How To Protect Remote Financial Services Employees from Cyber Attacks

Security awareness training for financial services and bank employees must be a top priority. While financial services institutions have long been prime targets for cybercriminals, as most attacks are financially motivated, the shift to remote work business models and operations has heightened cyber security risk levels. Recent data reinforces why financial services CISOs and security leaders need to continue delivering cybersecurity awareness training and communications.

• Financial services experience up to 300 times more cyber attacks per year than other industries.
• Amid the COVID-19 surge, cyber attacks against the financial sector increased by 238% from February to April 2020.

The good news is we know how cybercriminals are targeting financial services and bank employees. Using sophisticated social engineering, phishing, and spear phishing attacks, cybercriminals are convincing their victims to share confidential information, disclose login credentials, install malware, and download malicious attachments.

Using timely and precise messages targeting the questions and uncertainties around COVID-19 and remote working, cybercriminals are tricking employees into downloading attachments, sharing information, and to be less suspicious of emails, they use social networking or instant messages, text messages, and phone calls.

The culmination of several changes to day-to-day life including, adjusting to working from home, home schooling children, lockdown constraints, and a constant barrage of COVID-19-related news has created the prime environment for cybercriminals. People are under pressure and stressed, making it difficult to remember the lessons learned from their cybersecurity awareness training.

As we know, all it takes is one click – and now, more than ever, it’s critical that financial services CISOs and security leaders remind employees of how and why cyber attacks succeed.

Cybersecurity Threats Faced by Financial Services in 2020

Just as financial services employees have adjusted how they work and communicate with colleagues and clients, cybercriminals have also shifted their cyber attack tactics. When it comes to phishing, social engineering, and spear phishing, cybercriminals are using more sophisticated and elaborate methods to trick their victims, and they are doing it more frequently.

In an interview with Information Security Media Group, Theo Zafirakos, Terranova Security CISO Security highlighted how cybercriminals are using the work from home environment and remote working technologies to launch cyber-attacks using new tactics.

“Obviously, everybody saw the pandemic-related phishing attacks that were targeting the employees. And, there was new attack surfaces introduced with the new technologies when it came to working from home. So, for example, risks related to video and conference calls, or the need to share files and file sharing services outside of the office.

Also, we saw employees using personal devices to conduct business activities and organizations had to deploy the remote working force, very quickly so they didn’t have time to train those employees before they left for home.”

Because of the type of information banking and financial services employees access and manage, employees must receive relevant and specific security awareness training.

7 Cybersecurity Awareness Best Practices for Financial Services CISOs and Security Leaders

 As a financial services and banking industry CISO or security leader, remember these seven cybersecurity awareness best practices:

1. Establish protocols for using cloud-based file sharing apps and tools. Make it easy for employees to access your approved apps and tools.
2. Know who your at-risk employees are and identify people who have not received security awareness training. Use phishing simulations to monitor and measure employee awareness of cyber threats.
3. Remind employees of the importance of strong and unique passwords, and how to never share them. Send regular reminders to employees about your password rules, examples of strong passwords, and instructions on how to update their passwords.
4. Define clear BYOD policies and hold online training sessions about mobile device security. Remind employees that due to the sensitive nature of their jobs, they cannot share their mobile devices and laptops with family members.
5. Give employees access to online training and resources on cyber secure remote working best practices.
6. Ensure all applications, internal software, network tools, and operating systems are up-to-date and secure. Use firewalls, control approved applications, install malware protection and anti-spam software, and control both physical and virtual access.
7. Use newsletters and short online training sessions to update employees on how cybercriminals are targeting banking and financial services employees. Highlight cyber attack tactics such as videoconference call requests, personal voice assistant snooping, and business email compromise attacks.

If you had a banking or financial services security awareness training program in place before the transition to remote working, it’s important you continue your training and communication program. The current shift of the work environment and changing threat landscape warrants a review and optimization of your awareness program.  Building a cyber secure culture wherever your employees are located and working requires consistent and ongoing communication about security awareness best practices.  

Share These Security Awareness Training For Financial Services Tips with Your Employees

How to Stay Cyber Secure When Working Remotely in Banking and Financial Services

The transition to working remotely has not been without its challenges. We thank you for continuing to do your best work amidst changing work routines and company procedures.

Unfortunately, the banking and financial services industries are top targets for cybercriminals, and this has only increased since the COVID-19 pandemic.

You and your colleagues are prime targets for phishing, spear phishing, social engineering, and business email compromise attacks because you have access to the top five types of data that cybercriminals want:

1. Credential data including passwords, usernames, and PIN numbers.
2. Client personal information including names, addresses, and email addresses.
3. Internal company and external client data including sales projections, product roadmaps, and quarterly/annual financial reports.
4. Financial medical data including insurance claims.
5. Client banking and financial data including account numbers, credit card information, and investment details.

Because of this we want to give you these nine reminders on how to stay cyber secure when working remotely:

1. Only work from home – do not connect to the company network, tools, apps, or email system from a public Wi-Fi connection. Remember there are no guarantees that a password-protected public Wi-Fi connection is secure. If you must connect via a secured public Wi-Fi network, always use the corporate VPN connection before accessing any systems or information.
2. Do not accept videoconference call requests from unknown callers. Cybercriminals are using Zoom, Skype, Microsoft Teams, and other videoconferencing technologies to trick people into believing they are having legitimate work-related video meetings, and then stealing confidential information.
3. Carefully read all emails. Pay attention to the spelling of the sender’s email address, name, and contact information. Look for the use of urgent language that encourages you to respond quickly. Cybercriminals use social engineering tactics to trick people into divulging confidential information. Never bypass established processes when performing business functions.
4. Make sure all software, apps, tools, and operating systems are up to date with the latest versions and patches. If you aren’t sure about this, contact the IT department.
5. If you receive a suspicious email, text message, phone call, or direct message – do not respond. Contact the IT department immediately.
6. Do not use the same password for your email, network access, mobile devices, tablet, and software logins. Talk to our IT team about a password storage tool that makes it easy to access your passwords should you forget one.
7. Even though you’re working from home, it’s still important to store all printed documents and files securely. Follow our policies on external and internal client security and data privacy.
8. Take advantage of our online financial services security awareness training programs. We know that you’re very busy but the more you understand about how cybercriminals operate, the easier it is for you to recognize a dangerous email, text message, or phone call.
9. Use the resources in the Working From Home Cyber Safely Kit and share this kit with your family members.