Whatever news the cheery Monday morning email passes on from the C-suite to the ground troops, everyone needs to make sure they absolutely, positive know who sent it. In fact, it’s paramount. All things being equal, the conscientious employee who opens and responds to that email right away can create a huge problem—especially if it came from someone in the pseudo-C-suite, oceans apart geographically and ethically.
If that sounds like an external threat—and on its face, it is—what the staffer does counts as an internal gaffe that only adds to the risks financial institutions face every day.
There are some very good reasons why the financial industry spends hundreds of millions of dollars every year on cybersecurity. A 2018 study by the International Monetary Fund shows that cyber threats cost financial institutions between 10 and 30 percent of their net income.
Most result from employee actions, according to a study last year by Wilson Towers Watson, a risk management firm that works with the financial industry.
So what avoidable errors do employees make? And how can financial institutions prevent them? Good questions.
"In financial services, even after significant investments in technology capabilities, we continue to see incidents of fraud that have led to significant monetary loss; harmful phishing attacks that have targeted CEOs and CFOs; and confidential information released due to human error,” says Ertem Osmanoglu, the Americas financial services cybersecurity and privacy leader at PwC.
Osmanoglu cites these five cybersecurity mistakes as the most common to the financial services industry:
1) Business emails compromised through targeted phishing attacks.
“These happen through fraudulent emails that entice employees to click on a link that triggers the installation of a malicious program—or respond to emails that appear to have come from a trusted source, such as a senior executive encouraging employees to respond to an urgent request,” he says. “For example, a senior executive may appear to ask employees in an email to transfer funds for an urgent deal into an authorized account.”
2) Browsing a legitimate website and unknowingly clicking on a rogue, malicious ad that installs malware on a company laptop or desktop.
3) Letting sensitive data roam outside the workplace.
This occurs when employees transfer data to their own devices, a mistake that compounds when they’re exposed to free WiFi hotspots. Or, when workers share USB sticks that pick up malware and then spread it from one infected computer to another.
4) Plugging unidentified or unscreened devices into any machine on the network.
5) Using the same password across personal and corporate accounts. A hack to your account then spreads to the bank’s systems, sometimes within minutes.
“Many of these attack scenarios can be prevented by training personnel and establishing a company culture where all levels of an organization understand their responsibility for cyber risk,” says Osmanoglu.
There are other mistakes to consider, experts say.
Social media and social engineering hacks.
Banking counterparties, exchanges and brokerages operate on a trust level, says Luca Lin, acting chief technology officer for the Domeyard hedge fund. “If you want to place a trade, just call them up and sometimes you hardly need to prove your identity,” he says.
How do thieves do it? It’s as simple as scooping up what employees leave out in the open on Facebook, LinkedIn and more. “We've put quite some attention to what our employees make known to the public through especially their LinkedIn profiles—which can give away valuable information for an attacker to compromise us via social engineering.”
Improper usage of encryption
“Many means of encryption require you to transmit a public key, password, etc. through a secure channel, or at least have that be verifiable through a trustable channel,” says Lin. Sometimes “service providers or counterparties require us to use their encryption passwords or third-party encryption services, or send us an encrypted zip file, then simply send us both the encrypted file and password in just two separate emails.”
Erroneous belief that their firm’s IT infrastructure make them impervious to cyber threats while at work or using work devices.
“Cybersecurity continues to be a top operational risk concern for all industries, including financial services,” says David Wallace, global financial services marketing manager at SAS, a banking and financial industry analytics firm.
“Perhaps this is why Willis Watson Towers reported that nearly half of surveyed employees indicated that it is safe to open any email on their work computer, and about 40 percent use a cellular device or work computer to access confidential information, even on unsecured public networks,” Wallace notes.
Bank employees too eager to please bosses and not aware enough of what to do in the wake of a breach create problems, says Bill Repasky, a member of legal firm Frost Brown Todd’s financial services litigation team and former in-house counsel for National City Bank.
He lists the following as examples:
Volunteering superior customer service that conflicts with the bank’s treasury management’s stated security procedures. A related issue, Repasky says, is failing to follow and identity verification and authentication procedures when customers communicate with bank employees for customer transactions.
Giving over-ambitious service to senior management, when email requests are received. This is sine qua non for most business email compromise attacks.
Unfamiliarity with the changing data breach duties.
As for the good news, PwC’s Osmanoglu says: The financial services industry is learning from employee mistakes.
“Leading financial sector organizations are budgeting more to address these challenges and common mistakes, according to key findings from PwC's Fall 2018 Digital Trust Insights survey,” he says. “Among respondents from the financial services sector, 48 percent said they plan to increase spending over the next year on security training and education among employees, and 54 percent said they plan to increase spending on malware detection and prevention measures."
Just one thing: If that “good news” comes to you by an email with some grammar mistakes and asks you to, say, check on the budget figures, don’t open it. Or click on any links.
That would be bad news.
Want more Banking Strategies? Sign up for our free newsletter!
Howard Altman covers the military and national security for the Tampa Bay Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and many other publications around the world.