We sat down for a fireside chat with Cheri McGuire, Group Chief Information Security Officer at Standard Chartered Bank, and cyber-psychologist Dr. Mary Aiken, a leading academic focused on the evolving interaction between information technology and human behaviour.
McGuire previously held senior roles at Symantec, Microsoft and the US Department of Homeland Security; Dr. Aiken is an adjunct associate professor at University College Dublin’s Geary Institute for Public Policy and an academic advisor to the European Cyber Crime Centre at Europol.
What are the most significant ways in which cybersecurity threats to banks and FIs are evolving?
Dr. Mary Aiken: Companies across all sectors experience cyberattacks every year. However, the most damaging and continuously evolving security threat comes not from subversive outsiders, but trusted insiders: employees, business partners and contractors.
Insider threat is a notoriously difficult area to predict from a forensic profiling and risk management perspective, largely due to the complexity of motive and the variable presentation of criminal intent. Insider threat can be considered as an overall typology comprising two sub-profiles: negligent or inadvertent insiders; and intentional insiders, for example, malicious, colluding and/or disgruntled insiders.
Understanding human motive manifested in technology-mediated environments is of prime importance in terms of tackling insider threat. Investment in 'cyber psychometric' testing methodologies is critical for the financial services sector. Given that human behaviour can mutate or change in cyber contexts, it is essential for institutions to know their employees in a real world context and to know who they are online.
In what areas should banks and FIs be looking to improve their cybersecurity strategies?
Aiken: Banks and FIs need to develop ‘cyber situational awareness’, that is, become more cognisant of the ever-evolving ecosystem of cyberspace, and the impact of that environment on human behaviour. As noted in my recent paper on this subject, NATO has officially recognised cyberspace as a domain of warfare. The premise is that modern battles will be waged not only on land, sea and air, but also on computer networks.
This paradigm shift has implications for industry and for the financial services sector, particularly concerning domains such as Darknet markets on the deep web that have been specifically designed to facilitate criminality, driving the digital underground economy, providing a wide range of criminal commercial services and tools, enabling a broad base of entry-level cybercriminals and avoiding surface net traceability. At Europol, we describe this phenomenon as CaaS: 'crime as a service'.
What are the key ways to build and maintain a strong risk culture in a large, complex financial institution?
Cheri McGuire: Everyone from the board to the frontline has an important role to play. An organisation’s risk culture is a mixture of formal and informal processes such as policy frameworks and governance models, and a blend of behaviours and habits such as how we conduct ourselves, apply integrity to our daily work and behave securely.
As part of my responsibilities for a healthy risk management culture, one of my key priorities is to strengthen the bank’s security culture, by putting regulatory and compliance standards – and a culture of secure conduct – clearly in the forefront. Examples of processes that help to build and maintain a strong risk culture include: well-defined and communicated processes to escalate concerns, conduct issues or incidents; consistent and visible role-modelling of desired behaviours by senior management; and rewarding secure behaviour that encourages people to ‘do the right thing’.
Ultimately, we need to ensure that every employee is aware of the day-to-day risks, is clear on their role in keeping client data secure, and understands how their actions and choices can mitigate, or increase, those risks. This would help mitigate the insider threat from ‘inadvertent insiders’ that Mary has mentioned.
How should banks and FIs address the need to raise cybersecurity risk awareness across staff in different roles?
McGuire: While it’s crucial to create a culture where everyone takes security seriously – using sustained security training and awareness – organisations also need to frame security “in the language of the business” so that it doesn’t mistakenly get considered just a “technology issue”.
Standard Chartered approaches cybersecurity as a principal business risk, which means focusing on the needs of the entire business and ensuring security training supports overall objectives. We need to make it real for staff; for example, by curating a retail banking training session that addresses branch-level issues such as handling confidential documents or helping corporate banking employees to encrypt emails. In parallel, we drive the “tone from the top” via board-level training and executive engagement.
There is a risk of adopting a “tick box” approach, setting training programmes to meet compliance requirements. Just as we don’t get fit by going to the gym once a month, firms must deliver training and awareness in engaging ways to get people really thinking about risks. The ever-changing threat landscape and the vastly differing roles of employees need to be regularly assessed to ensure all threats are reflected in training programmes.
Finally, firms need to focus on actual risk versus adopting a blanket approach. Metrics can identify areas that require improvement and highlight high-risk employees and roles that need additional guidance through clinics, online mini modules or hot topic videos. Phishing simulations, employee surveys and physical checks of the work environment can all measure the effectiveness of security awareness programmes and help tailor future initiatives.
This month we celebrate International Women’s Day. You are in the very male-dominated field of tech and security. What are the most effective ways of achieving greater diversity in your field?
McGuire: It is important to attract talent from multidisciplinary areas, in addition to those with deep technical expertise, because cybersecurity is a business-wide problem. Drawing on a diverse pool can bring a more well-rounded approach to critical thinking and problem solving. Staff with a natural aptitude in skills such as psychology, problem solving and communications can provide insight, perspectives and further advantage within cybersecurity teams, especially in roles such as policy, governance and awareness.
In terms of gender diversity, the numbers need improving. The 2017 Global Information Security Workforce Study (GISWS) Women in Cybersecurity report suggests women comprise only 11% of the cybersecurity workforce and earn less than men. Only 30% of STEM professionals are women. Women are asked four times more often in interviews to prove their accomplishments than men (meaning they frequently don’t get the role they deserve). According to McKinsey, equal female participation in the economy could add as much as 26% to annual global GDP in 2025. Companies with 30% female executives are up to 6% more profitable; boards with a higher percentage of females outperform by up to 36%.
In all firms, staff diversity leads to diversity of ideas and avoids the risk of creating an echo chamber. In cybersecurity specifically, there is an additional need for diversity, presented by the wide variety of motivations and backgrounds among threat actors.
What are the most effective ways of achieving greater diversity?
McGuire: Change is rarely easy. Delivering diversity requires people to have uncomfortable conversations about topics they may know little about. It starts with education. Organisations must provide the opportunity to talk openly about diversity and inclusion, and platforms for change. Leaders need to be held accountable and measured on the diversity of their teams. You can take small steps, such as ensuring you have one woman on every interview panel, one woman in every final candidate pool, and changing unconscious bias language. Mentoring programmes can help, but we also have to be conscious of the language we use around “targets”, which can reinforce behaviours and beliefs that are anathema to a gender-inclusive environment.
What are examples of good practice in keeping staff aware of evolving cybersecurity threats?
McGuire: We can no longer rely solely on technology or security professionals to keep data, assets and infrastructure safe. Instead, we must adopt a ‘what’s-in-it-for-me’ (WIIFM) approach that shows employees the benefits of behaving securely (tell their stories, assign them digital points, set up leaderboards) and the risks of failing to do so (e.g. performance reviews, incidents and events, disciplinary action). The key is encouraging personal responsibility for cybersecurity, from making it easier to report phishing emails to improving employee awareness in their home lives.
We should also move beyond “Do’s and Don’ts” to “why”, explaining the lifecycle of a data incident and how it can cause reputational, financial or operational damage. Through targeted training – for example using case studies from new security events, stress tests and attack types – we can stimulate staff to become security agents, rather than just feeling obliged to follow procedure. Further, appointing cybersecurity champions in business units can spread awareness, helping cybersecurity to be viewed as a team sport.
How can banks and FIs better collaborate with each other and with regulators and security agencies to tackle cybersecurity threats?
Aiken: Many institutions and agencies focus almost exclusively on analysing technical and mechanical aspects of cybercrime and cybersecurity breaches; for example, dissecting malware and exploit tools, or analysing code and techniques. Few focus on social and psychological aspects of cybersecurity attacks, addressing the “who” and the “why”.
As a cyber behavioural scientist, I would like to see greater collaboration between banks, FIs, agencies, regulatory authorities and academia to factor the human back into the cybersecurity equation. This would help us to understand cognitive, physical, behavioural, physiological, social, developmental, affective and motivational aspects of the behaviour, with a view to mitigating risk and/or staging intervention.
How should banks and FIs deploy new technologies to improve efficiency and effectiveness of their cybersecurity defences?
Aiken: More than 90% of breaches can be attributed to successful phishing campaigns; therefore, the ‘human endpoint’ arguably presents the highest security risk in any financial institution. Training programmes that highlight the range of cybercrime threats and how to respond to them can be used to increase employee knowledge and improve response protocols. To date, training tools such as PhishMe (now rebranded as Cofense) have had some success in terms of psychologically conditioning employees to recognise and report phishing attacks. Future evolutions of these types of technologies will no doubt involve building artificial intelligence capabilities into platforms to make it even easier to recognise and defend against social engineering attacks at scale.
This article was also published in Bankable Insights Issue 10