In the battle against cybercrime, investing in people is just as important as investing in technology.
Cybercriminals are increasingly targeting individual bank employees to get access inside the organization, observers say. To protect their institutions, bank executives need to instill cybersecurity into their cultures.
"Unfortunately it's not just a case of having better technology, or just installing a smarter firewall and it all goes away," said Chris Thompson, a managing director in the finance and risk practice at Accenture, which recently issued a report on the topic. "People are often the weakest link, whether that is the bank's own employees or third-party vendors." Cybercriminals "are increasingly using social engineering to steal people's credentials."
Financial institutions are facing even more cyberattacks than usual, according to data from the security technology company ThreatMetrix. The firm said it detected more than 21 million cyberattacks against the financial industry in the fourth quarter of 2015, 40% more than a year earlier.
Much of this increased activity reflects the recent spate of high-profile data breaches, which have in turn led to even more cybercrime, said Alisdair Faulkner, ThreatMetrix's chief product officer.
"Just like where you have a huge firestorm and it keeps feeding itself, data breaches turn into more account breaches and it becomes a cycle," he said. "Unfortunately it is one that is accelerating. The downstream fraud attacks are increasing due to the data breaches."
Faulkner agreed there has been an increase in social engineering aimed at bank employees and in "criminal gangs that are infiltrating banking organizations."
For bank employees, that means understanding that anything put out that is publicly available, such as on social media, can be mined by cybercrooks for information that could help them attack the bank, Thompson said. For example, criminals could troll Facebook or Twitter looking for insights based on things people like or frequently discuss.
And it's not just new tactics like social engineering, but old fraud standbys that attackers use to get at bank employees.
"Email phishing scams have been around for a while, but recent surveys show some people will still click on the link" in the fraudulent email, Thompson said. "And these phishing emails continue to evolve and appear more like something legitimate."
To combat this, Thompson said banks must adopt a comprehensive and top-down approach to cybersecurity. Just going through "the annual security training" won't cut it anymore, he added. Cybersecurity needs to be an initiative spearheaded by the board and executives, not just delegated to the chief information security officer and forgotten about.
"It's amazing how many banks still think of this as just a compliance exercise," he added. "In a lot of cases it's still driven by the CISO and out of the tech organization, but banks need to think more broadly."
But for many banks, when it comes to fraud, each line of business conducts its own fraud monitoring, Faulkner said. Banks need to take a more holistic, enterprisewide approach.
Thompson agreed, saying the "fractured" way banks manage fraud needs to be reimagined.
"It's a difficult way to fight cyber risk," he said. "People who are trying to break in really don't care how they break in, they just want to get in."
The digitization of banking has upped the ante, said Frank Sorrentino, the chairman and chief executive of ConnectOne Bancorp in Englewood Cliffs, N.J. For all the benefits of technology, it has given cybercriminals more turf to canvass for a way into the organization. Sorrentino said he tries to lead by example for his organization.
"We need our people to understand that we have to consistently upgrade our game at every level, not just read the policies and check off a box," Sorrentino said. "Every time you open your email, every time there is a request — every interaction is an opportunity for you to be susceptible."
Besides getting buy-in from management on promoting good cybersecurity practices, banks are constantly looking for ways to make sure employees understand their role in protecting the organization.
"Given how dynamic cyberthreats are, continual training of the information security workforce is paramount," said Jason Witty, the CISO at Minneapolis-based U.S. Bank. The company supplements its annual training with monthly "phish testing" of all employees.
An information security chief at one of the largest U.S. banks, who did not wish to be identified due to the nature of the topic, also said employees there undergo training similar to that used by workers at federal agencies who deal with sensitive data. The bank's employees also are subjected to mock phishing scams to see how they respond.
"The human element will always be the weakest link in the chain; you can put in all the technology in the world, but there is still a human element," the executive said. "The bad guys are realizing by targeting particular groups or individuals, they can then more easily move laterally through the environment."
Sorrentino declined to describe specific exercises that the $4 billion-asset ConnectOne uses, but he said employees are regularly tested.
"There are certainly a lot of things we do to make sure everyone is on their toes," Sorrentino said.
Robert Barba contributed to this article.