June 09, 2016

World Banking Breach: How the Financial Sector Can Reduce the Risk

The most brazen world banking data breach of all time, it seems, occurred when cyber criminals broke into Bangladesh Bank in February and made off with $81 million in fraudulent transfers. According to reports, the money was routed to accounts in the Philippines and casinos there.

Reports also say that a lack of security is to blame for the world banking breach. At the same time, the attack shows digital criminals have become more sophisticated. In the past, they targeted personal bank accounts and stolen credit card credentials. Now they’re going after the banks themselves.

The financial services sector is definitely under attack.

PricewaterhouseCoopers (PwC) research found 45% of financial institutions suffered from economic crime in 2014 – compared to 34% across other industries.

A 2015 Raytheon Websense report showed that financial services encounter security incidents 300% more frequently than other industries.

The Raytheon report explained that targeted phishing attacks are used to lure employees into installing malicious software on corporate networks. In fact, 33% of all lure stage attacks target financial services.  

‘Typosquatting’, which is the use of look-alike domains of banks, also lures customers to fake bank websites. There’s usually a spelling mistake in the URL (it may be .co instead of .com, for example).  Financial services ranks third for targeted typosquatting – and is one of the most frequent to fall for the attack too.

What are best practices of a protected workplace?

  • Understand legal obligations. The Gramm-Leach Bliley Act (GLBA) covers the protection and privacy of consumer information in the financial services industry. It is administered by the Federal Trade Commission (FTC). To ensure compliance, establish detailed policies and procedures including threat intelligence, proactive prevention, faster incident detection, and immediate response.
  • Ensure fundamental safeguards for effective cyber security. It’s not just about preventing a breach but about discovering and stopping it quickly. The thieves in Bangladesh may have spent months lurking inside the central bank’s computers studying how to gain access. There should be on-going monitoring, a back-up policy, and a breach response plan.
  • Use encryption for all confidential information. The Wall Street Journal pointed to a recent study that suggested while 90% of banks encrypt transmitted data, only 38% encrypt data at rest. Plus, 30% of banks surveyed did not require multifactor authentication for third party vendors.
  • Educate employees. The PwC research said employees on all levels have to be educated about cyber threats. Information security is also about workplace habits such as embedding security into all operations. Conduct regular risk assessments, back up information, and have a business continuity plan.   
  • Create safeguards to reduce the risk of insider fraud. The PwC report showed that 1 in 5 internally perpetrated frauds still involve senior management.
  • Implement a comprehensive document management system. Security procedures should include access controls to limit privileged user access. Sensitive information on paper and in digital format has to be protected from creation to disposal. Partner with a document destruction company that has a chain of custody and provides on or off site secure destruction services.

A comprehensive document management policy is critical in a protected workplace.