Infosys Ransomware: How BofA and Fidelity are feeling the pinch


In November 2023, Infosys McCamish Systems experienced a data breach affecting 57,000 Bank of America customers. The breach was publicly disclosed in February 2024, revealing the exposure of personal information related to deferred compensation plans. The LockBit ransomware gang claimed responsibility for the attack, highlighting the vulnerabilities third-party vendors can introduce into the cybersecurity landscape. Bank of America responded by notifying affected customers and offering identity theft protection services. This incident underscores the need for stringent security measures and the importance of protecting sensitive customer data.

The Human Element in Cybersecurity

In the wake of recent cybersecurity incidents impacting nearly 90,000 individuals, it's clear that the industry must adopt a more comprehensive approach to risk management that equally emphasizes the human element alongside technological defenses. 


These breaches, while unfortunate, serve as crucial reminders that organizations are not just victims but also key players in fostering a culture of security. By reframing rather than blaming, companies can use these incidents as opportunities for reflection and strategic planning, and can engage in meaningful dialogues with executives, boards, supply chains, and third-party vendors.

Prioritizing human risk audits, culture-first engagement, and internal social engineering penetration testing for 2024—with plans for further investment in 2025—is not just prudent; it's essential for aligning values and culture with the rigorous demands of contemporary cyber risk management. This approach underscores our collective responsibility to elevate industry standards, ensuring that every stakeholder is committed to a higher standard of accountability and care.

The Core of Cyber Vulnerabilities: Culture and Values

An organization's culture and values significantly shape employees' understanding and response to cyber risks. These foundational elements dictate how threats are identified, the seriousness with which policies are adhered to, and the overall alignment between cybersecurity practices and company ethos. Without a deep-rooted concordance between these aspects, an inherent risk remains. This section emphasizes the pivotal role of embedding cybersecurity within the organizational DNA, ensuring every employee not only understands the "what" and "how" but also deeply connects with the "why" behind cyber-safe behaviors.


Case for Human Risk Audits

Human risk audits (such as our own Cyber Human Baseline Assessment) are crucial for uncovering the cultural and behavioral vulnerabilities that traditional cybersecurity measures often overlook. These audits delve into the very fabric of an organization's culture, identifying how employee behaviors and attitudes towards security can either strengthen or weaken its defense mechanisms. By understanding the human elements that contribute to cybersecurity risks, organizations can develop targeted strategies to mitigate these vulnerabilities.

The benefits of such audits are profound:

  • Proactive Security Posture: Transitioning from a reactive to a proactive approach in cybersecurity, allowing organizations to anticipate and mitigate risks before they escalate.
  • Informed Decision-Making: Providing valuable insights into the human aspects of security, leading to more informed decisions regarding policy updates, training programs, and security measures.
  • Culture-Driven Cybersecurity Practices: Cultivating a security culture that aligns with organizational values, ensuring that every employee is engaged and invested in maintaining cybersecurity protocols.

By conducting human risk audits, companies can enhance their overall security landscape, making it more resilient against internal and external threats.

Cultivating a Culture-First Approach


A culture-first approach is pivotal for multinational organizations aiming to enhance cybersecurity. Recognizing the diversity within global entities, this strategy emphasizes the need for tailored programs that respect and align with varied cultural norms and employee perspectives across different regions. By prioritizing cultural concordance and mutual accountability in security practices, companies can foster a secure environment that engages all employees effectively. This approach allows for nuanced, audience-aligned change initiatives, moving away from ineffective one-size-fits-all directives. Implementing such programs with a deep understanding of the organizational culture ensures a more purposeful and impactful cybersecurity posture.

Social Engineering Pen Testing: An Internal Capability

Penetration testing, particularly focused on social engineering, is essential for assessing an organization's human vulnerability. This form of testing goes beyond technical defenses to explore how individuals within the company respond to deceptive tactics that mimic real-world attacks. It's a practical assessment of susceptibility to tactics like phishing, pretexting, and baiting, deeply tied to the organization's culture and psychology. More thorough social engineering pen tests could potentially have highlighted vulnerabilities, offering insights for strengthening defenses and preventing incidents akin to the breaches recently experienced. This approach emphasizes the need for cybersecurity strategies that are as sophisticated in understanding human behavior as they are in technological measures.

Elevating Cybersecurity Through Human Understanding

Navigating the complexities of embedding a culture-first cybersecurity strategy within multinational corporations presents a formidable challenge. Many organizations grapple with the intricacies of crafting and implementing such programs, seeking assurance and support for effective execution. Recognizing this, there is a valuable opportunity for partnerships with specialized firms that can elevate cybersecurity measures from mere training to comprehensive, culture-oriented initiatives. These collaborations aim to introduce new metrics and methodologies that address human risk more effectively and swiftly, thus enhancing organizational resilience against cyber threats.

 
