CSConnect UK 2019: Security awareness never really works, says Mastercard’s Vocalink CSO
“Security awareness is always failing – it never really works,” says the chief security officer of Vocalink – a Mastercard company – Andrew Rose, who thinks behaviour is the real issue when it comes to cybersecurity risks which come through employees.
Speaking at Cybersecurity Connect UK 2019 in Monaco, Rose uses the analogy of smoking to a room full of financial services, airlines and cybersecurity solution providers, saying that although we tell people to be aware of the risks – be that heart disease or a phishing vulnerability – employees will still do the wrong things.
“Awareness is not the problem, it’s behaviour. So how do we change behaviour? That’s a different conversation, and awareness is just a small part of it,” he says.
For Rose it’s about motivating managers and their teams “to believe in security”, revealing that Mastercard gives out a £1,000 annual bonus to the “top phishing reporter of the month”.
Despite the preconception that Mastercard executives might be too intelligent to fall for phishing threats, Rose highlights that the company has found phishing emails can render very differently on a mobile device, where it looks far more compelling, to a desktop, where it can look ridiculous and unbelievable.
“Executives work from iPads and iPhones these days, they just do emails as they go to meetings,” says Rose, “so the mobile platform is the one that’s really being focused on and it’s interesting to see that changing in attack”.
Email phishing is still the top cause for cybersecurity risk in FIs according to Rose, who notes “Office 365 attacks are ramping up” and they are “quite alarming”.
Also speaking on the stage was Adenike Cosgrove, who heads up cybersecurity strategy at Proofpoint, a California-based cybersecurity company which just spent $225 million on the acquisition of ObserveIT.
“We’ve left the email channel completely open,” says Cosgrove, who points out from company research that 96% of cybersecurity breaches in companies, including FIs, still happen through email phishing and yet “we’re not investing in email”.
Cosgrove says “the credentials are the crown jewels now,” explaining email phishing is a great way of targeting individuals in the company.
But fraudsters don’t necessarily always go for the CEO. Cosgrove explains that one of Proofpoint’s clients (who can’t be named) saw a surge of risk targeted at their public relations team because the company was working on a press release with the Singapore government at the time.
This is why Mastercard’s Rose concludes that customer service teams are facing a tricky dilemma, being told to always do as the customer asks, even if that means clicking on a phishing link.
“We talk about customer-centric approaches but these people [customer service teams] have really been set up to fail,” says Rose, who agrees these teams need to be re-trained and ultimately reiterates that “it’s about the whole behavioural package”.