The world has undergone a huge change over the last year, with much of the workforce shifting to working from home. Homeworking exploded from 5.7% of workers in January 2020 to 43.1% in April 2020, and this brought with it some unique challenges for many technology roles, but in particular for cyber security professionals.
However, home working is not the only challenge that has affected security in the financial sector over the last year as phishing scams have increased dramatically too.
We spoke to three experts in the field of risk about how the pandemic affected their roles, the changing security concerns they have seen, and what they think the future of cyber security in the financial sector will look like.
Liz Banbury began working in the financial sector in 1998. Her career has developed from software configuration, release management and technology project management to security, risk and compliance, and she is now Global Head of Information and Cyber Security Policy and Risk at Standard Chartered Bank.
As workplaces become more hybrid in the aftermath of Covid-19, security systems for those working from home are forefront of many institution’s plans. Whilst many organisations already had processes in place for home workers, the increase in scale has led to a focus on staff training.
“There are people around you at home, people coming in and out. Not everyone is lucky enough to have an office in their house or wherever they happen to be right now. And papers and information might inadvertently get spoken about or left lying about when there’s other people there, which you wouldn’t have to take so much notice of in the office.”
For Liz, the main risks that she believes the financial sector will face in the future are ransomware and phishing. These risks aren’t just localised to the financial sector though – over the last year, attacks of these kind have increased everywhere.
“Data leakage is still one of the top areas that we protect against, because information is so valuable. It’s been a few years now since the attackers, whichever form they take, found out that phishing was by far the easiest way to get that information through credential compromise. And it still is, everybody can see a visible uptick. It’s not the odd occasion in the in the press anymore. Cyber fraud is one of the key problems right now.”
The importance of staff training is also key for mitigating one of the other serious risks for the financial sector – the fact that security breaches do not just come from external attackers, but also from trusted insiders. Be that error or maliciousness, disclosure of sensitive information can come from employees and it is important to have the training and systems in place to reduce this risk.
“It doesn’t have to be from external attackers, it could be by that trusted insider, too. These are all categories of risk that many companies will weigh up when they’re looking at their frameworks.”
Tim Brooks, Head of Security and Resilience at EMEA Sumitomo Mitsui Banking Corporation, began his career in the British Army, where he built his experience in managing risk. After 10 years in the military, he moved into cyber security. His current role encompasses operational resilience, cyber security and insider threats.
For Tim, the biggest uptick in security concerns has been phishing attacks, and this is something that needs to be managed appropriately throughout the sector for companies that intend to continue with a form of hybrid working. The reason behind the uptick may be the disconnect from the office environment.
“Because everybody is now remote, people’s behaviour is a bit different when they’re at home or maybe a bit more risky in terms of what they’re what they’re willing to do just as a mindset. Because you’re in a safe home environment, you’re not being not being monitored, maybe because you’re on your own machine.”
This has led to more people falling for phishing scams. Not only this, but as processes such as document signing have become more commonplace online, the hooks to encourage people to follow links have evolved.
In terms of the future, more possibilities for working from home means more talent in the security profession – and across a variety of roles in general. Although face-to-face time in the office will still be valuable for many, an increased capacity for home working will mean more are happier to travel further distances when they do need to visit the office.
“Certainly for some roles, there’ll be the scope to really throw the net wider. You don’t really need people to actually meet, and you can really cherry pick where you get your expertise from.”
Looking further into the future, teams will look even more different thanks to artificial intelligence and more developments in technology.
“AI is going to become a huge, huge enabler as well. You can get really good efficiency and a high quality team with really great bright people.”
Paul Kelly, Global Cyber Security Professional first worked in cyber during his time in command and battle space management in the Ministry of Defence. After 23 years in the military, he moved into the financial sector, working firstly in operational risk before leading cyber security risk.
The number of attacks on the financial sector is so high because of the potential opportunities for cyber criminals. With both the financial institutions and customers being targeted, managing these risks is a huge task. Working from home has increased these risks, with criminals devising new ways to target employees who are not in the office. These risks need to be managed carefully.
“In my view everyone needs to be part of the security team. The human is always the weakest link, which means we need to educate everyone, as well as designing systems that make it easy for humans to do the right thing, essentially protecting against human error.”
For Paul, being able to successfully mitigate the risks comes down to fully understanding behaviours and how people will act in certain circumstances – for example, employees are less likely to question a suspicious email claiming to be from senior management when they are not in the office.
In the future, cyber security in the financial sector will be more successful if business leaders and the cyber security team can work together in tandem.
“Cybersecurity is it’s not going to go away. One of the classic things I’ve heard is, look, I’ve spent this many millions on it, when’s it going to be done? Well, it’s never going to be done because bad guys are always thinking up new things. One of the sort of things that I’m trying to get people to think about is to stop treating this purely as a risk, and start treating it as a fact of life of doing business in the 21st century, and like everything else digital that we want to be good at, surely we want to be good at cyber? We should be thinking about it in terms of it contributing to our commercial edge.”
Another challenge for cyber security teams in the financial sector are companies that have grown by acquiring lots of different companies, so the technology is a mixture of old and new. Because of this, it is important for security teams to be able to recognise and articulate the threats that are likely.
“I’ve started to become a great believer that all our problems are human problems. Even software problems are human problems, because ultimately it’s a human that has designed the software and written the code.”