We are all well aware of the pandemic-driven global shift to remote work, and the financial industry is unsurprisingly not an exception to the rule. But a report by Interpol showed that cyber fraud significantly grew since the start of the pandemic as well, with the financial industry emerging as a top target of criminals. I had the opportunity to interview Richard Verbrugge, Information Security Awareness Manager of International Bank ABN AMRO, about some of the top cybersecurity challenges facing the financial industry today.
Their biggest threats are ransomware and supply chain attacks. Those attacks often start with a malicious email, so an important focus area for employee awareness training remains email.
Over the past year, email volume sent to financial institutions rose by 81%. Meanwhile, social engineers redoubled their efforts to exploit the pandemic, specifically in the form of phishing and social engineering attacks, the most prevalent form of cybersecurity fraud in the financial industry, and for banks in particular. This rise in email attacks has multiplied the cybersecurity challenges facing financial institutions, as breaches can severely impact their brand credibility.
Grasping the importance of high consumer confidence for banks, hackers target the financial industry due to the amount and type of sensitive customer information financial institutions possess. The modern customer has a myriad of banks to choose from, contrary to the brick-and-mortar days where one town had one bank, and brand image was not a widely valued concept. But in today’s business climate, a breach can drive customers to move their banking somewhere perceived as more secure.
Interview with Richard Verbrugge, Information Security Awareness Manager, International Bank ABN AMRO: Phishing attacks and digital transformation
Online banking has been around for more than two decades, but the pandemic accelerated digitalisation especially rapidly for banks. Mobile banking traffic has skyrocketed since the start of the pandemic, which contributed to a much stronger reliance on online systems, both within the organization and from the side of the consumer.
One of the key insights Verbrugge shared was that cyberattacks have heavily increased not only in volume during the pandemic, but in their sophistication as well.
“The pandemic provided psychological fuel for phishing attacks by cyber criminals, who do not shy away from defrauding people by using taboo subjects such as death or unease over the covid vaccine in their carefully crafted email threats,” said Verbrugge.
The phenomenon in which phishing is purposely deployed as a method to abuse a company’s brand is called “Brand phishing.” This sophisticated form of phishing, in which a trusted brand is spoofed in an email for malicious purposes, is primarily targeted at the customers of large financial institutions. Brand phishing has become more common than ever before. Banks are worried that their strong brand name will be misappropriated in malicious emails and social engineering attacks on customers. Having your brand abused by cyber criminals in a phishing campaign can lead to reputational damage.
“The need for security awareness training is compounded in the financial industry because cybercrime is often financially motivated,” said Verbrugge.
Another point he emphasized is that the digital ecosystem has significantly changed recently.
“Networks have become much more extensive and complex in nature, and consist of an intricate combination of office suites, cloud platforms, BYO, social networks and developer platforms,” said Verbrugge. “This complex set-up widens the attack surface and opens vulnerabilities, resulting in increased challenges to protect the network. But email remains the largest attack vector.”
With multiple banks moving into the next phase of digital transformation, digital resiliency has become more important than ever. Verbrugge stated that customers today are using more digital platforms, and their behavior shift increases day by day. Customers are increasingly online both night and day, and they expect 24/7 access to their bank website with optimal functionality and security.
In the financial sector, security is a value-add for consumers. For financial institutions, strong security has become a competitive advantage.
The financial sector faces unique challenges in building cyber resilience and staying ahead of cyber risks. Banks must combat cyber threats as they take place while maintaining faultless service to customers, all while adhering to regional regulations. For banks to be successful in the new age of strict requirements and mounting regulations to deal with complex digital threats, cyber resilience is not solely about limiting the potential damage of the attack itself – it is about maintaining a reputable brand image and a strong core product for the customer.
With over 90% of breaches containing a human factor, it’s clear that cybercriminals strategically focus phishing attacks upon employees. Therefore, employees can be considered the first line of defense in a cyber-attack.
“An alert and focused employee can prevent the many disastrous outcomes of a cyber attack,” said Verbrugge. “It’s particularly important for employees to take the time to actively report suspicious-looking emails to the security operations centre so potentially harmful links can be blocked in an instant, malicious websites can be taken down, and damage from a clicked link can be mitigated. Security awareness training and good cyber hygiene strategy plays a vital role in encouraging this behaviour.”
How do you implement a security awareness training program that works?
It takes time and money to achieve cyber resilience, but that investment pays off when considering how the costs of successful phishing attacks can impact the company. Brand phishing attacks can lead to short-term financial loss as well as long-term brand damage. A report by Deloitte stated that 1 USD spent on cyber resilience could potentially lead to the prevention of 5 USD on future damage of a cyber-attack.
To achieve cyber resilience among your employees, it is essential that security awareness stays within their peak attention span. Continuous learning will help people stay more engaged, and therefore more likely to recognize and report phishing attacks.
They must feel a sense of buy-in. This can be supported by personalized micro-trainings that engage employees with content imbued with positivity and which does not consider employees as a burden in cybersecurity risk. Optimal resiliency at a company-wide level is necessary to successfully maintain a strong brand image in the age of digitalization.
Explore case studies
- Ordermark Built To Last With Foundational Cybersec Awareness
- How Neles Boosted Threat Reporting, Response And Remediation
- Sparebanken Vest: From Cybersec Awareness Towards Engagement
- How agricultural technology leader, Kverneland Group sewed awareness training and reaped resilience
- How Swiss aviation company, Pilatus reached new cybersecurity heights with Hoxhunt as their co-pilot
- DocuSign and the psychology of behavior change for cybersecurity training with Hoxhunt
- Subscribe to All Things Human Risk to get a monthly round up of our latest content
- Request a demo for a customized walkthrough of Hoxhunt