, addressing technology disruption (think mobile payments), adjusting for digital currencies (Bitcoin) – none of these prevailing trends is worth your investment if you don’t implement the security that protects its value. I have seen $20,000 penetration-test reports sit on a president’s desk, unimplemented, so long that they practically invited the resulting million-dollar breach. You can’t just evaluate; you must have the muscle to act.
If you are uncertain where your firm stands on these three starter questions, you are not alone. Continuing to leave them unanswered, however, will leave you standing alone amid the wreckage, wondering why it took a crisis to make you a believer.
I know, because I have been there myself.
John Sileo will be discussing 'the cyber blacklist: hack-proofing your financial practice (and clients)' at this year's Nucleus annual conference. Find out more and book your place using the link below.