Cyber Threats: Protecting Your Business And People Through Culture Change
by Rupert Lee-Browne
All companies, but particularly financial service companies, are increasingly vulnerable to sophisticated cyber threats. We all recognize the critical importance of staying ahead of these threats and keeping vigilant. The most advanced cybersecurity systems are not 100% secure. So how do we protect our businesses and people from the maelstrom? This article outlines a comprehensive strategy for enhancing cybersecurity: through leadership, targeted awareness, education and training programs for people.
The Growing Cyber Threat Landscape
According to Statista, the financial services industry is ranked second among the most targeted sectors globally, primarily due to the vast amount of valuable data. As one of the U.K.’s leading payment companies, my company operates within an environment where cyber threats are constant and evolving. With a dedicated team of over 100 staff and proprietary systems designed to serve our customers, we face unique challenges in safeguarding the business from cyber threats.
The increasing sophistication of cyber threats, particularly with advancements in artificial intelligence (AI), necessitates a continuous, proactive approach to security. The human element within any organization is a key focus, as evidenced by the 2024 U.K. Government report on cybersecurity breaches, which identifies phishing as the most common threat for 84% of U.K. businesses.
New threats are highly targeted and aim to leverage deep knowledge of an organization’s operations to craft bespoke attacks. Through extensive data analysis, we have developed a clear understanding of primary threat actors, and our research has identified five key emerging threats:
Advanced Persistent Threats (APTs): Long-term, targeted attacks designed to infiltrate systems and extract sensitive payment data
Ransomware Attacks: Malicious software that encrypts critical data and demands a ransom for its release, potentially crippling payment processing capabilities
Phishing and Social Engineering: Techniques aimed at tricking employees and customers into revealing confidential information or compromising systems
Supply Chain Attacks: Infiltration through third-party vendors and partners that could compromise integrated systems and payment platforms
Insider Threats: Risks posed by employees who may unintentionally breach security protocols
As you can see, the threats are multichannel, intelligent and turbulent. How do we navigate this maelstrom? As Peter Drucker’s theory of modern management says, “The greatest danger in times of turbulence is not the turbulence; it is to act with yesterday’s logic.”
Leading From The Top: Building A Culture Of Cybersecurity
The best-laid cybersecurity plans are futile if everyone within the organization is not on board. At my company, we’ve worked to shift the mindset from viewing cyber threats as “IT’s problem” to recognizing cybersecurity as everyone’s responsibility.
Your company board must quickly recognize how vital it is to build into the business a culture of protection against immediate and long-term cyber threats. Our board is fully committed to ensuring that the mandate is companywide, from the boardroom to the front desk.
At the board level, cybersecurity has now become an integral part of our discussions on overall company compliance and risk strategy. By fostering a top-down approach to cybersecurity, we have created the momentum needed to successfully reduce risks across the business.
Consider establishing a security committee with senior executives representing all departments to better ensure that cybersecurity is a joint responsibility. Meet regularly to assess and respond to emerging security issues.
Psychological Profiling: Understanding The Human Factor
For many companies, potential cyber threats commonly enter systems as email messages. The level of sophistication and authenticity in these messages is astonishing, often tapping into emotions with compelling, manipulative language that evokes a sense of urgency. This psychological methodology is finely tuned, constantly evolving with each new approach.
Understanding these psychological triggers is crucial. For example, we’ve observed patterns in phishing attempts that target specific departments during high-stress periods, such as month-end for finance teams or peak seasons for customer service. By identifying these patterns, you can tailor your defenses and training programs to address these vulnerabilities more effectively.
Education Of Vigilance: Shock Tactics And Awareness
Security education efforts should be centered on driving awareness of threats and the consequences of security breaches. Mandatory, role-specific training sessions should be provided during the employee onboarding process.
It can’t be just academic. Try weekly simulation exercises and test campaigns that mimic potential cyber threats. This tests your ability to recognize and respond to suspicious activities even through your own personal emails and socials. The results of these campaigns should be shared across the organization to reinforce the importance of vigilance and keep everyone alert.
Future-Proofing A Resilient Security Culture
A commitment to a proactive and comprehensive approach to cybersecurity can position you to effectively leverage technological advancements while remaining agile in the face of evolving threats. At my company, we’ve implemented real-time threat intelligence systems, including AI-driven monitoring tools that provide up-to-date information on emerging threats.
Our front-line defense system, combined with a robust ticketing system for incident reporting, better ensures that we can swiftly address security breaches. In addition, compliance with regulatory standards should be embedded into your training programs, ensuring that industry requirements are not only met but exceeded.
However, you only know how robust and prepared you really are when you are truly tested. As an example, my company’s covert “Pen Test” puts our systems and people through a live “cyberattack.” This is when we can truly evaluate our position and where more work needs to be done.
Empowering Through Culture And Education
The ability to balance security with effective business operations is critical. Your business can be dedicated to fostering a security-conscious culture through committed leadership and empowering employees with the knowledge and tools to recognize and respond to threats—in turn protecting the business, your customers and partners and your future success.
https://www.forbes.com/councils/forbesfinancecouncil/2025/01/30/cyber-threats-protecting-your-business-and-people-through-culture-change/