Human error by way of a relaxed online attitude is a significant factor driving the global cybercrime threat and needs to be addressed urgently alongside technology failings, says the Chartered Institute for Securities & Investment (CISI).
According to statistics from The Risk Management Group, 160 million phishing emails were sent globally daily in 2015 – 10% of these (or 16 million) penetrated conventional spam filters. However, of these 16 million, half (8 million) were read, and a surprising 10% of people who read the emails (800,000 people) then clicked on links, potentially allowing malware and viruses into their computer network. Frighteningly, 10% of these people (80,000) then provided personal data.
The CISI, the 40,000-strong professional body for securities, investment, wealth and financial planning professionals, is particularly aware of the dangers of phishing, having fallen victim last year.
“Our own experience of this came via a very realistic phishing email. No key personal information was stolen but it was a wake-up call and emphasised to us that no matter how many levels of software or hardware protection you have in your system, protecting yourself against human errors is much harder as cybercrime does not respect rank,” said Simon Culhane, Chartered FCSI and CISI Chief Executive.
“No matter how up-to-date and tight your firewall online security systems are, if your staff are not trained and fully aware of the type of online scams and email phishing threats which exist, they could ultimately be your weakest link in the fight against cybercrime”, said Mr Culhane.
The not-for-profit CISI looks upon this breach as a learning exercise and has strengthened vulnerability assessments, targeted attack simulations and, most importantly, regular training sessions for all staff on cyber security. It has also developed two new Level 3 qualifications, Managing Cyber Security and Combating Financial Crime, with the aim of promoting understanding of the risks from cybercrime amongst staff within the financial services industry globally, and also within SMEs across sectors.
“We’ve developed these two new qualifications, to help our member firms and others, to address the need for staff awareness,” said Mr Culhane.
However, Managing Cyber Security is particularly relevant to businesses of all shapes and sizes, especially SMEs globally. SMEs are particularly vulnerable to cybercrime: the Federation of Small Businesses 2016 report showed that 66% of small firms had been a victim of cybercrime in the past two years, costing each business almost £3,000 in total.
“The CISI’s introduction of the two new examinations in this field is a welcome initiative to help firms large and small increase awareness amongst staff of these daily threats,” said Professor Barry Rider, Jesus College Cambridge, Founding Director and Co-Chairman of the Cambridge International Symposium on Economic Crime.
CISI is supporting the 2016 Cambridge International Symposium on Economic Crime in the UK, now in its 34th year, by holding a special stream at the Symposium on Friday 9 September 2016. The stream will focus on where individual responsibility lies in handling financial crime, both traditional and cyber, with a focus on the new accountability regime.
“We, like many UK businesses, have a global operation, so ensuring every individual across our international operation has been trained to know what to look out for, is critical. Simply delegating the responsibility to IT, compliance or risk departments is not good enough as the human factor plays a key role in risky online behaviour.
“A lack of understanding of, or a blasé attitude to, cyber threats on the part of staff is a dangerous complacency which could result in relaxed online behaviour. All employees should be vigilant at all times.
“Organisations can fight and prevent such incidents by building awareness internally and educating staff,” said Mr Culhane.
This is a theme echoed by Andrew Gracie, Executive Director, Bank of England: “Cyber is not just about technology. People matter. More often than not attackers may seek to exploit potential weakness in personnel, to establish a bridgehead for attacks. It is therefore essential that firms have the right arrangements in place so that all staff understand cyber risk and their responsibilities for information assurance.”
The financial sector suffers the most attacks, with 300% more than any other industry, according to a 2015 white paper by cyber security firm Websense (now known as Forcepoint after a recent merger with Raytheon and Stonesoft).
The UK government’s 2016 Cyber Security Breaches Survey found that seven out of ten attacks on all firms involved viruses, spyware or malware. It also noted that while one in four large firms experienced a breach at least once a month, only half of all firms have taken any recommended actions to identify and address vulnerabilities.
On the back of this research, the UK government also announced the launch of a new National Cyber Security Centre in autumn 2016, offering a ‘one-stop-shop’ for cyber security support.
Victoria Robinson of Slater Investments, who recently sat the CISI Managing Cyber Security qualification, said: “I chose the CISI Managing Cyber Security qualification as cyber security is an increasing issue which affects all industries and is detrimental to financial services. It has helped me review and implement new policies to help protect our business. It has supported me in creating training for all staff so that they are aware of the threats and what they can do to help prevent cyber-attacks and breaches.”