By Dan Potter, Senior Director, Operational Resilience at Immersive Labs
Cyber attacks are a concern for every sector, with the risk of operations halting or data being stolen. However, financial services face another challenge, unique to their sector.
One attack, or even the rumour of one, can cause mass hysteria among the public, which could lead to a financial crisis.
In this interview, Dan Potter shares his insights on the unique challenge facing the financial services sector and why a skills-first approach is the way to address the problem.
Do you think the financial services industry is more vulnerable than other industries when it comes to data breach threats?
The financial services industry operates on trust. When markets or consumers believe a financial institution is at risk, fear can spread rapidly. If a financial organisation experiences a security incident, it creates a sense of insecurity across the whole sector. Even without a real cyberattack, this perception can trigger a ‘flight to safety,’ where customers withdraw funds en masse.
Such panic can destabilise not just a single institution but ripple across the entire financial sector. We saw this in 2008, when the ‘dash for cash’ liquidity shock disrupted almost every major bank. The psychological impact of perceived insecurity is significant.
So, the global financial ecosystem is deeply interconnected, and organisations need to push for collective resilience if they want to avoid any crisis.
Why is the human element so critical in securing financial services?
When you’re in a high-stakes environment like financial services, technology alone cannot fully protect against cyber threats. It’s just one part of the puzzle. Nearly 68% of breaches today are driven by the human element – through issues like error and social engineering.
Customer-facing employees are particularly vulnerable. They deal with countless queries daily, increasing the likelihood of missing a malicious email. This risk has grown as threat actors leverage GenAI tools to craft highly sophisticated phishing campaigns, masking their social engineering tactics more effectively. Without the right skills and training, it’s easy to overlook subtle indicators of compromise.
CEOs and board members are also prime targets due to their access to sensitive information. They face tailored phishing attempts that are difficult to recognise without proper training. If they fall victim, the consequences can be catastrophic, compromising the entire organisation.
So, all employees, from the boardroom to the front line, need the knowledge and judgement to act quickly and decisively.
What are some effective strategies for upskilling employees to deal with cyber threats?
Financial institutions must understand that cybersecurity is not a one-off exercise or an annual programme. As cyber threats constantly evolve, training must be continuous and relevant to current risks.
Building a strong cybersecurity culture is essential, and this begins with hands-on, scenario-based training.
Realistic simulations, such as phishing exercises and breach response drills, allow employees to practise responding to actual threats. This training embeds the necessary knowledge, skills, and judgement needed across the organisation.
Simulations should also reflect the threats faced by different levels of employees and offer tailored learning paths.
Customer-facing staff require training focused on detecting phishing and social engineering tactics, while executives need a deeper understanding of strategic risks and incident response. For the C-Suite and board members, these exercises should simulate high-level decision-making during a crisis, highlighting the potential impact of their decisions.
Also, cross-departmental collaboration during training is crucial, as cybersecurity is not solely the responsibility of the IT department. Finance, legal, compliance, and other teams all play vital roles.
Most importantly, financial organisations must regularly assess the effectiveness of their training programmes using metrics like incident response times, phishing test results, and resilience metrics.
These assessments ensure the workforce always stays prepared for evolving threats.
What is blocking such strategies from being implemented, and how can this be addressed?
For financial services organisations, business growth, regulatory compliance, and customer satisfaction are usually the priority, not building a business-wide cybersecurity culture.
To overcome this, cybersecurity must be integrated into the fabric of all business operations. Leadership must emphasise that cybersecurity is not just an IT issue but a critical business priority. Regular communication from the top and setting clear expectations are both critical.
Some employees may resist change or feel that they already know enough about cybersecurity. To counter this, CISOs and security teams should tailor training to show the real-world impact of cyber threats, making it relevant and urgent.
Executives, for example, should see how a breach could directly impact the company’s bottom line and their own responsibilities.
Also, repetitive or generic training doesn’t work, and only leads to employee fatigue. Instead, training programmes must incorporate gamification, real-world simulations, and scenario-based exercises, so training becomes more interesting, interactive and impactful.
Addressing these challenges with a strategic and holistic approach can help financial organisations to successfully instil a culture of continuous cybersecurity education and awareness. This culture is vital for building a resilient workforce that can effectively protect the organisation against both current and future threats.