Speaking at the InfoSecurity 2019 conference in London this week, HSBC's European CISO Paula Kershaw revealed how the bank promotes better information security habits among staff members through its "cyber champion" scheme.

HSBC Canary Wharf (Credit: Barry Caruth/Wikimedia Commons)

Falling foul of an online security breach is a scenario no company wants to encounter, but for a bank in particular – charged with holding highly sensitive information – it is a situation to avoid at all costs.

But while money can be thrown at top-level security software and computer technology to bolster IT systems and protect customer data, it is the human element of the business that often leaves it most vulnerable to the machinations of hackers and online fraudsters.

For HSBC, a bank with more than 235,000 employees working across 66 different regions worldwide, the risk of exposure to a cyber-attack through human error is substantial – and it is the job of the 950-strong information security team to promote good practice throughout the wider workforce.

With 39 million customers worldwide depending on the bank to keep their personal information safe and secure, there is a lot at stake in terms of ensuring the brand does not become compromised by a data breach.


HSBC runs a ‘cyber champion’ programme to promote information security within the bank

Speaking at the Infosecurity Europe 2019 conference in London this week, HSBC’s chief information security officer for Europe and the UK, Paula Kershaw, shed some light on how the bank is trying to instil better security awareness throughout the whole staff network.

She explained how HSBC’s security team runs a “cyber champion” programme with the aim of attracting members within the business to become “cyber shields” and spread good practice throughout their own professional networks.

“Our ‘cyber shield’ network started in July last year from a standing start,” said Ms Kershaw.

“We started off with a couple of hundred participants, covering 235,000 colleagues across 66 countries.

Paula Kershaw, HSBC’s CISO for UK and Europe, speaking at InfoSecurity Europe 2019

“We now have 1,500 cyber shields, but there is still a long way to go.

“HSBC is a global brand and we are actively building a globally connected cyber community that cuts across traditional lines – whether that’s a business line, or a country or a culture.

“It’s massively important to us as an organisation and as a security team.”

Last October, the network held 114 separate events to tie in with National Cyber Security Awareness Month, which attracted more than 20,000 HSBC staff to attend in person and a further 85,000 to register for the network and its newsletter.


HSBC bank takes a personal approach to cultivating good information security habits

The approach of this cyber champion programme has been to address employees on a personal level – promoting safe and secure IT habits at home, as well as in the workplace.

Ms Kershaw explained this helps to more effectively deliver the information security message, as well as getting people to “connect emotionally” with cyber security.

“There have to be advantages for the individual to participate and for the organisation to invest the time and money necessary to do this,” she said.

“Colleagues develop the knowledge and skills on how to protect themselves, their families and the people they care about.

“If we can engage our staff and teach them how to protect themselves, they will bring this back into the workplace.

“And we will get that emotional engagement from them, and the willingness to learn.”

HSBC is teaching its employees how to steer clear of cyber threats


HSBC runs monthly events to engage staff with cyber security

A monthly cycle of events is run for the cyber shields network, including webinars, calls and videos. The events are usually based on a theme – such as phishing, SMiShing or social engineering.

Ms Kershaw noted that one of the best-attended community events was in February, and focused on romance fraud.

“Our communications are not about HSBC or financial services – they are to do with the things that matter to individuals,” she added. “It keeps it relevant.”

The network has even launched its own internal awards programme – rewarding members for spreading the message about the importance of information security throughout the global HSBC workforce.

Ms Kershaw added: “People are doing this on their own time and in their own space, on top of very stressful jobs and busy lives. They should be recognised for that.”