SANS 2016 Survey

Key Awareness Findings from the SANS 2016 Survey on Security and Risk in the Financial Sector What if you could peer into the front lines of the battle against cyber threats in the financial services sector? What role does security awareness play in thwarting attacks? The 2016 SANS Survey on Security and Risk in the Financial Sector highlights the key attack vectors faced by the industry and the controls that are working. The report surveyed 238 professionals who represent the front lines of IT security in the financial sector. Cybersecurity expert and report author G. Mark Hardy remarked that “the survey serves to educate the IT community about what’s working in the defensive battle IT pros find themselves in—and, equally important, what’s not working and what could use improvement.”

Ransomware on the rise

While the finding that spearphishing and ransomware were the most common types of attacks on financial sector firms might not surprise security awareness professionals, the speed at which ransomware made the top of the list was noteworthy. Ransomware was reported as the top threat facing financial firms. Commenting on the difference between 2015 data and the 2016 report, Mr. Hardy noted that “in a matter of months, ransomware rose to the top, showing just how fast the ransomware threat is growing.” He noted that ransomware was barely on the radar in the 2015 financial services survey.

“It’s not surprising that organizations are enlisting email security monitoring and enhanced security awareness training to protect against phishing and ransomware.”

Humans (and their behavior) still a top target

Human behavior is the thread connecting the top attack types and Mr. Hardy noted that the top two attack vectors rely on the user to click something. He went on to comment:

Ransomware and phishing usually originate from outside the organization and involve some form of social engineering that convinces and co-opts the user into careless or dangerous behavior that allows the attacker to gain a foothold in the enterprise. As such, email security monitoring and enhanced security awareness training lead the list of controls that organizations use to protect against phishing and ransomware,

When it comes to defending against these and other attacks, awareness was reported as a key defense strategy.

Security Awareness seen as an important control

Employee awareness training was the third-most cited control to defend against all threats out of 20 controls and 93% of respondents cited security awareness training as an most effective overall control to protect their organization. While new threats seem to come and go, the need to foster more secure human behavior is constant. Read the full report. See how the Advanced Cybersecurity Learning Platform makes it easy to establish a mature security awareness program.