I believe that most dangerous attacks are combined attacks – when external parties find insiders in your company, begin to interact with them, and then gain access to your computer systems. This symbiosis turns out to be extremely dangerous. An employee can be bribed and persuaded: “Give us this data or give your account credentials, and you will become very rich.” This is the worst scenario. The results obtained in this symbiosis can be dire.
However, there may be no accomplices at all if we are talking about the exploitation of technical vulnerabilities. But if business owners are serious about protecting against different external threats, then attackers have no choice but to look for ways to collude with target company employees.
In such situations, Elliot Alderson from “Mr. Robot” always comes to my mind, who says:
“People always make the best exploits.”
It is often easier to hack, trick, or bribe people; you simply have more opportunities there. Elliot Alderson also says:
“If you listen to them (people), watch them, their vulnerabilities are like a neon sign screwed into their heads.”
However, numerous other scenarios are possible when the villains can do something bad without accomplices inside the company. Security often depends on the maturity of the business processes.
Data breaches in the banking sector – the negligence of employees or evil intents
The person is prone to making operational mistakes. Any rash action by an employee that violates corporate policies and information security rules may result in data leaks, ransomware attacks, and other troubles. So, it is important to build business processes so that employees do not even have a chance to make a mistake.
Situations in which people purposefully harm an organization or customers are exceptional, but it takes a lot of effort to prevent them.
Let us imagine a situation when an employee has full access to customer data. He has a lot of work and does not have time to complete one important report. So, he wants to work from his home computer on the weekend. He does not realize that he can ask for remote access. Instead, he will try to send the necessary client data to his personal email. This is a classic example of not just negligence but a zeal for work that does not fit well with corporate security policies.
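The scenario above (a customer export mailed to a personal address) is exactly what an outbound mail DLP rule is meant to catch. The following is an added example, not code from the original article or from any DLP product: a small Python policy that scans outbound mail for Luhn-valid card numbers and returns a tiered verdict depending on whether the recipient is internal, an arbitrary external domain, or a personal webmail domain. The corporate domain, the webmail list and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed policy data; a real DLP product ships and maintains its own lists.
CORPORATE_DOMAIN = "examplebank.test"          # assumed corporate mail domain (placeholder)
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "mail.ru"}

# 13-19 digit runs, optionally separated by spaces or hyphens, as card numbers are printed.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def count_pans(text: str) -> int:
    """Number of Luhn-valid card numbers found in the text."""
    found = 0
    for match in PAN_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found += 1
    return found


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    subject: str
    body: str


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(mail: OutboundMail) -> dict:
    """Tiered verdict: block card data to personal webmail, flag it to other
    external domains, allow internal traffic. Returns the decision and the reasons."""
    pans = count_pans(mail.body)
    external = [r for r in mail.recipients if domain_of(r) != CORPORATE_DOMAIN]
    personal = [r for r in external if domain_of(r) in PERSONAL_WEBMAIL]
    verdict, reasons = "allow", []
    if pans and personal:
        verdict = "block"
        reasons.append(f"{pans} card number(s) addressed to personal webmail: {', '.join(personal)}")
    elif pans and external:
        verdict = "alert"
        reasons.append(f"{pans} card number(s) addressed to external domain(s): {', '.join(external)}")
    return {"verdict": verdict, "pans": pans, "reasons": reasons}


# Constructed sample traffic: an employee mails a customer export to his own webmail,
# the same export to a colleague, and a single card to an external processor.
SAMPLE_MAILS = [
    OutboundMail("j.smith@examplebank.test", ["jsmith.home@gmail.com"],
                 "report data for the weekend",
                 "Cust 1001 card 4111 1111 1111 1111\nCust 1002 card 5500 0000 0000 0004\n"),
    OutboundMail("j.smith@examplebank.test", ["a.lee@examplebank.test"],
                 "same report", "Cust 1001 card 4111 1111 1111 1111\n"),
    OutboundMail("j.smith@examplebank.test", ["ops@partner-processor.test"],
                 "chargeback case", "card 4111-1111-1111-1111 ref 12345\n"),
]

if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        print(mail.recipients, evaluate(mail))
```

The tiering is the design point: a hard block is reserved for the case the article describes (card data to a personal mailbox), while card data to another external domain raises an alert for review, because a processor or partner may be a legitimate recipient under an agreed channel. The Luhn check keeps the rule from firing on every 16-digit reference number, which is what makes such a rule tolerable in production.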
Most dangerous incidents that lead to maximum financial losses for banks
- Direct impact on payment processes is one of the most critical issues. Let us imagine hackers gained access to the payment module and took over the administrator’s rights there. They can make payments that no one has initiated or modify legitimate payments – change the recipient or the amount. This creates the greatest damage since fraudsters receive money immediately and do not need to perform any additional actions, for example, sell data.
- The second scenario is close to the first, but the actor is different. It is also a direct impact on the payment process, but here, employees are involved. Again, it can be done on purpose, or something can simply be overlooked somewhere in the bank. For example, the functions of a “maker” and a “checker” (the one who creates the payment and the one who verifies it) may be poorly configured.
- The third dangerous situation is the loss of large corporate clients if their information is not carefully processed in terms of confidentiality. No organization will like it if its account statement suddenly becomes publicly available. This will definitely cause a scandal and the end of any relationship with the bank.
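The first two scenarios above come down to two controls in the payment module: a separation of duties between maker and checker, and a way to detect that a payment record was modified after it was created. The following is an added example, not code from the original article or from any real payment system: a small Python payment queue in which the checker can never be the maker, large payments need two distinct checkers, and each record carries an HMAC fingerprint computed at creation. The fingerprint key, the dual-approval threshold and the payments are constructed for the example; the assumption, stated in the code, is that the key is held outside the module (an HSM or a separate service), because a control that keeps its key next to the data it protects does nothing against an administrator of that same system.

```python
import hashlib
import hmac
import json


class SoDViolation(Exception):
    """Checker is the maker of the payment, or has already approved it."""


class TamperDetected(Exception):
    """Stored payment no longer matches the fingerprint recorded at creation."""


class NotApproved(Exception):
    """Release attempted without the required number of independent approvals."""


# Assumed: the key lives outside the payment module (HSM or a separate service),
# so someone with admin rights on the module's database cannot re-sign an edited
# record. Placeholder value for the example.
LEDGER_KEY = b"placeholder-ledger-hmac-key"

DUAL_APPROVAL_FROM = 100_000  # constructed threshold: payments at or above it need two checkers


def fingerprint(payment: dict) -> str:
    """HMAC over a canonical JSON encoding, so field order cannot change the result."""
    canonical = json.dumps(payment, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LEDGER_KEY, canonical, hashlib.sha256).hexdigest()


class PaymentQueue:
    def __init__(self):
        self.pending = {}     # payment_id -> {"payment", "mac", "approvals"}
        self.released = []
        self.audit = []       # (action, actor, payment_id) trail

    def make(self, maker: str, payment_id: str, payee: str, amount: int, currency: str) -> dict:
        payment = {"id": payment_id, "maker": maker, "payee": payee,
                   "amount": amount, "currency": currency}
        self.pending[payment_id] = {"payment": payment, "mac": fingerprint(payment), "approvals": []}
        self.audit.append(("make", maker, payment_id))
        return dict(payment)

    def _verify(self, entry: dict) -> None:
        # Recompute over what is stored now; an edited payee or amount no longer matches.
        if not hmac.compare_digest(fingerprint(entry["payment"]), entry["mac"]):
            raise TamperDetected(entry["payment"]["id"])

    @staticmethod
    def required_approvals(payment: dict) -> int:
        return 2 if payment["amount"] >= DUAL_APPROVAL_FROM else 1

    def check(self, checker: str, payment_id: str) -> dict:
        entry = self.pending[payment_id]
        payment = entry["payment"]
        if checker == payment["maker"] or checker in entry["approvals"]:
            raise SoDViolation(f"{checker} cannot approve payment {payment_id}")
        self._verify(entry)
        entry["approvals"].append(checker)
        self.audit.append(("check", checker, payment_id))
        return dict(payment)   # the exact values the checker approved

    def release(self, payment_id: str) -> dict:
        entry = self.pending[payment_id]
        self._verify(entry)    # verified again: the record could have changed after approval
        need = self.required_approvals(entry["payment"])
        if len(entry["approvals"]) < need:
            raise NotApproved(f"payment {payment_id} has {len(entry['approvals'])} of {need} approvals")
        del self.pending[payment_id]
        self.released.append(entry["payment"])
        self.audit.append(("release", "system", payment_id))
        return entry["payment"]


if __name__ == "__main__":
    q = PaymentQueue()
    q.make("alice", "P1", "ACME Ltd", 5000, "EUR")
    q.check("bob", "P1")
    print("released:", q.release("P1"))
    q.make("alice", "P2", "ACME Ltd", 250000, "EUR")
    q.pending["P2"]["payment"]["payee"] = "Mule Account"   # constructed: a direct edit of the stored record
    try:
        q.check("bob", "P2")
    except TamperDetected as exc:
        print("tamper detected on", exc)
```

Two details matter for a reviewer. The fingerprint is verified at approval and again at release, because a modification between the checker's approval and the actual transfer is the window the first scenario exploits. And the audit trail records who made, who checked and when the payment left the queue, which is the evidence an investigation later needs to separate an insider from a compromised account.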
If you read the news for the current year, most of the data breaches that were advertised as banking actually originated from online retailers. If you study what set of fields these public leaks consist of, you always conclude that this data set originates from an online store.
As to bank statements, such a type of fraud (in legal terminology) or service (in darknet terminology) really does exist on the black market. Something may go wrong, and data can be lost. Bank security officers should regularly monitor those markets to make sure their data does not appear there. Fundamentally, this is strongly related to the corporate culture in each specific bank and whether employees understand that selling data is illegal and to whom this data belongs.
You should always try to recruit only the right people to the bank. You may have work disputes, but at the same time, each of the employees must understand that customers are the main value. Workers should never encroach on sacred things like customer data. The security department should strictly limit any external influence and access to data.
Why regulators monitor PCI DSS compliance but rarely fine banks for data breaches
I would not say that the regulators do not pay attention to this. Sometimes, we can find news and read about big cases. If we are talking about card data, even if there is a slight suspicion of a leak, both Visa and MasterCard always pay serious attention to this. The bank that was breached will definitely have hard times.
However, it is important to note that data breaches are not always easy to prove or refute. The organization must have the appropriate tooling to reliably establish the fact of a data breach.
Regulators pay enough attention to leaks, but these processes remain in the shadow because the proceedings conducted after such incidents are complex and lengthy. The conclusions of these proceedings, unfortunately, are probabilistic; often, it is impossible to punish the bank since it followed all the rules.
Investing in information security
When we talk about information security and budgeting, we somehow estimate the cost of countering risks. If this cost is less than the value of the assessed risk, then everything is OK. In this case, we can call it an investment since we are investing in something that prevents risks from materializing.
However, often, budget allocating happens with thoughts like: “Oh, it would be very good to have this solution.” People do not really understand why they need it, what bad scenarios the software will prevent, who will work with it, etc. In my opinion, this shows the unprofessionalism of managers who work in information security.
At the same time, I think that this practice is coming to naught, and professionalism in the field is growing. I hope that in the near future, everyone will understand that there are many risks and that there are different types of investments that help to prevent them.
The payback period depends on the class of solutions and the threats they counter. In the banking sector, in the case of anti-APT solutions (to counter targeted attacks), the payback period is usually a year or two. For DLP solutions, the payback period can be shorter, maybe even several months, depending on how correctly the system is configured.