As cybersecurity threats continue to evolve, banks and financial institutions are constantly looking at ways to best tackle cybercrime. Every year, companies across all sectors experience cyberattacks. However, according to Dr Mary Aiken, a leading academic focused on the evolving interaction between information technology and human behaviour, the most damaging and continuously evolving security threat comes not from subversive outsiders, but trusted insiders: employees, business partners and contractors.
Insider threat is a notoriously difficult area to predict from a forensic profiling and risk management perspective, largely due to the complexity of motive and criminal intent. Understanding human motives when manifested in technology-mediated environments is of prime importance to tackling insider threat. Given that human behaviour can mutate or change in cyber contexts, it is essential for financial institutions to know their employees in a real-world context and to know who they are online.
Building and maintaining a strong and diverse risk culture
Everyone, from the board to the frontline, has an important role to play in mitigating insider threat. Apart from building and maintaining a strong security culture in which everyone takes security seriously, Cheri stresses that organisations also need to frame security “in the language of the business” so that it does not mistakenly get considered just a “technology issue”. Organisations cannot rely solely on technology or security professionals to keep data, assets and infrastructure safe. Instead, they must adopt a holistic approach that shows employees the benefits of behaving securely and the risks of failing to do so.
"Shared responsibility is a key theme in creating a strong culture in cybersecurity"
Diverse threats demand diverse solutions
In all organisations, it is important to attract talent from multidisciplinary areas. In cybersecurity specifically, diversity is essential, because of the wide variety of motivations and backgrounds among threat actors. Drawing on a diverse pool can bring a more well-rounded approach to critical thinking and problem solving. Employees with a natural aptitude in skills such as psychology, problem solving and communications can provide insight, perspectives and further advantages within cybersecurity teams.
On top of increasing diversity across cybersecurity teams, there is also room for greater collaboration between banks, financial institutions, agencies, regulatory authorities and academia to factor the human back into the cybersecurity equation. Currently, many institutions and agencies focus almost exclusively on analysing the technical and mechanical aspects of cybercrime and cybersecurity breaches – for example, dissecting malware and exploit tools, or analysing code and techniques – but few focus on social and psychological aspects of cybersecurity attacks, addressing the who and the why.
"More than 90 per cent of breaches can be attributed to successful phishing campaigns, therefore the ‘human endpoint’ arguably provides the highest security risk in any financial institution"
Ultimately, the key is encouraging personal responsibility for cybersecurity, from making it easier to report phishing emails to improving employee awareness in all aspects of their work and home lives. Organisations need to ensure that every employee is aware of the day-to-day risks, is clear on their role in keeping client data secure, and how their actions and choices can mitigate, or increase, those risks.
To read the full interview, please download our Bankable Insights newsletter below.