On Aon Podcast: Intersection of Talent and Cyber for Banks
Episode 60: Our Aon experts discuss the intersection of talent and cyber security for financial institutions.
Key Takeaways
- In this episode, Aon experts dive into the latest trends that are raising the cyber security stakes for banks.
- Aon experts discuss tactics for assessing organizational vulnerabilities and strengthening protections.
- Episode 60 provides advice for effectively managing organizational-level cyber security efforts and talent.
Intro:
Welcome to “On Aon,” an award-winning podcast featuring conversations between colleagues on, well, Aon. This week,
we hear from Chris Blain and Spencer Lynch for a discussion on the intersection of talent and cyber for banks. And
now, this week’s host, Peter Keuls.
Peter Keuls:
Hello everybody. My name is Peter Keuls, and I'm a partner in the Talent Practice at Aon and have the pleasure of
hosting today's edition of the “On Aon” podcast. And today, we're talking about resilience and the critical
connection between Human Capital and cyber security of financial institutions. And with me today are two colleagues,
Spencer Lynch and Chris Blain. Spencer is an expert in cyber security and serves as Aon's head of Cyber Solutions in
the UK. And Chris is a great colleague and partner of mine in Aon's Human Capital Solutions business, with deep
experience working with global banks. So, thanks for being here today, Spencer and Chris.
Chris Blain:
Thanks, Peter. Thanks very much for including me in this conversation.
Spencer Lynch:
Thank you for having me here today too.
Peter Keuls:
So, let's get started. Spencer, could you tell our audience how you first got into the hot field of cyber security?
Spencer Lynch:
Yeah, sure. If I go back many, many years ago, I studied computer science and public policy, and I was trying to
find an intersection between those two and landed myself in digital forensics. Worked in digital forensics for a few
years, or maybe more than a few years, and slowly started the transition to, instead of waiting for things to go
wrong and then helping clients, instead spending time with them before things went wrong and trying to prevent them
or prepare them for things to go wrong so they could recover better. And that's really how I've landed where I am
here today.
Peter Keuls:
Brilliant. Happy and delighted to have you and leading our UK business. And Chris, tell us about how your financial
background has shaped your perspective as a human capital advisor, since you've got experience, both working in
banks and in the finance area.
Chris Blain:
Thanks, Peter. Yes, I've worked for a number of banks since I started my career, and then I moved into consulting.
Most of the work I've done with banks has been looking at how they perform, and also doing a lot of work
benchmarking and helping them with their cost base and doing a lot of this around their expense base. And then
laterally, I've been working in talent solutions in our commercial team, which has given me the opportunity to look
across all of our solutions, including talent assessment, reward and people advisory too, so that's given me a much
broader scope to work with.
Peter Keuls:
Fantastic. So cyber security is such an important topic for banks, particularly because banks really rely on the
reputation and the trust their customers have in keeping their assets safe. And I noted there were more than 5,000
suspicious activity reports filed by SEC-regulated firms in 2022, which is up from closer to 500 just four years
ago. Spencer, what trends are you seeing that are raising the stakes for banks in this area and this incredible
growth?
Spencer Lynch:
Yeah, sure. I mean, cyber security, I think, has always been a concern, but as you say, it's becoming more and more
pressing for banks and other financial institutions. For one, if we rewind the clock a few years, the threat
actors and hackers out there were looking at stealing personal data, often just for the sake of personal data
and reselling it, and they're now more focused on how they can monetize their attacks, so that's one concern. And
they've gotten very good at monetizing their attacks. We've seen the epidemic of ransomware and other forms of
extortion.
There's also a concern for the banks around the regulatory environment that they operate in. They've always been
traditionally regulated by financial regulators. Here in the UK, we have the FCA. But with more and more data
privacy regimes and cyber security controls being regulated through things like GDPR, they're now finding
themselves sometimes dual or triple regulated, depending on the jurisdiction they're in, which increases the threat
of regulatory fines and other pressure that they face.
And I think the other concern is that, with how long there's been a problem with this kind of data theft and people
have been receiving these breach notifications, your average consumer is starting to lose attention to the data
breach notifications that they get. You get something in the post that says, oh, your data's been lost. And you
think, okay, well, I think my address and email address have been compromised like 17 times so far year to date, so
what's this? That said, people aren't losing their concern around their own financial assets. So, if you get a
message from some random company that you bought a pair of shoes from, maybe you don't care so much, but if you're
getting that message from your bank, that really does start to concern consumers. So, I think that the banks have a
harder time of it, managing their reputation than some of the other industries that are also involved in cyber
security.
And then maybe finally, the last trend I would hit on, which is even more recent, generative AI and the ease with
which now that with all the data that's already out there, hackers and threat actors can impersonate people and
generate really convincing phishing messages and other forms of, be it verbal or even deep fake videos. It's just
making the problem worse and worse for everyone in cyber security, but as I said, banks and financial institutions
have a specific focus, because they're closer to the money.
Peter Keuls:
Right. Yeah, definitely a huge target, and incredible to see how quickly things are evolving, and worrisome about
the impact that AI can have on all of this. Have you seen AI being deployed already against banks and hacking
attempts from phishing accounts?
Spencer Lynch:
I think it's tough to point to any one attack and say, oh this is definitely coming from AI, but there's certainly,
just with the advent of ChatGPT and other forms of generative AI, been a notable uptick in the quality of phishing
messages that people receive. It often used to be that you would train people on how to identify a phishing message
by telling them it's not going to make a whole lot of sense and it's going to have grammatical errors in it, and
that's not really viable anymore. It's pretty easy to get a grammatically accurate phishing message from AI if you
wanted to. And it's also not hard, I don't want to say it's as easy, but to seed AI with the specific communications
from one individual and say generate me a message that sounds like it was written by this person. So that's also
something that we'll probably see more and more of in the future.
Peter Keuls:
Or even a voice message that sounds like an executive at the bank.
Spencer Lynch:
Exactly.
Peter Keuls:
Since these people usually have lots of public domain recordings. Chris, how are talent trends impacting cyber
security?
Chris Blain:
I think what we're seeing is any IT-related roles, there's a talent shortage and a skills shortage. So, as we see
more cyber attacks and more breaches, banks are grappling with trying to ensure that they retain their people with
those skills and try and attract that talent as well. So they need to ensure that they're paying at the right
levels, and in talent solutions we have probably the best data around that, and are they attracting the right
people? And we have an assessment practice, which can help with that too. So as far as people are concerned, it's a
difficult marketplace, and I think Spencer will agree that where he sees cyber incidents, it normally relates to
people and not the IT application itself.
Spencer Lynch:
Yeah. And then Chris, I agree with you actually on both fronts, the challenge on attracting and keeping talent is
incredibly important in cyber. The talent shortage is huge. So it's certainly something that all industries, banks
in particular, need to be looking at.
And then yeah, on the targeting side, and I still do a lot of incident response and constantly say that the majority
of cases that we see start with a person. It's a people problem. It's usually not a technology problem. The phishing
emails will get through whatever filtering you have. Unless you're just going to tell people we're no longer
conducting business over email, phishing is something you're going to have to deal with. And it's people that are
clicking on the phishing links and typing in their username and password, or running the program, opening the
attachment that they shouldn't have. So, there is a huge people component to cyber security.
Peter Keuls:
And how have remote work trends impacted this employee vulnerability, when tens of thousands of employees of the
bank could be working from home, on home networks?
Spencer Lynch:
Yeah, I think it's stabilized to some degree, but if you look at what I'll call the crash rollout of remote working
that occurred during the pandemic, the attack surfaces for companies grew rapidly as they tried to figure out how to
enable their workforce to work from home, oftentimes without the change management that might occur. If you look at
normal IT change management, you may be talking about months or years to make a major systems change, and we saw
major systems changes executed in the span of weeks.
So, you've got the problem on the attack footprint and the amount of space you're trying to protect as an IT
security manager, coupled with everyone being remote. So people lost that direct supervision and the direct
correspondence with people. It used to be that you could very easily just turn your head and say, "Hey, Bob, are you
the one who sent me that email, because it seems sort of weird?" But Bob doesn't sit next to you if Bob's at home
and you're at home. So, people lost the person-to-person connection, and that makes it harder to defend against some
of these attacks. So remote working has definitely had an impact.
Peter Keuls:
Doing on remote working. Now have you seen any specific trends from banks after the pandemic?
Chris Blain:
Well, I think we've also seen the announcement in the press by certain banks regarding their employees, some saying
that they should all return to the office by a certain date or they should be now spending all of their time back in
the office rather than at home, especially in front office roles where there are certain regulatory requirements. As
far as attracting staff goes, I think we've all been involved in the recruitment process. I think a lot of questions
that especially younger colleagues will ask is, what are the rules around flexible working? So as far as the
employee value proposition goes, it's clear that a lot of people are looking for that extra flexibility now, and to
rule that out completely could probably put you at a disadvantage in the marketplace. So, I think things are
starting to settle down, but there are a lot of different new snippets that we're hearing around what people are
doing around remote working and flexible working.
Peter Keuls:
Right. It seems like remote working, to some degree, is here to stay, which means that this challenge of managing
this expanded attack footprint is something that the cyber professionals in the bank will have to cope with for the
first time.
Chris Blain:
Definitely, yes.
Peter Keuls:
So, it seems like the first challenge is to understand the vulnerabilities at a bank, and you're saying that
employees are usually the most important vulnerability in the cyber security area. So how can a bank, how can it
assess their organizational vulnerabilities? From a down perspective, how you can assess the organizational
vulnerabilities, and then we'll turn to Spencer to talk from the technical dimension.
Chris Blain:
We have an assessment practice or platform, and we can design a number of different assessments. You may be
employing somebody who's got additional access to certain applications that hold very sensitive data. You may want
to assess those sorts of people to ensure that they are the right sort of person to be giving that access to. So
that's one of the ways that you could check, either before they're employed or before they move into a role where
they would have that type of access.
Peter Keuls:
And how do those assessments work?
Chris Blain:
Most of them are actually online assessments, and they are designed by our own occupational psychologists, and
they're very good at getting actually to the root of how somebody works.
Peter Keuls:
Right, and I imagine identifying risk taking behaviors and who might be more prone to those behaviors that could be
a challenge.
Chris Blain:
Exactly.
Peter Keuls:
Fantastic. And so, Spencer, there must be continuous monitoring of the technical infrastructure. What can firms do
to assess whether they're doing enough?
Spencer Lynch:
Yeah, I think that's a great question, and I could speak probably for hours on how firms and banks can look at their
technical protections. I will try and avoid doing that and hit it at a high level. There are things like penetration
testing that lots of clients do, and it's often mandated by a regulator that banks do it, effectively
pretend to be the hacker and break into the bank. There's vulnerability scanning, and ongoing and continuous
vulnerability management, where you check all the external infrastructure and see if there's any new vulnerability
that's been found. I think we all know now from the news over the past few years that it's not the case that people
are just sitting on knowing that these vulnerabilities exist, it's that a new one is discovered, and then you've got
a race to figure out is this in our infrastructure, and benchmark how long does it normally take us to fix these
vulnerabilities once they're discovered?
And then there's maturity assessments and other forms of benchmarking where banks can, and all industries can do
this, but look at and work with consultants to assess what they're doing across different types of controls and
control domains and compare that to industry benchmarks. Are we doing the right things on endpoint detection and
response? Are we as up to date as everyone else in the industry? Are we behind the curve? Are we ahead of the curve?
Are we doing the same thing on multifactor authentication? There are lots of different control domains you can look
at, but that's one thing that we work with clients frequently to do, is help them figure out where they are and how
does that compare to a peer group.
On the technical side, I think we also can do, and Chris, I don't know if this is something you want to talk to, but
I think we also sometimes do that on the people side as well. Do you have the right type of people? Is your
per-person spend right for your organization?
Chris Blain:
That's right. So, we have a lot of very granular data that we collect from banks. So, we have all of their cost and
headcount information both from their general ledgers and their own HR systems as well, and that allows us to
actually benchmark the spend of the cyber teams and functions that one bank has against a peer group of similar
banks. So, we can actually tell if they're either underinvested or overinvested, and are you spending more on the
cyber functions than the other banks typically would?
We can also look at how the cyber functions are organized. Are they outsourcing some of those functions rather than
insourcing them, and actually start to tell them which functions are typically insourced and which are outsourced.
So, the level of investment around cyber, in a typical bank, is enormous, running into tens if not hundreds of
millions of dollars. So, it's very important that they get the balance right in terms of cost, especially at a time
when banks are very, very focused on their cost base.
Peter Keuls:
I imagine those costs have been increasing rather than decreasing?
Chris Blain:
Yes, and we can really get underneath it as well. We can tell them if the cost overrun is being driven by compensation,
the level and grade of headcount, or is it something going on in their non-compensation costs that are driving that?
Peter Keuls:
Great. I'm sure that's very helpful for a bank, to help understand what they need to be investing in, in cyber
security. And the stakes are high. It seems like such a complex, multifaceted problem that is changing all the time,
and as technology changes and threat actors evolve. And I'm sure it goes wrong often enough, and when it goes wrong,
it probably can go very wrong. Spencer, what are some of the case examples in where it's gone wrong, and what can we
learn from those failures?
Spencer Lynch:
Sure. I'll tell one story that went very wrong, and it could have gone much more wrong. I guess I'll start by saying
that. So this was an organization that generally had multifactor authentication on the remote access platforms, but
as they found out, not on all, there was a small number of remote access platforms that were used by, I actually
think they were contractors to the bank, not full-time employees, but to enable access to contractors who were
involved in IT administration.
And it turned out for them that one of their contractors was using a password that was the same password that he
used for pretty much every other online account that he had, and one of those accounts was compromised. And a few
weeks after that compromise occurred, and I don't know exactly how the threat actors decided to test his username
and password on this remote access platform, but they did, they probably found an email in his inbox, but they did
and got in. And from there, it went very bad very quickly. The threat actors mapped around the system, figured out
what systems they had access to, got access to all the KYC data that that organization had on their customers,
started encrypting that data, because they identified it as something that was important to the organization, so
started encrypting it in a typical ransomware attack, and exfiltrated it, stole a copy of it.
Where I said it could have gone a lot worse, one of the systems that they got access to was a database server that
also had a lot of transactional information about customer accounts. And without that system, the organization
would've had a very hard time, or at least been substantially delayed, in figuring out what balances on customer
accounts were. Thankfully, in the case I'm thinking of, the threat actor didn't do anything with that database. I
don't think they realized what they had access to, but it's pretty easy to see how that could have gotten much worse
quickly.
As it was, losing KYC information for all your customers was particularly painful, both because of the regulatory
obligations, they knew who they were dealing with, and not being able to see which customers have gone through a KYC
process and which have not was a problem, but also because they then had to tell all their customers, by the way we
lost scans of your passports. Which, even though I said at the beginning customers are getting immune to those data
breach notifications, they're much less immune when they're coming from financial organizations that they trust, and
passports are still something that people are pretty sensitive about.
Peter Keuls:
Yeah, that's a great way to lose a customer, isn't it?
Spencer Lynch:
Yeah.
Peter Keuls:
Chris, how can financial institutions manage cyber security more effectively from a talented people perspective?
Chris Blain:
As I mentioned when we started, the skill shortage is a real challenge for the banks, and they may want to look
outside of the normal functions to actually try to find people internally. What we've been doing is looking at
things like personas, and there could be a persona for people working in the cyber functions, and the skills
required could actually be sitting in other areas of the bank such as risk or other functions in IT. And again,
using assessment, we can assess to see if some of those people could actually move into cyber roles, which
would be of great benefit to the banks, of course, but also opens up a great opportunity for people employed by the
banks, allowing them to move into new roles and actually maybe even increase their levels of compensation by doing
that.
Spencer Lynch:
And Peter, I was going to jump in, because Chris said something that triggered me, and I was trying to predict what
question you might ask me next. And when I heard Chris talking about people moving from other areas of the business
into cyber, it made me think how much of a benefit that could be. One of the areas that a lot of organizations
struggle with is that cyber is not as well connected to the business as it needs to be. So, they're trying to manage
cyber security and trying to think through what could the impact on the business be, but they're not the business,
they're not the ones dealing with customers every day. They can't predict all the different possible impacts, so
getting that cross pollination of thought, it's tremendously important for banks.
And trying to connect it back the other way as well, and getting every stakeholder organization thinking about cyber
as being something that they need to worry about. You may have a team that's dedicated to worrying about it, but
gone is the day where someone can say, oh, cyber, I don't worry about that, we have a team that does that,
particularly at the executive levels, but across the organization. If your average cyber attack starts because
someone clicked on a phishing email, people have to realize they've got to be aware and they've got to be part of
the solution.
Peter Keuls:
Yeah, it's everybody's problem. I mean, if I was a bank CEO, this would be a topic that would keep me up at night,
since so much is at stake and it's such a complex problem. What recommendations do you have for a bank CEO on how
they should structure and lead their executive teams to build more cyber-resilient businesses? Spencer, do you have
a point of view on that?
Spencer Lynch:
Yeah. I think, overall, it's that we try and lead the culture to think of cyber security as a business problem and not a
technology problem. If CEOs and other executives can instill a culture within a bank or within any organization,
where everyone feels like cyber is partially their responsibility, they will be a much more resilient organization
than if they don't have that culture.
Peter Keuls:
Chris, from a Talent Solutions perspective, what can bank leaders do to better manage the organization to improve
cyber security?
Chris Blain:
Given, again, all the skill shortages and the talent shortages, it's very important that the CEO helps to ensure
that the workforce is resilient. And that's something that's a big focus for a lot of organizations at the moment,
especially around wellbeing, et cetera. So, if you have a resilient workforce, then they're more likely to stay with
the organization as well, so extremely important.
Peter Keuls:
True. Terrific. Well, Spencer and Chris, thanks for your insights today. This is a really important topic, and
following these recommendations, implementing them, really could be the difference between success and that
catastrophe for financial institutions. So hopefully the audience has been listening carefully and can reach out, if
they would like, for their input and advice. Thanks. That's our show for today, and thank you everybody for
listening, and look for the next episode of On Aon coming to you soon.
Outro:
This has been a conversation “On Aon” and resilience. Thank you for listening. If you enjoyed this latest episode,
tune in soon for our next edition. You can also check out past episodes on Simplecast. To learn more about Aon, its
colleagues, solutions and news, check out our show notes, and visit our website at Aon dot com
General Disclaimer
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.
Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.