Go to search feature Go to content

Continue strengthening Security Culture, Awareness and Competence

Welcome back to my Tech Blog! Today, I'll explain the importance of bank security in simple, easy-to-understand terms.

In our ever-evolving digital landscape, the importance of security cannot be overstated. As we navigate through the complexities of modern technology, it's crucial to continue cultivate a robust security framework that not only safeguards our organisation's assets but also instils a culture of vigilance and preparedness among our team members.

Purpose

At SEB, we recognise the need to continually simplify and reinforce the significance of security to our colleagues in the business realm. By drawing parallels with the aviation industry, tangible examples from everyday scenarios, and insights into the mindset of cybercriminal actors, we aim to underscore the urgency and importance of prioritising security measures across all facets of our operations.

These efforts serve to empower our workforce with the knowledge, awareness, and skills necessary to mitigate risks effectively, protect customer data and assets, and uphold the integrity of our organisation. Through enhanced security culture, awareness, and competence, we can collectively fortify our defences, navigate the digital landscape with confidence, and ensure the long-term success and resilience of SEB.

Culture, Awareness and Competence

Drawing parallels with pilots, we can highlight the importance of cultivating a strong security culture, awareness, and competence within SEB.

Culture:

Just as pilots have a culture centred around flying planes safely and responsibly, organisations should foster a security culture where employees prioritise security in their daily activities.

This culture emphasises the collective responsibility of all employees to safeguard sensitive information, detect security threats, and adhere to best practices.

Awareness:

Like how pilots are aware of the capabilities and limitations of aircraft, employees should have awareness of the potential security risks and threats facing the organisation.

Through security awareness training and education programmes, employees gain knowledge about common cyber threats, phishing scams, and social engineering tactics, empowering them to identify and mitigate risks effectively.

Competence:

Just as pilots undergo rigorous training and certification to acquire the necessary skills and competence to fly planes, employees need to develop their cybersecurity skills and competence.

This includes proficiency in using security tools, understanding security policies and procedures, and knowing how to respond to security incidents promptly and effectively.

By drawing parallels with the aviation industry, organisations can underscore the importance of building a strong security culture, promoting awareness, and fostering competence among employees to mitigate cybersecurity risks effectively and ensure the overall security and resilience of the organisation.

Examples highlighting the importance of protecting customer data and assets

Here are some tangible examples framed in everyday scenarios that can help business colleagues understand the urgency of security to protect customer data and assets at SEB.

  • Identity Theft: Imagine a customer's identity being stolen. Their personal information, including social security numbers and financial details, could be used to apply for loans or make unauthorised purchases. This not only harms the customer but also damages the bank's reputation and trustworthiness.
  • Fraudulent Transactions: Picture a scenario where a cybercriminal gains access to a customer's account and initiates fraudulent transactions, draining their savings or making unauthorised transfers. This can lead to financial losses for both the customer and the bank.
  • Data Breaches: Consider the consequences of a data breach where sensitive customer information, such as account numbers and passwords, is exposed to hackers. This can result in significant financial and legal ramifications for the bank, including fines, lawsuits, and loss of customers' trust.
  • Reputational Damage: Think about how news of a security breach spreads quickly through social media and news outlets. The bank's reputation takes a hit, causing existing customers to lose confidence and potential customers to avoid opening accounts or investing with the institution.
  • Regulatory Compliance: Explain the importance of adhering to regulatory requirements such as GDPR, PCI DSS, and SOX. Non-compliance can result in hefty fines and sanctions, impacting the bank's bottom line and ability to operate effectively.
  • Disruption of Services: Envision a scenario where a cyberattack disrupts the bank's services, causing online banking platforms to crash or ATMs to malfunction. This not only inconveniences customers but also leads to financial losses for the bank due to downtime and potential compensation claims.
  • Loss of Competitive Advantage: Highlight how competitors who prioritise security measures are seen as more trustworthy and reliable by customers. Failing to invest in robust security controls can put the bank at a disadvantage in the market, leading to loss of market share and revenue.
  • Customer Trust and Loyalty: Emphasise that customers expect their financial institutions to safeguard their personal and financial information. A breach of trust due to inadequate security measures can drive customers away, resulting in lost business and revenue in the long run.
  • Operational Efficiency: Explain how implementing effective security controls can streamline operations by reducing the likelihood of security incidents and the associated costs of investigation, remediation, and damage control.
  • Long-term Viability: Paint a picture of the future where cyber threats continue to evolve and intensify. Investing in security now is essential for the bank's long-term viability and sustainability in an increasingly digital and interconnected world.

By presenting these examples in relatable terms, your business colleagues can better understand the importance of prioritising IT security controls to protect customer data and assets.

Understand the mindset of a cybercriminal actor

The Mindset of a Cybercriminal Actor - examples to share with the Business for better understand the sense of urgency to use security countermeasures.

Initial Access through Internet-Facing Service

  • Imagine a cybercriminal lurking on the internet, scanning for vulnerable systems just like a burglar might case a neighbourhood looking for unlocked doors or windows.
  • They might discover a company's web server that hasn't been updated with the latest security patches, making it vulnerable to exploitation.
  • Using automated tools or techniques, the cybercriminal gains access to the server, just like picking a lock to enter a house.
  • Once inside, they may plant malware or establish a foothold, like leaving a hidden spare key behind for future access.
  • Their motivation? It could be financial gain by stealing valuable data, or perhaps they're seeking to disrupt operations out of revenge or to make a political statement.

Unauthorised Access through Leaked Credentials or Insider Threat

  • Now, picture a scenario where an employee's login credentials are leaked through a phishing attack or stolen through social engineering tactics.
  • Alternatively, an insider with malicious intent might abuse their access privileges to snoop around where they shouldn't, much like a dishonest employee snooping through filing cabinets after hours.
  • With these credentials, the cybercriminal enters the company's network, much like using a copied key to unlock the back door of a building.
  • Once inside, they may stealthily navigate through the network, avoiding detection like a cat burglar moving silently through a darkened house.
  • Their motivation? It could be financial gain by selling sensitive information on the dark web, or perhaps they're seeking revenge for perceived mistreatment by their employer.

Lateral Movement to Crown Jewel Applications

  • With initial access secured, the cybercriminal now seeks to escalate their privileges and access the most valuable assets within the company, much like a thief targeting the most valuable items in a home.
  • They may exploit vulnerabilities in the network's defences or use sophisticated techniques to bypass security controls, like a skilled cat burglar disabling alarms and avoiding motion sensors.
  • Once they identify the crown jewel applications—such as databases containing customer information or financial records—they move laterally through the network to reach them, much like a thief navigating through rooms and hallways to reach the vault.
  • Their motivation? It's often driven by the potential for significant financial gain, as these crown jewel applications contain the most valuable assets. Additionally, there may be a thrill or sense of power in outsmarting security measures and gaining access to highly sensitive information.

Overall, the mindset of a cybercriminal actor is often opportunistic and driven by the potential for financial gain, disruption, or personal vendettas. They exploit weaknesses in security defences and leverage various techniques to gain access to valuable assets within an organisation, ultimately seeking to maximise their illicit gains while minimising the risk of detection.

Securing our future together

As we conclude our exploration into the importance of security culture, awareness, and competence, it's clear that safeguarding SEB is a collective responsibility that extends to each one of us. By fostering a unified approach to cybersecurity and empowering our workforce with the knowledge and tools they need, we can navigate the evolving threat landscape with confidence and resilience.

Moving forward, let us remain vigilant and proactive in our efforts to prioritise security in all aspects of our work. Let us continue to educate ourselves and our colleagues, raise awareness about potential risks, and invest in developing our cybersecurity skills and competencies.

Remember, security is not just a task for the Technology- or Security organisation or a select of few individuals, it's everyone's responsibility all days. By working together and embracing a culture of security, we can protect our customers data and assets, maintain the trust and confidence, and ensure a secure and prosperous future for SEB.

Thank you for your dedication to security excellence. Together, we can continue to improve a safer and more resilient SEB for generations to come.

At SEB, security is innovation and trust in action.
 

Author: Ulf Larsson, Security CTO