The fight against cyber fraud requires a multi-pronged, all-encompassing approach. Guarding against the threats posed by advanced hacking technologies and the criminals that operate these technologies will never succeed without taking into account every strand and thread of a very complex fraud landscape.
Our 2019 SWIFT Cyber Security Survey highlighted a common thread in the fight against fraud: the importance of the human aspect of cyber fraud risk.
As much as the electronic fraud threat is often driven by high-tech tools, and while automated tools can deliver a degree of protection, fraud has a distinctly human element. FIs that ignore this human element do so at their peril: attacks are driven by humans and often depend on human weakness to succeed. Furthermore, humans are often at fault when it comes to prevention, detection and mitigation.
In this article we outline the key human elements of the cybersecurity risk, backed by our 2019 survey results.
A lack of (human) anti-fraud leadership
Any effective corporate endeavour must be driven by strong leadership – it will never succeed otherwise. This is also true in the war against cybercrime.
The EastNets survey highlighted how one in five banks still do not have even the most basic prevention policies in place. In fact, EastNets has completed independent research which has shown that most attacks still rely on basic lapses in security.
Yes, it may be a technology partner or vendor that’s the cause of the security lapse, but too often it is a simple matter of policies – strong passwords, revoking credentials when employees leave and straightforward physical security.
For example, our survey found that 19% of banks admitted that they do not have adequate measures in place to restrict access to SWIFT systems. These measures will not fall in place autonomously: putting policies in place requires leadership. For the time being at least, this leadership is human in nature and security leaders must be aware of the risks posed by ineffective leadership.
Human co-operation is an essential element of successful risk reduction
One of the biggest challenges FIs face is the sheer complexity of the financial services sector. This is compounded exponentially by the technology that powers banks and other financial institutions.
Cutting through this complexity requires teamwork – one team member alerting another where there is even the slightest cause for concern, and cross-functional collaboration to mount a comprehensive anti-fraud effort.
Yet our survey highlights that only 20% of banks that responded thought that team members collaborated “very strongly” across functions in the fight against SWIFT cyber fraud. In fact, across the survey group, banks stated that what they find most difficult about combatting fraud is the sheer effort it takes to get different departments to collaborate.
As much as technology can prevent some cases of cyber fraud, the complex financial services sector requires strong human collaboration for effective fraud prevention.
Educating employees and customers is crucial
We also found that banks say that they struggle to educate customers on essential anti-fraud measures. For example, one common attack vector involves convincing an employee or indeed a customer that a fraudulent email chain is genuine, with attackers eventually issuing instructions that result in fraud.
Only persistent, ongoing education efforts will ensure that attack vectors that depend on human behaviour lose their punch. No matter how strong the technological measures, or how tight the policies, human fallibility is an unpredictable aspect of cybersecurity. Understanding where human actors are weak spots, together with education, is a key cog in the cybersecurity arsenal.
The insider threat is human
FIs have no choice but to place a degree of trust in their employees – companies can’t do business otherwise. Unfortunately, often the employees FIs trust to get their operations to tick over can turn on their employers.
EastNets found that around one in seven banks reported that SWIFT fraud attempts involved the help of an insider.
Insiders are, of course, in prime position to cause trouble. Employees know a bank’s systems inside out and may very well have the power to circumvent even the tightest of anti-fraud policies. Yet, as we suggested earlier, a lack of policies can make it easy for insiders.
Combatting the insider threat will fail if FIs depend solely on technological solutions. Teamwork, cross-functional collaboration and mitigating the risks one single individual can pose are all essential elements. Given how common insider involvement is, FIs must be vigilant against the threat posed by the humans their operations depend so strongly upon.
Analysing human behaviour is a powerful tool
We suggested earlier that technology on its own cannot act as a comprehensive anti-fraud measure because the human aspect of fraud is simply too central to fighting cybercrime. However, analysing human behaviour using today’s cutting-edge tech can be highly instructive. Advanced anti-fraud platforms that use AI and machine learning can differentiate between expected behaviour and abnormal behaviour by employees and clients.
Indeed, in our study, we found that leaders in the fight against SWIFT cyber fraud were more likely to deploy user behaviour analytics to combat cyber fraud.
So, while the unpredictable nature of human behaviour makes combatting fraud more difficult, certain anti-fraud measures can take advantage of the nature of human behaviour in order to flag suspicious activity.
Winning the ongoing battle against cybercriminals
There is no single approach that will comprehensively safeguard a financial institution against electronic fraud – no way to lock the door, so to speak.
Our 2019 survey, How Banks are combating the Rise in SWIFT Cyber Fraud, highlighted many of the most important tools and approaches available to banks in the battle against SWIFT fraud. Many of these lessons are, however, also applicable to the broader fight against cybercrime, faced by financial institutions around the globe.
Electronic fraud may be a tough challenge for financial institutions, but concerted efforts building on lessons learned can provide a strong defence.
At EastNets we continue to help countless institutions win the battle against cybercrime: get in touch with us if your organisation is struggling in the battle with cyber fraud.
Mohammad AlKayed - Senior Information Security Engineer | EastNets®
In his function as the Senior Information Security Engineer, and head of the EastNets Security department, Mohammad is responsible for developing EastNets security strategy, operations and services. He has the responsibility of complete oversight of EastNets information security function including EastNets assets globally. As the head of the security team Mohammad is actively involved in the design and deployment of EastNets security solutions to meet EastNets vision and quality standards and address EastNets customer needs. Mohammad has rich practical experience in security intelligence and operations, risk management, digital forensics, and incident response, as a result of leading major regional projects with telecommunication companies, governmental agencies, and financial institutions in the specialized area of cyber-security and information security.