Stopping social engineering: The importance of people, processes and fintech partnerships
The mass transition to remote working business operations has prompted many discussions around how this ‘new normal’ has impacted IT and security teams. Beyond the intrinsic risks of working from home, the perfect storm of health concerns, social unrest and natural disasters has made this time even more precarious. Sadly, one of the easier vectors to exploit is centered around human emotions, famously dubbed ‘social engineering.’ In a time when human emotions are generally running high, the likelihood of your employee falling victim to a social engineering attack has dramatically increased (Verizon’s 2020 Data Breach Investigations Report shared that 95% of breaches were financially motivated, and social engineering attacks like phishing and the use of stolen credentials were among the top five causes). This adds another layer of complexity to managing the already menacing cybersecurity landscape and organizations’ threat profiles.
For example, many consumers and business owners have been struggling since the recession hit, sometimes unsure when they’ll receive their next paycheck. Fraudsters are preying upon this uncertainty and fear, sending seemingly legitimate communications that threaten dire consequences if recipients don’t act quickly. Attackers have also taken advantage of recent global social events, like the Black Lives Matter movement, the pandemic and natural disasters. This has resulted in an uptick of hackers pretending to raise money for a cause, offering flood insurance, collecting money for the Red Cross, providing breaking vaccine information about Covid-19 from the WHO, etc. The large-scale Twitter attack on high-profile accounts like Bill Gates, Elon Musk, Joe Biden, etc., encouraging followers to send Bitcoin to an address in return for double the amount, is another recent example.
Now more than ever, institutions should evaluate, assess and strengthen their security posture. Security is a triad of technology, processes, and people, with people being the most important component and often the weakest link. A cybersecurity program is only as good as the level of security awareness its people have, both of their responsibilities for keeping information assets safe and of adversaries’ tactics. That’s why security awareness/training shouldn’t be a one-time occurrence, but rather embedded within an organization’s culture and made everyone’s responsibility. Financial institutions should consider regularly sharing examples of recent attacks or new trends that apply to the organization’s threat profile, helping employees quickly identify malicious communications and potential fraud.
The variety and sophistication of traps out there today emphasize why institutions should only partner with fintechs that have proven, top-tier security practices and expertise. Especially as more interactions happen digitally, institutions must be more careful than ever about the fintechs they trust with their customers’ sensitive information. Fintechs that are built bank-tough understand what it means to have security pervasive throughout their operations and culture.
When evaluating potential fintechs to partner with, financial institutions should not only look at the effectiveness of technical controls but also assess the people and procedures set up to support them. Control frameworks (the ISO 27000 series) and audit reports (AICPA SOC 2) can serve as starting points to better understand what is under the security hood of a partner. Details of how the partner’s security program is run, the services offered, the integration points, and the security control boundaries must all be clearly articulated before moving forward.
Today’s landscape makes security awareness/training and bank-tough partnerships more important than ever. It’s up to institutions and their partners to ensure consumers’ information is safe, which means having the right technology, people and processes in place. Being human – showing empathy, having compassion and trying to help – shouldn’t be ammunition for hackers. Instead, it should augment the first line of defense in protecting sensitive information assets.