Just a few weeks ago, Tesco Bank became the latest financial services firm to suffer a cyber-attack, with £2.5 million stolen from 9,000 customer accounts. However, this problem isn’t limited to Tesco; a Freedom of Information (FoI) request has revealed that all of the UK’s major banks and lenders have suffered a data breach since 2013. Whilst the original source of these threats is usually external, it’s insider carelessness and end-user security fatigue that black hats often take advantage of to compromise banking systems.
The U.S. National Institute of Standards and Technology (NIST) recently branded security fatigue a major threat. That risk is felt especially heavily in the financial services industry, where the rise of digital banking has connected our cash to the web, giving cybercriminals a direct route into the bank vault from the comfort of their armchair if they can breach its cyber-defences. Security fatigue is making that task increasingly easy; people often opt for easily guessable passwords, or are tricked by phishing scams that install keyloggers to capture security information from their devices.
Paying the price for their mistakes: users take the blame for breaches
Unfortunately, attempts to control users’ behaviour and stop them from making these mistakes are backfiring, leading them to make even riskier decisions. Better education and awareness-raising certainly have a role to play in solving this issue, but ultimately we must accept that humans will always make mistakes. We should stop trying to make people paranoid and expecting them to act like machines. Instead, we can put in place measures that will protect our digital banking systems and financial data, no matter who is sitting in front of the screen and what mistakes they make.
Cyber-fatigue is often a result of the fact that users are increasingly bombarded with alerts and forced to remember countless passwords for online accounts; it’s exhausting having to be constantly on guard against a never-ending barrage of threats. This resignation and loss of control can lead many to behave impulsively, ignore best-practice advice and choose the easiest option available to them, which is usually not the most secure.
In the workplace, this becomes a major challenge, especially considering the range and volume of threats facing financial services organisations, which are a highly lucrative target for cybercriminals. Bank staff should be the first line of defence, but too often they are the weakest link. It takes just one click of a mouse by one employee to accidentally open a malware-laden attachment or follow a malicious link, and there are plenty of opportunities to do so these days. This is a significant problem - Verizon’s DBIR 2016 revealed that nearly a third (30%) of phishing emails get opened and 12% of users go on to click on the attachment or link.
Stop shaming end users; provide security that gets them back to work
There’s a risk that the constant scaremongering around employees’ mistakes leading to security breaches could cause paranoia that impacts their productivity. Ultimately, if people are too scared to do their jobs for fear of what they might unwittingly unleash, the business will suffer.
We need to understand that users will always make mistakes, and that attacks have in any case become increasingly difficult to spot. Targeted spear-phishing campaigns would trick all but the most eagle-eyed employee, as we’ve seen from cases of CFO and CEO ‘whaling’ fraud. You can’t stop your marketing team from using Twitter, or ban the finance department from opening audit reports sent via email. That’s a sure-fire way to harm productivity, add to your users’ security fatigue, and introduce the unwanted risk of shadow IT.
CISOs in financial services firms therefore need to look at where the latest technologies can complement the people and process improvements they are making. For example, huge leaps have been made in the use of micro-virtualisation in security, which can help to reduce the bank’s attack surface. By running every workload in its own isolated environment, users are free to make mistakes and behave insecurely without fear of the consequences.
Why so cavalier? Because every time a malicious piece of code is encountered, it is fully contained on the micro-VM – unable to spread or cause any damage. When the app is closed, the VM disappears, terminating the malware. No remediation is needed, there’s zero dwell time, and emergency patching becomes a thing of the past – freeing up stretched IT teams to concentrate on more important strategic tasks, like delivering the next online banking revolution.
Allowing end users the freedom to click without fear of the consequences fosters speed, innovation and learning. This in turn is likely to reduce security fatigue, creating a win-win for everyone from the CEO to the bank tellers behind the counters in its branches.