The Human Firewall: Cyber Resilience Starts with Organisational Culture
A cyber-aware culture involves collective effort, and is key to building long-term resilience.
By Christophe Barel
In today’s landscape, where cyberthreats are constantly evolving, the resilience of financial institutions requires more than just state-of-the-art technology, which alone cannot guarantee full protection.
At the heart of an organisation’s cyber resilience is its people, who foster a culture that prioritises cyber awareness and hygiene, forming a human firewall essential to robust cybersecurity.
Despite today’s fraught cyberthreat landscape, many organisations still struggle to implement basic cyber hygiene practices effectively. This gap is often due to a mix of factors: insufficient awareness, where employees and leaders alike may lack a deep understanding of cybersecurity risks; a tendency to overlook best practices due to perceived inconvenience; and the technical limitations that challenge smaller financial institutions or those with lower cyber maturity. These vulnerabilities can leave an organisation exposed to breaches that can have severe consequences.
Within the interconnected financial ecosystem, one institution’s cyber resilience can influence the overall risk landscape. This was exemplified by the recent CrowdStrike outage in July this year. Though the outage wasn’t the result of a cybercrime, the incident underscored the global financial sector’s vulnerability to cybersecurity disruptions. Relying on CrowdStrike’s cybersecurity services, institutions worldwide faced massive operational disruptions. The incident led to an estimated USD1.15 billion in losses to the banking sector alone, highlighting the far-reaching consequences of such outages. The incident also exposed critical dependencies on third-party providers, highlighting the urgent need for institutions – and the sector as a whole – to build cyber resilience.
Resilience begins with getting the fundamentals right – yet concerningly, the Cyber Security Agency of Singapore has identified a significant knowledge and experience gap in cybersecurity implementation and basic cyber hygiene as a major barrier for organisations, with 59% of businesses and 56% of non-profits citing it as a key challenge.
The repercussions of this gap – financial losses, reputational damage, and operational disruptions – are too significant to ignore. Therefore, regardless of size or cyber maturity, all financial institutions must prioritise fundamental cyber hygiene practices to enhance their resilience.
Even the most advanced cybersecurity strategy can falter if an institution does not foster a robust organisational culture that ingrains cybersecurity into the firm’s DNA. This culture must promote a shared understanding that security is a collective responsibility and prioritise cyber awareness and hygiene to ensure the long-term effectiveness of security technologies.
Leadership plays a crucial role in shaping this culture by championing and modelling strong cyber hygiene practices. Employees look to their organisation’s leaders to set the tone from the top, with 80% of respondents to a 2024 LogRhythm report believing that cybersecurity leaders and CEOs should be primarily responsible for defending against and responding to cyber incidents. Leaders within the institution should also implement clear cybersecurity policies and procedures and ensure these are communicated clearly and regularly to all employees. Additionally, leaders should provide employees with ongoing cybersecurity training and resources, including phishing and social engineering awareness, data handling best practices, two-factor authentication, and endpoint security.
Employees, in turn, should be equipped with the knowledge and skills needed to recognise and respond to threats through regular training and awareness programmes. This education must go beyond surface-level instructions; it should cultivate a deep understanding of the evolving threat landscape and provide practical tools for recognising and mitigating risks in real time. Creating systems that can detect unusual behaviours and patterns, and gathering intelligence to identify look-alike websites that pose phishing threats will help employees build skills and confidence.
Human decisions play a critical role in security outcomes, especially as increasingly rampant social engineering tactics like phishing exploit human psychology. According to the Financial Services Information Sharing and Analysis Center’s (FS-ISAC) Navigating Cyber 2024 report, generative AI is expected to fuel a rise in phishing emails and deepfakes; the report also notes an increasing trend in smishing (SMS phishing), which applies social engineering through mobile texting, and in QR code phishing.
In Singapore, the average amount lost per scam was SGD14,503 in 2024, marking a 7.1% increase from the previous year. Most fraud incidents start with social engineering exploits that open breaches in the firm’s systems. In the first half of 2024, the most common types of social engineering scams involved e-commerce, job posts, and phishing. Hence, a strong culture of awareness can empower employees to identify and mitigate these threats. This is especially crucial as adversaries increasingly use generative AI to craft sophisticated scams, including deepfake video, audio, and one-on-one communications. Tailored training that addresses the specific risks associated with different roles can further solidify a culture of vigilance.
This rising incidence and sophistication of fraud schemes highlight the need for financial institutions to secure their infrastructure while also focusing on external customer protection. Customers should know how their financial institutions will communicate with them so they can flag irregular messages as potential frauds, and they should be able to report such attempts easily. Ideally, financial services firms should have a process to receive and parse those reports and share them internally. Aggregated shared signals could lead to preventative actions.
A holistic approach is essential, integrating fraud prevention into application development, product design, and service delivery. As part of fostering the sector’s collective resilience against disruptions, industry organisations such as FS-ISAC play a leading role through a growing suite of anti-fraud initiatives, including fraud intelligence alerts and reports, coordinating sector-wide efforts to enhance collaboration via intel and data sharing, and law enforcement coordination.
Improving an organisation’s security posture requires a commitment to everyday practices that reinforce cyber hygiene – these practices should be so ingrained in the organisation’s protocols and framework that they almost become second nature.
Training employees on cybersecurity is essential as security is everyone’s responsibility. Regular education on protecting systems, especially against phishing scams, is crucial. With the rise of sophisticated scams driven by generative AI, employees should be trained to evaluate behavioural cues and question, “Would this person make that request?”
One effective approach is to conduct regular phishing simulation exercises that can involve emails or messages that mimic real-world phishing attacks. Employees who fall for these scam simulations receive immediate feedback and additional training on recognising phishing signs and other social engineering red flags.
Another important practice is to regularly conduct incident response exercises that simulate various types of cyberattacks in order to build muscle memory. These exercises should involve cross-departmental teams to ensure everyone understands their role in a real-life incident. Post-exercise reviews and feedback are crucial for refining response strategies. Further, developing various incident response plans tailored to specific attack types is essential. These plans should outline security and recovery steps before, during, and after incidents and must be approved by senior leadership.
Incentivising good cyber hygiene practices can also reinforce a security-focused culture. Recognising and rewarding employees who demonstrate exemplary behaviour underscores the importance of these practices and motivates others to follow suit. Positive reinforcement helps transform good security habits into a natural part of daily routines.
Alongside culture, understanding your systems is crucial for defence. An updated inventory of all assets on the network, including physical hardware, remote devices, and cloud applications, should be maintained. Regular software updates with security patches are vital, as these patches fix vulnerabilities and enhance overall security.
FS-ISAC’s latest resource on Cyber Fundamentals emphasises the importance of implementing multi-factor authentication (MFA) across all accounts, both internal and external, which can significantly reduce the risk of account compromise.
Additionally, the guidance encourages users to create longer passwords, within reason, to further enhance security. A zero-trust policy, which requires validation for anyone accessing applications and data, combined with the principle of least privilege, ensures users have only the access they need. When paired with MFA, these measures make it much harder for threat actors to infiltrate the system.
Finally, resilience is an ongoing – and never-ending – process, not a one-and-done item that can simply be checked off a list. To ensure continued resilience amid a constantly evolving threat landscape, regularly testing and refining security measures is key. This can include conducting simulated phishing attacks and cyber exercises to assess employee vigilance and running penetration tests to identify and address vulnerabilities before malicious actors can exploit them. These proactive steps can help organisations stay ahead of potential threats and continuously improve their cyber hygiene practices and overall resilience.
No organisation, regardless of size or resources, can completely prevent all cyberthreats – highlighting the critical importance of building resilience. By integrating best practices into daily operations and cultivating a strong culture of cyber awareness, organisations can create a human firewall that is essential for establishing resilience against ever-evolving cyberthreats.
In turn, cultivating a cyber-aware culture requires collective effort. Leadership must set the tone but the vigilance of all employees is crucial to creating a secure environment. By fostering a shared commitment to cybersecurity and empowering employees to make informed decisions, organisations can strengthen their human firewalls and enhance their technical defences.
Christophe Barel is the Managing Director for Asia Pacific at FS-ISAC, the member-driven, not-for-profit organisation that advances cybersecurity and resilience in the global financial system, protecting financial institutions and the people they serve. Founded in 1999, the organisation’s real-time information-sharing network amplifies the intelligence, knowledge, and practices of its members for the financial sector’s collective security and defence.