Because many businesses in the financial sector handle other people's money, phishing naturally has the sector's attention.
What does the survey show?
The survey shows that phishing/malware, i.e. attacks that rely on social engineering, is considered the biggest cyber risk among businesses in the financial sector. Half of the respondents ranked it as the number one risk. Measured by average rating, the second biggest risk is technical vulnerabilities in applications and infrastructure, and the third is data leakage/data integrity.
Q: Rank these cybersecurity threats from 1 to 6, with 1 posing the greatest threat to your business and 6 the smallest.
It does not come as a surprise that financial businesses consider phishing the number one cybersecurity risk. Phishing has long been an effective channel for attackers, either as a means to introduce malware into an organisation's systems or as a direct route to fraud through transfers of funds, for example by obtaining unsuspecting consumers' bank-account details. The latter is somewhat specific to the financial sector and has been a focus area, especially for banks, for several decades.
The bigger picture
Towards behavioural change
Regular phishing tests of employees, followed by awareness training and repeated in a fixed cycle, are the traditional way to prepare employees for a real phishing attack. On their own they may not be sufficient. A more comprehensive approach is a program that addresses the different facets of the problem: reinforcing user behaviour, and using technology to assist users, for example with early warnings on suspicious mail. It is also important to identify key employees in the organisation, such as senior executives or administrative users, who may be specifically targeted in a spear-phishing campaign. These employees should receive additional training, both in avoiding exposure and in limiting the information they share publicly that could be used to craft such campaigns.
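As an added illustration of the "early warning" technology mentioned above (this is example code written for this page, not a tool from the survey or its authors), the following Python check inspects the headers of an inbound message and flags the patterns a spear-phishing campaign against key employees typically relies on: a display name that matches a senior executive while the address is external, a sender domain that is a lookalike or homoglyph of the organisation's own domain, and a Reply-To that diverts replies elsewhere. The organisation domain, the roster of key employees, the edit-distance threshold and the sample headers are all constructed assumptions; only the exact organisation domain is treated as internal.

```python
"""Added example, not from the survey report: an "early warning" check on
inbound mail that flags (a) a sender display name matching a key employee
while the address is external, (b) a sender domain that is a lookalike of
the organisation's own domain, and (c) a Reply-To that points elsewhere.
The organisation domain, the key-employee roster, the distance threshold
and the sample headers are all constructed assumptions for illustration."""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Assumed organisation data (constructed; not from the report).
ORG_DOMAIN = "examplebank.com"
KEY_PEOPLE = {"jane doe", "john smith"}   # senior executives / admins, lower-cased
LOOKALIKE_MAX_DISTANCE = 2                # illustrative threshold


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def ascii_fold(s: str) -> str:
    """Decompose accented letters to their base letter and drop anything that
    still is not ASCII (e.g. a Cyrillic 'a'), so a homoglyph domain ends up
    only one or two edits away from the genuine one."""
    return unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()


def inspect_message(raw: str) -> list:
    """Return a list of warning strings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    # Only the exact organisation domain counts as internal here (assumption).
    if domain != ORG_DOMAIN:
        if any(ord(c) > 127 for c in domain):
            warnings.append(f"non-ASCII characters in sender domain {domain!r}")
        if levenshtein(ascii_fold(domain), ORG_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
            warnings.append(f"sender domain {domain!r} resembles {ORG_DOMAIN}")
        if name.strip().lower() in KEY_PEOPLE:
            warnings.append(f"display name {name!r} matches a key employee but the address is external")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != domain:
        warnings.append("Reply-To domain differs from the From domain")
    return warnings


# Constructed sample headers (no real senders); bodies omitted.
SAMPLE_MESSAGES = {
    "exec_impersonation": (
        "From: Jane Doe <jane.doe@freemail.example>\n"
        "To: finance@examplebank.com\n"
        "Subject: Urgent transfer\n\n"),
    "lookalike_with_reply_to": (
        "From: Payments <payments@examp1ebank.com>\n"
        "Reply-To: payments@mailer.example\n"
        "To: finance@examplebank.com\n"
        "Subject: Updated bank details\n\n"),
    "homoglyph_domain": (
        "From: Payments <payments@exampleb\u0430nk.com>\n"   # U+0430 is Cyrillic 'a'
        "To: finance@examplebank.com\n"
        "Subject: Invoice\n\n"),
    "genuine_internal": (
        "From: John Smith <john.smith@examplebank.com>\n"
        "To: finance@examplebank.com\n"
        "Subject: Lunch\n\n"),
}


def scan_samples() -> dict:
    """Run the check over every sample; maps sample name to its warnings."""
    return {k: inspect_message(v) for k, v in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for sample, found in scan_samples().items():
        print(f"{sample}: {found or 'no warnings'}")
```

In practice such a check would sit in the mail gateway and add a visible banner to the message rather than block it, so that the warning reaches the targeted employee at the moment of reading; the roster of key employees is exactly the list of people the paragraph above says should be identified and given additional training.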