Alan Levine | October 13, 2017

Cybercrime: How RBS fought back

Royal Bank of Scotland brought down click rates on simulated phishing emails from 47% in August 2016 to 22% in October 2016

Cyber-crime is growing exponentially. At the end of last month, Gemalto’s Breach Level Index found that there had been 918 reported data breaches leading to the exposure of 1.9 billion data records worldwide. These statistics represent an increase of 164% from last year. This is a clarion call for better cyber defence, and why Cyber-Security Month (i.e. October) is so important. Raising awareness of cyber-crime and, perhaps even more importantly, demystifying it for those who don’t work in cyber-security or IT is important because it really is everyone’s problem.

No one is safe from the threat of cyber-attacks, but the financial services are one of the most vulnerable sectors, with banks arguably an especially lucrative target. We can clearly see this with the DDoS attack on Lloyd’s Bank where criminals stole more than $1bn from banks between 2013-2015.

recent survey of senior professionals working in retail banks, investment banks and asset management firms found that 44% of those surveyed saw evolving criminal methodologies, namely cyber-crime, as the largest crime-related financial risk to their businesses. The survey found that 87% of organisations feel their businesses aren’t able to enhance their technology fast enough to fight back against evolving cyber-crime. But, a lesson that we’re increasingly learning is that technology isn’t the only answer. No matter how much technology you have in place defending your organisation’s network, if a user clicks on a malicious link or opens a malicious file, the cyber-criminals have found their way in.

Our research has pulled up some concerning statistics about end-users in finance. Our State of the Phish Report found that, in insurance, there is a 20% click rate on consumer based simulated phishing emails and a 17% click rate on commercial based simulated phishing emails.

Furthermore, our Beyond the Phish Report analysed different industries’ general cyber-security knowledge and, on average, those working in finance answered 21% of questions incorrectly.

It’s  impossible to reduce click rates to 0% but in industries like the financial sector where huge sums of money and a plethora of people’s incredibly sensitive details are at stake, the fact that these percentages are in the double figures is simply not acceptable.

A really interesting recent example, which has been dealt with in a very forward thinking manner by the US Congress, is Equifax. Credit company Equifax exposed Personally Identifiable Information (PII) from 145.5 million customers due to what Congress termed a ‘lax attitude’ to protecting consumers’ data. It’s really interesting that while the ex-CEO of Equifax Richard Smith blamed both ‘human error’ and ‘technology errors’, Congressman Frank Pallone didn’t recommend that Equifax up its security technology bur rather claimed that, “… its entire corporate culture needs to change to one that values security and transparency”. Starting to see why cyber-security month is so important?

‘Lax attitudes’ are a huge part of the reason why cyber-criminals are so successful, and this can be challenged by cyber-security awareness and training from the ground up to the board. No one should be exempt. Employees should be a vital part of every security strategy because if technology fails, they’re the organisations’ last line of defence.

People as the Last Line of Defence

As a former CISO of a Fortune 500 company, I’m one of the many cyber-security professionals that learnt the hard way that you can’t rely on technology to protect your organisation against attack. Cyber defence technology is complex and expensive and is especially designed to thwart the next attack – but, the data doesn’t lie. Cyber defences aren’t perfect because hackers will always find the weakness and exploit it. And when this happens it will be up to the user to make the right choice: click on a link or don’t. It was a simple click that brought my previous company’s heavily fortified cyber-security defences to its knees.

We need to understand that all computer users are the fulcrum of the current and expanding cyber storm, and that there are steps we can take toward threat mitigation and damage containment. One of the most important pieces of advice that I can give is that we should crystallise our confidence that users will do the right thing if they know the right thing. It is a C-Level responsibility to focus on elevating user understanding of threats so that everyone appreciates their role in cyber defence.

End user focused: The Royal Bank of Scotland

As I said before, no one is perfect. But, there are certain steps that forward thinking organisations are taking that are positioning them as cyber-security leaders. The Royal Bank of Scotland (RBS) is one such organisation.

RBS saw that they were experiencing an increase in ‘drive by’ malware entering their system via email. So they implemented an ongoing and effective security awareness programme to improve the bank’s 80,000 email users’ cyber-security skills. RBS initiated the training project in February 2016 and the results were staggering, with employee click rates on simulated phishing emails plummeting from 47% in August 2016 to 22% in October 2016. Today, RBS are operating at a click rate of under 10% and are showing that banks can, and will, fight back.

Cyber awareness programmes are the key to unlocking user sensitivity. Educating users on what to do and what not to do should be a fundamental element of every enterprise cyber security programme. The alternative is clear: If we don’t raise awareness, if we don’t appreciate the key role users play in cyber defence, and if we fail to train our users as frontline soldiers in our cyber defence programmes, then those initiatives are bound to fail.

And when cyber defence programmes fail, our users fail us and we fail our users. Then, in time, each of us will sadly be among the next cyber security statistics.

Alan Levine is Security Advisor to Wombat Security