The most vulnerable point in a bank’s network today might just be Bill over in marketing — or any employee.
Humans are by nature vulnerable to social engineering and may discuss where they work on social media — LinkedIn is a treasure trove for would-be bank hackers.
A common attack against a bank goes like this. A hacker sends a harmless-looking email to a targeted employee or group of employees. The email contains a link that, if clicked, installs malware or surveillance software on the user’s machine. Sometimes just opening the email is enough to enable malicious code to activate. This software then harvests credentials for logging into other bank systems, or simply scrapes information from whatever databases the infected computer can access.
Far-fetched? Not at all. Earlier in April it was revealed the FDIC put 44,000 customer records at risk when a departing employee loaded up her USB drive with some extra data — accidentally, it was said. And once inside the bank walls, the damage can be tremendous. The largest bank breach in history took place because a server was missing a security update, and the breach went unnoticed for months.
The digital banking software provider Q2 helps banks guard against these threats by a stratagem that seems unusual, but has become commonplace in the corporate world — testing employees with fake phishing emails. Opening the emails can lead to mandatory education — we all remember driver’s ed — that should be a powerful disincentive for carelessness. On the other side, not opening the emails can lead to a small bonus or treat.
“Employees are your first line of defense,” said Jay McLaughlin, chief security officer at Q2. For about a year, the company has been sending fake phishing emails — targeted phishing is known as spearphishing — as often as once a week.
“We track metrics as risk indicators,” McLaughlin said. “One bank started at a 31% open rate. We got that rate down to 11% over a 12-month period.”
This is often the best way to fight off attacks of this kind, because where they originate is poorly understood. “The unfortunate thing is we don’t know where they come from until someone clicks,” McLaughlin said. “We get a better idea when we see the malware and the payload.”
To mitigate risks, banks often limit IT privileges, seal USB drives, and wall off services such as Dropbox, said Julie Conroy, research director at the bank consultancy Aite Group. “It has to be on a need-to-know basis,” Conroy said, but noted that some employees need to know quite a bit — those able to access customer records in a support function, for example.
Conroy also noted that education was not enough and that banks must stage attacks in order to raise the level of employee vigilance. This method “has been out there for a while,” she said, but is becoming widespread.
It ain’t easy being a bank employee.
“We have to understand that people make mistakes,” McLaughlin said. “We’re not really facing a tech problem, it’s a social problem. It’s the way we’re wired. Your trust is going to be abused.” McLaughlin warned that multiple plans need to be in place before, during, and after attacks, because no method of prevention will be foolproof. “It’s not a question of if, but when.”