Hackers bank on security fatigue to make off with the gold

Hackers bank on security fatigue to make off with the gold

Gregory Webb

CEO at Bromium

Views 709

Hackers bank on security fatigue to make off with the gold

13.12.2016 10:30 am

Just a few weeks ago, Tesco Bank became the latest financial services firm to suffer a cyber-attack, with £2.5 million stolen from 9,000 customer accounts. However, this problem isn’t limited to Tesco; a Freedom of Information (FoI) request has revealed that all of the UK’s major banks and lenders have suffered a data breach since 2013. Whilst the original source of these threats is usually external, it’s insider carelessness and end-user security fatigue that black hats often take advantage of to compromise banking systems. 

The U.S. National Institute of Standards and Technology (NIST) recently branded this a major threat. That risk is felt especially heavily in the financial services industry, where the rise of digital banking has connected our cash to the web, giving cybercriminals a direct route into the bank vault from the comfort of their armchair if they can breach its cyber-defences. Security fatigue is making that task increasingly easy; people often opt for easily-guessable passwords, or are tricked by phishing scams that install key-loggers to capture security information from their devices.

Paying the price for their mistakes; users take the blame for breaches

Unfortunately, attempts to control user behaviour and stop them from making these mistakes are backfiring, leading them to make even more risky decisions. Better education and awareness-raising certainly has a role to play in solving this issue, but ultimately, we must realise that humans will always make mistakes. We should stop trying to make people paranoid and expecting them to act like machines. Instead, we can put in place measures that will protect our digital banking systems and financial data, no matter who’s sitting in front of the screen and what mistakes they make.

Cyber-fatigue is often a result of the fact users are increasingly bombarded with alerts and forced to remember countless passwords for online accounts; it’s exhausting having to be constantly on guard against a never-ending barrage of threats. This resignation and loss of control can lead many to behave impulsively, ignore best practice advice and choose the easiest option available to them, which is usually not the most secure.

In the workplace, this becomes a major challenge, especially considering the range and volume of threats facing financial services organisations, which are a highly lucrative target for cybercriminals. Bank staff should be the first line of defence, but too often they are the weakest link. It takes just one click of a mouse by one employee to accidentally open a malware-laden attachment or follow a malicious link, and there are plenty of opportunities to do so these days. This is a significant problem - Verizon’s DBIR 2016 revealed that nearly a third (30%) of phishing emails get opened and 12% of users go on to click on the attachment or link.

Stop shaming end users; provide security that gets them back to work

There’s a risk that the constant scaremongering around employees’ mistakes leading to security breaches could cause paranoia that impacts their productivity. Ultimately, if people are too scared to do their jobs for fear of what they might unwittingly unleash, the business will suffer.

We need to understand that users will always make mistakes and attacks in any case have become increasingly difficult to spot. Targeted spear phishing campaigns would trick all but the most eagle-eyed employee, as we’ve seen from cases of CFO and CEO ‘whaling’ fraud. You can’t stop your marketing team from using Twitter, or ban the finance department from opening audit reports sent via email. That’s a sure-fire way to harm productivity, add to your users’ security fatigue, and introduce the unwanted risk of Shadow IT.

CISOs in financial services firms therefore need to look at where the latest technologies can help to complement the people and process improvements they are making. For example, huge leaps have been made in the use of micro-virtualisation in security, which can help to reduce the bank’s attack surface. By running every workload in its own isolated environment, users are free to make mistakes and behave insecurely without fear of the consequences.

Why so cavalier? Because every time a malicious piece of code is encountered, it is fully contained on the micro-VM – unable to spread or cause any damage. When the app is closed, the VM disappears, terminating the malware. No remediation is needed, there’s zero dwell time, and emergency patching becomes a thing of the past – freeing up stretched IT teams to concentrate on more important strategic tasks, like delivering the next online banking revolution.

Allowing end-users the freedom to click without fear of the consequences fosters speed, innovation and learning. This in turn is likely to reduce security fatigue: creating a win-win for everyone from the CEO, to the bank-tellers behind the counters in its branches.

 

Latest blogs

N/A ReliaMax

College Dreams? Here’s How to Get Accepted

Higher education in the United States is not just about getting accepted, it is about where you get accepted. Sure, there are options, there are seemingly endless options - from community colleges to Ivy League schools and everything in between. The Read more »

Bobby Gill GCWealth

Bobby Gill: 3 Ways Fintech is Helping Small Businesses During the Pandemic

Image Source: Pixabay. Back in April, the US oil prices sank to a 20-year low. In the UK, road traffic levels hit a 70-year low. Worldwide, due to lockdown, retail, travel, and restaurant bookings have dropped by 85%. More than 430 million Read more »

Christa Ardley Bitstocks

Bitcoin and blockchain without the b******t

An industry once viewed by the general populace as a haven for criminals and online scammers, and still somewhat marred by fractious in-fighting, Bitcoin and blockchain are gradually casting off their outdated negative reputation; as the focus Read more »

Otabek Nuritdinov Safenetpay

Beyond Payments Services

    Why it really matters for small for medium-sized enterprise (SMEs) to choose the right payments services provider. Strategic planners in the financial services sector often define their business in terms of products that Read more »

Chak Kolli DXC Technology

How Can Insurers Realise the True Value of AI?

As Artificial Intelligence (AI) and digital transformation find their way into every aspect of our daily lives, we are gradually seeing changes taking place in different sectors. Progressively, AI is permeating the insurance value chain and it is Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel