On Aon


60: On Aon’s Intersection of Talent and Cyber for Banks with Chris Blain and Spencer Lynch

Episode Notes

With the increasing frequency of cyber events, risk management and security is a complex, multi-faceted challenge for banks around the globe. The task of keeping up with changing technologies while attracting and retaining talent who can mitigate cyber security risk has reached unprecedented levels. This week’s host and Partner in Aon’s Talent Solutions, Peter Keuls, is joined by Partner in Aon’s Talent Solutions, Chris Blain, and Aon’s Head of Cyber Solutions in the UK, Spencer Lynch, for a discussion about the intersection of talent and cyber security for financial institutions.

Additional Resources:

Aon’s website

Aon’s 2023 Cyber Resilience Report

On Aon Episode 58: On Aon’s Approach to Helping Organizations Build Cyber Resilience with Joe Martinez and David Damato

On Aon Episode 42: On Aon’s Innovative Approach to Cyber Resilience with Nitai Mandhyan and Scott Swanson

Episode Transcription

Intro:

Welcome to “On Aon,” an award-winning podcast featuring conversations between colleagues on, well, Aon. This week, we hear from Chris Blain and Spencer Lynch for a discussion on the intersection of talent and cyber for banks. And now, this week’s host, Peter Keuls.

Peter Keuls:

Hello everybody. My name is Peter Keuls, and I'm a partner in the Talent Practice at Aon and have the pleasure of hosting today's edition of the “On Aon” podcast. And today, we're talking about resilience and the critical connection between Human Capital and cyber security of financial institutions. And with me today are two colleagues, Spencer Lynch and Chris Blain. Spencer is an expert in cyber security and serves as Aon's head of Cyber Solutions in the UK. And Chris is a great colleague and partner of mine in Aon's Human Capital Solutions business, with deep experience working with global banks. So, thanks for being here today, Spencer and Chris.

Chris Blain:

Thanks, Peter. Thanks very much for including me in this conversation.

Spencer Lynch:

Thank you for having me here today too.

Peter Keuls:

So, let's get started. Spencer, could you tell our audience how you first got into the hot field of cyber security?

Spencer Lynch:

Yeah, sure. If I go back many, many years ago, I studied computer science and public policy, and I was trying to find an intersection between those two and landed myself in digital forensics. Worked in digital forensics for a few years, or maybe more than a few years, and slowly started the transition to, instead of waiting for things to go wrong and then helping clients, instead spending time with them before things went wrong and trying to prevent them or prepare them for things to go wrong so they could recover better. And that's really how I've landed where I am here today.

Peter Keuls:

Brilliant. Happy and delighted to have you leading our UK business. And Chris, tell us about how your financial background has shaped your perspective as a human capital advisor, since you've got experience both working in banks and in the finance area.

Chris Blain:

Thanks, Peter. Yes, I've worked for a number of banks since I started my career, and then I moved into consulting. Most of the work I've done with banks has been looking at how they perform, and also doing a lot of work benchmarking and helping them with their cost base and doing a lot of this around their expense base. And then latterly, I've been working in talent solutions in our commercial team, which has given me the opportunity to look across all of our solutions, including talent assessment, reward and people advisory too, so that's given me a much broader scope to work with.

Peter Keuls:

Fantastic. So cyber security is such an important topic for banks, particularly because banks really rely on the reputation and the trust their customers have in keeping their assets safe. And I noted there were more than 5,000 suspicious activity reports filed by SEC-regulated firms in 2022, which is up from closer to 500 just four years ago. Spencer, what trends are you seeing that are raising the stakes for banks in this area and driving this incredible growth?

Spencer Lynch:

Yeah, sure. I mean, cyber security, I think, has always been a concern, but as you say, it's becoming more and more pressing for banks and other financial institutions. For one, if we rewind the clock a few years, threat actors and the hackers out there were looking at stealing personal data, often just for the sake of personal data and reselling it, and they're now more focused on how they can monetize their attacks, so that's one concern. And they've gotten very good at monetizing their attacks. We've seen the epidemic of ransomware and other forms of extortion.

There's also a concern for the banks around the regulatory environment that they operate in. They've always traditionally been regulated by financial regulators. Here in the UK, we have the FCA. But with more and more data privacy regimes and cyber security controls being regulated through things like GDPR, they're now finding themselves sometimes dual or triple regulated, depending on the jurisdiction they're in, which increases the threat of regulatory fines and other pressure that they face.

And I think the other concern is that with how long there's been a problem with this kind of data theft, and people have been receiving these breach notifications, that your average consumer is starting to lose attention to the data breach notifications that they get. You get something in the post that says, oh, your data's been lost. And you think, okay, well, I think my address and email address have been compromised like 17 times so far year to date, so what's this? That said, people aren't losing their concern around their own financial assets. So, if you get a message from some random company that you bought a pair of shoes from, maybe you don't care so much, but if you're getting that message from your bank, that really does start to concern consumers. So, I think that the banks have a harder time of it, managing their reputation than some of the other industries that are also involved in cyber security.

And then maybe finally, the last trend I would hit on, which is even more recent, is generative AI and the ease with which, now that all this data is already out there, hackers and threat actors can impersonate people and generate really convincing phishing messages and other forms of attack, be it verbal or even deepfake videos. It's just making the problem worse and worse for everyone in cyber security, but as I said, banks and financial institutions have a specific focus, because they're closer to the money.

Peter Keuls:

Right. Yeah, definitely a huge target, and incredible to see how quickly things are evolving, and worrisome about the impact that AI can have on all of this. Have you seen AI being deployed already against banks and hacking attempts from phishing accounts?

Spencer Lynch:

I think it's tough to point to any one attack and say, oh, this is definitely coming from AI, but there's certainly, just with the advent of ChatGPT and other forms of generative AI, been a notable uptick in the quality of phishing messages that people receive. It often used to be that you would train people on how to identify a phishing message by telling them it's not going to make a whole lot of sense and it's going to have grammatical errors in it, and that's not really viable anymore. It's pretty easy to get a grammatically accurate phishing message from AI if you wanted to. And it's also not hard, I don't want to say it's as easy, but to seed AI with the specific communications from one individual and say, generate me a message that sounds like it was written by this person. So that's also something that we'll probably see more and more of in the future.

Peter Keuls:

Or even a voice message that sounds like an executive at the bank.

Spencer Lynch:

Exactly.

Peter Keuls:

Since these people usually have lots of public domain recordings. Chris, how are talent trends impacting cyber security?

Chris Blain:

I think what we're seeing is any IT-related roles, there's a talent shortage and a skills shortage. So, as we see more cyber attacks and more breaches, banks are grappling with trying to ensure that they retain their people with those skills and try and attract that talent as well. So they need to ensure that they're paying at the right levels, and in talent solutions we have probably the best data around that, and are they attracting the right people? And we have an assessment practice, which can help with that too. So as far as people are concerned, it's a difficult marketplace, and I think Spencer will agree that where he sees cyber incidents, it normally relates to people and not the IT application itself.

Spencer Lynch:

Yeah. And then Chris, I agree with you actually on both fronts, the challenge on attracting and keeping talent is incredibly important in cyber. The talent shortage is huge. So it's certainly something that all industries, banks in particular, need to be looking at.

And then yeah, on the targeting side, I still do a lot of incident response and constantly say that the majority of cases that we see start with a person. It's a people problem. It's usually not a technology problem. The phishing emails will get through whatever filtering you have. Unless you're just going to tell people we're no longer conducting business over email, phishing is something you're going to have to deal with. And it's people that are clicking on the phishing links and typing in their username and password, or running the program, opening the attachment that they shouldn't have. So, there is a huge people component to cyber security.

Peter Keuls:

And how have remote work trends impacted this employee vulnerability, when tens of thousands of employees of the bank could be working from home, on home networks?

Spencer Lynch:

Yeah, I think it's stabilized to some degree, but if you look at what I'll call the crash rollout of remote working that occurred during the pandemic, the attack surfaces for companies grew rapidly as they tried to figure out how to enable their workforce to work from home, oftentimes without the change management that might normally occur. If you look at normal IT change management, you may be talking about months or years to make a major systems change, and we saw major systems changes executed in the span of weeks.

So, you've got the problem on the attack footprint and the amount of space you're trying to protect as an IT security manager, coupled with everyone being remote. So people lost that direct supervision and the direct correspondence with people. It used to be that you could very easily just turn your head and say, "Hey, Bob, are you the one who sent me that email, because it seems sort of weird?" But Bob doesn't sit next to you if Bob's at home and you're at home. So, people lost the person-to-person connection, and that makes it harder to defend against some of these attacks. So remote working has definitely had an impact.

Peter Keuls:

Staying on remote working. Now have you seen any specific trends from banks after the pandemic?

Chris Blain:

Well, I think we've also seen the announcement in the press by certain banks regarding their employees, some saying that they should all return to the office by a certain date or they should be now spending all of their time back in the office rather than at home, especially in front office roles where there are certain regulatory requirements. As far as attracting staff goes, I think we've all been involved in the recruitment process. I think a lot of questions that especially younger colleagues will ask is, what are the rules around flexible working? So as far as the employee value proposition goes, it's clear that a lot of people are looking for that extra flexibility now, and to rule that out completely could probably put you at a disadvantage in the marketplace. So, I think things are starting to settle down, but there are a lot of different new snippets that we're hearing around what people are doing around remote working and flexible working.

Peter Keuls:

Right. It seems like remote working, to some degree, is here to stay, which means that this challenge of managing this expanded attack footprint is something that the cyber professionals in the bank will have to cope with for the first time.

Chris Blain:

Definitely, yes.

Peter Keuls:

So, it seems like the first challenge is to understand the vulnerabilities at a bank, and you're saying that employees are usually the most important vulnerability in the cyber security area. So how can a bank assess its organizational vulnerabilities? Chris, from a talent perspective, how can you assess the organizational vulnerabilities, and then we'll turn to Spencer to talk about the technical dimension.

Chris Blain:

We have an assessment practice or platform, and we can design a number of different assessments. You may be employing somebody who's got additional access to certain applications that hold very sensitive data. You may want to assess those sorts of people to ensure that they are the right sort of person to be giving that access to. So that's one of the ways that you could check, either before they're employed or before they move into a role where they would have that type of access.

Peter Keuls:

And how do those assessments work?

Chris Blain:

Most of them are actually online assessments, and they are designed by our own occupational psychologists, and they're very good at getting actually to the root of how somebody works.

Peter Keuls:

Right, and I imagine identifying risk taking behaviors and who might be more prone to those behaviors that could be a challenge.

Chris Blain:

Exactly.

Peter Keuls:

Fantastic. And so, Spencer, there must be continuous monitoring of the technical infrastructure. What can firms do to assess whether they're doing enough?

Spencer Lynch:

Yeah, I think that's a great question, and I could speak probably for hours on how firms and banks can look at their technical protections. I will try and avoid doing that and hit it at a high level. There are things like penetration testing that lots of clients do, and it's often mandated by a regulator that banks do it: effectively, pretend to be the hacker and break into the bank. There's vulnerability scanning, and ongoing and continuous vulnerability management, where you check all the external infrastructure and see if there's any new vulnerability that's been found. I think we all know now from the news over the past few years that it's not the case that people are just sitting on knowing that these vulnerabilities exist; it's that a new one is discovered, and then you've got a race to figure out, is this in our infrastructure? And benchmark how long does it normally take us to fix these vulnerabilities once they're discovered?

And then there's maturity assessments and other forms of benchmarking where banks can, and all industries can do this, but look at and work with consultants to assess what they're doing across different types of controls and control domains and compare that to industry benchmarks. Are we doing the right things on endpoint detection and response? Are we as up to date as everyone else in the industry? Are we behind the curve? Are we ahead of the curve? Are we doing the same thing on multifactor authentication? There are lots of different control domains you can look at, but that's one thing that we work with clients frequently to do, is help them figure out where they are and how does that compare to a peer group.

On the technical side, I think we also can do, and Chris, I don't know if this is something you want to talk to, but I think we also sometimes do that on the people side as well. Do you have the right type of people? Is your per-person spend right for your organization?

Chris Blain:

That's right. So, we have a lot of very granular data that we collect from banks. So, we have all of their cost and headcount information both from their general ledgers and their own HR systems as well, and that allows us to actually benchmark the spend of the cyber teams and functions that one bank has against a peer group of similar banks. So, we can actually tell if they're either underinvested or overinvested, and are you spending more on the cyber functions than the other banks typically would?

We can also look at how the cyber functions are organized. Are they outsourcing some of those functions rather than insourcing them, and actually start to tell them which functions are typically insourced and which are outsourced. So, the level of investment around cyber, in a typical bank, is enormous, running into tens if not hundreds of millions of dollars. So, it's very important that they get the balance right in terms of cost, especially at a time when banks are very, very focused on their cost base.

Peter Keuls:

I imagine those costs have been increasing rather than decreasing?

Chris Blain:

Yes, and we can really get underneath it as well. We can tell them if the cost overrun is being driven by compensation, the level and grade of headcount, or whether it is something going on in their non-compensation costs that is driving that.

Peter Keuls:

Great. I'm sure that's very helpful for a bank, to help understand what they need to be investing in, in cyber security. And the stakes are high. It seems like such a complex, multifaceted problem that is changing all the time, as technology changes and threat actors evolve. And I'm sure it goes wrong often enough, and when it goes wrong, it probably can go very wrong. Spencer, what are some of the case examples where it's gone wrong, and what can we learn from those failures?

Spencer Lynch:

Sure. I'll tell one story that went very wrong, and it could have gone much more wrong. I guess I'll start by saying that. So this was an organization that generally had multifactor authentication on the remote access platforms, but as they found out, not on all, there was a small number of remote access platforms that were used by, I actually think they were contractors to the bank, not full-time employees, but to enable access to contractors who were involved in IT administration.

And it turned out for them that one of their contractors was using a password that was the same password that he used for pretty much every other online account that he had, and one of those accounts was compromised. And a few weeks after that compromise occurred, and I don't know exactly how the threat actors decided to test his username and password on this remote access platform, but they did, they probably found an email in his inbox, but they did and got in. And from there, it went very bad very quickly. The threat actors mapped around the system, figured out what systems they had access to, got access to all the KYC data that that organization had on their customers, started encrypting that data, because they identified it as something that was important to the organization, so started encrypting it in a typical ransomware attack, and exfiltrated it, stole a copy of it.

Where I said it could have gone a lot worse, one of the systems that they got access to was a database server that also had a lot of transactional information about customer accounts. And without that system, the organization would've had a very hard time, or at least been substantially delayed, in figuring out what balances on customer accounts were. Thankfully, in the case I'm thinking of, the threat actor didn't do anything with that database. I don't think they realized what they had access to, but it's pretty easy to see how that could have gotten much worse quickly.

As it was, losing KYC information for all your customers was particularly painful, both because of the regulatory obligations to know who they were dealing with, and not being able to see which customers had gone through a KYC process and which had not was a problem, but also because they then had to tell all their customers, by the way, we lost scans of your passports. Which, even though I said at the beginning customers are getting immune to those data breach notifications, they're much less immune when they're coming from financial organizations that they trust, and passports are still something that people are pretty sensitive about.

Peter Keuls:

Yeah, that's a great way to lose a customer, isn't it?

Spencer Lynch:

Yeah.

Peter Keuls:

Chris, how can financial institutions manage cyber security more effectively from a talented people perspective?

Chris Blain:

As I mentioned when we started, the skill shortage is a real challenge for the banks, and they may want to look outside of the normal functions to actually try to find people internally. What we've been doing is looking at things like personas, and there could be a persona for people working in the cyber functions, and the skills required could actually be sitting in other areas of the bank such as risk or other functions in IT. And again, using assessment, we can assess to see if some of those people could actually move into cyber roles, which would be of great benefit to the banks, of course, but also opens up a great opportunity for people employed by the banks, allowing them to move into new roles and actually maybe even increase their levels of compensation by doing that.

Spencer Lynch:

And Peter, I was going to jump in, because Chris said something that triggered me, and I was trying to predict what question you might ask me next. And when I heard Chris talking about people moving from other areas of the business into cyber, it made me think how much of a benefit that could be. One of the areas that a lot of organizations struggle with is that cyber is not as well connected to the business as it needs to be. So, they're trying to manage cyber security and trying to think through what could the impact on the business be, but they're not the business, they're not the ones dealing with customers every day. They can't predict all the different possible impacts, so getting that cross pollination of thought, it's tremendously important for banks.

And trying to connect it back the other way as well, and getting every stakeholder organization thinking about cyber as being something that they need to worry about. You may have a team that's dedicated to worrying about it, but gone is the day where someone can say, oh, cyber, I don't worry about that, we have a team that does that, particularly at the executive levels, but across the organization. If your average cyber attack starts because someone clicked on a phishing email, people have to realize they've got to be aware and they've got to be part of the solution.

Peter Keuls:

Yeah, it's everybody's problem. I mean, if I was a bank CEO, this would be a topic that would keep me up at night, since so much is at stake and it's such a complex problem. What recommendations do you have for a bank CEO on how they should structure and lead their executive teams to build more cyber-resilient businesses? Spencer, do you have a point of view on that?

Spencer Lynch:

Yeah. I think, overall, we try to lead the culture to think of cyber security as a business problem and not a technology problem. If CEOs and other executives can instill a culture within a bank or within any organization where everyone feels like cyber is partially their responsibility, they will be a much more resilient organization than if they don't have that culture.

Peter Keuls:

Chris, from a Talent Solutions perspective, what can bank leaders do to better manage the organization to improve cyber security?

Chris Blain:

Given, again, all the skill shortages and the talent shortages, it's very important that the CEO helps to ensure that the workforce is resilient. And that's something that's a big focus for a lot of organizations at the moment, especially around wellbeing, et cetera. So, if you have a resilient workforce, then they're more likely to stay with the organization as well, so extremely important.

Peter Keuls:

True. Terrific. Well, Spencer and Chris, thanks for your insights today. This is a really important topic, and following these recommendations and implementing them really could be the difference between success and catastrophe for financial institutions. So hopefully the audience has been listening carefully and can reach out, if they would like, for their input and advice. Thanks. That's our show for today, and thank you everybody for listening, and look for the next episode of On Aon coming to you soon.

Outro:

This has been a conversation “On Aon” and resilience. Thank you for listening. If you enjoyed this latest episode, tune in soon for our next edition. You can also check out past episodes on Simplecast. To learn more about Aon, its colleagues, solutions and news, check out our show notes, and visit our website at Aon.com.