Everybody likes the idea of a bank job, even if you work at a bank. Hollywood has shaped our perceptions, and there are 4000 a year in the US alone, although it’s rare anyone makes it away with anything of note.
- Northern Bank Robbery, Belfast, 2004 – £26.5 million taken in the days before Christmas. Robbers posing as officials tricked their way into the homes of workers and got access during working hours through holding families hostage. This was possibly the work of the Provisional IRA and is still unsolved. The timing was excellent as the robbers were up against a skeleton crew.
- Great Train Robbery, Buckinghamshire, 1963 – £2.6 million. High-value packages were en route from Glasgow on a mail train. Fifteen robbers rigged the trackside signals, overpowered the conductor, and stole the packages. Well thought through.
- Bangladesh Bank, Cyberheist, February 2016 – Thirty-five fraudulent instructions were issued via SWIFT by hackers, attempting to transfer close to $1 billion. Five transactions were successful and thirty were blocked by the US Fed; $101 million was transferred to Sri Lanka and the Philippines. Suspicions were raised by typos. This was aided by insiders, although it is still under investigation, and was possibly a state-sponsored attack as a lot of the funds made their way to North Korea.
The parallels between physical and digital robbery come down to identity: is someone an internal member of staff or not? These things haven’t really changed at all. We are all getting compromised in the same way, as in the recent Twitter attack, which was someone offshore running a password-spraying script. The Verizon data breach report studies breaches each year, and 81% are down to weak credentials, so just hackers logging in. Security budgets should be focused here, as this figure is up 63% on the previous year, and we are doing little to stop this.
The Verizon report also shows that user credentials are targeted in over 90% of phishing attacks – usually employees are doing something stupid or aren’t trained to be careful, as attacks are usually via a keylogger.
The Ponemon Institute issued a special media report on hacking. Employees going rogue is a worse hit than a hacker offshore because of the levels of access, and this needs to be stopped. There needs to be an identity-centric security approach, or zero trust. The struggle is therefore security versus usability, and this needs to work across cloud, mobile and on-premises. Security gaps are easily exploited, and are sometimes very basic, as with the Twitter hack.
Varying levels of security need a centralised log. Deep provisioning of accounts limits orphan accounts. In the Great Train Robbery the signals were a separate system, and they were compromised first. A more modern example is Target, where the HVAC systems were compromised first – the case for a single pane of glass.
Preparedness isn’t necessarily permanently high. Adapting and changing security posture is necessary, with multi-factor authentication (MFA). This shows up security gaps. Users want frictionless experiences of technology, such as those provided by Apple, and geo-location can be useful. Smart or adaptive MFA can decide when users should be challenged, and potentially help to move to a passwordless future. We are not quite there yet.
Automated lifecycle management – this is the last thing people think to do. It allows centralised policies to be implemented automatically, with no need for human intervention. When someone leaves an organisation, they need to be instantly de-provisioned, as an insider breach is three times more damaging than one from outside. When Deutsche Bank recently let go of sales and trading staff in London, some former employees were able to access email for weeks after they were let go. One person sent 450 emails via remote access soliciting her clients for her next business. The issues can be massive, and these are just the breaches that we know about. Years of expansion left the bank with systems that couldn’t communicate with each other, and people weren’t being challenged.
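As an added illustration of the three points above (a centralised log, adaptive MFA that challenges on an unrecognised device, an unfamiliar country or unmanaged hardware, and instant de-provisioning on a leaver event), here is a toy policy engine in Python. It is not code from the discussion or from any product mentioned; the users, device names, countries and scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed in-memory directory standing in for an IdP plus HR feed (hypothetical users).
@dataclass
class User:
    username: str
    active: bool = True
    home_country: str = "GB"
    known_devices: set = field(default_factory=set)

@dataclass
class LoginAttempt:
    username: str
    device_id: str
    country: str          # from geo-location of the request
    managed_device: bool  # device enrolled in the organisation's management tooling

DIRECTORY = {
    "alice": User("alice", known_devices={"laptop-01"}),
    "bob": User("bob", known_devices={"laptop-02"}),
}
AUDIT_LOG = []  # the centralised log that every decision is written to

def process_leaver(directory, username):
    """HR leaver event: disable the account immediately, with no human step."""
    user = directory.get(username)
    if user is None:
        return False
    user.active = False
    user.known_devices.clear()  # a remembered device must not outlive the account
    AUDIT_LOG.append(("deprovision", username))
    return True

def mfa_decision(directory, attempt):
    """Adaptive MFA: return 'deny', 'allow' or 'challenge' from simple risk signals."""
    user = directory.get(attempt.username)
    if user is None or not user.active:
        AUDIT_LOG.append(("deny", attempt.username))
        return "deny"  # unknown or de-provisioned account: no login at all
    risk = 0
    if attempt.device_id not in user.known_devices:
        risk += 2  # unrecognised device
    if attempt.country != user.home_country:
        risk += 2  # geo-location does not match the user's usual country
    if not attempt.managed_device:
        risk += 1  # unmanaged hardware earns less trust on its own
    decision = "challenge" if risk >= 2 else "allow"  # assumed threshold
    AUDIT_LOG.append((decision, attempt.username, risk))
    return decision
```

A known managed device in the usual country is let through without friction, while a leaver is denied on the very next attempt rather than weeks later.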
How has COVID and the lockdown affected budgets? Has that led to easier approval?
What we’ve seen is that decision makers and IT leaders are finding it easier to get through the door, and they are starting to be heard more seriously. Cyber security has certainly gone up in terms of prioritisation. Covid has given organisations quick headaches that needed resolving. IT leaders have been put on the spot protecting data that organisations share with others. There has been an increase in the importance of security and in spending, and some governance issues have been simplified, certainly in the public sector. It has been easier and quicker to get decisions made than six months ago.
The pandemic has led to great change in security budget and has increased spend.
In the private sector, there is a difference between a digital way of working and digital transformation. The dynamic is a fundamental shift in employee satisfaction and their engagement and productivity. To have workers at home is a massive change. Once there is digital enablement, the onboarding and offboarding processes haven’t been joined up properly. At least three people have left one organisation, and there is kit out there still “working” as a consequence.
The loosening up of budgets raises a difficult challenge. Most businesses haven’t got there yet. For most, ways of increasing security are PowerShell scripting and extra tooling, and the budget isn’t there as it isn’t seen as “cool”. You could probably convince a CEO with minimal understanding of technology of the case for MFA, however.
We now have the situation where home devices are currently more “trusted” because of digital fingerprinting than office machines that haven’t been switched on for three months because of lockdown.
Another budget impact is that cash is currently king. Big plans have had to change, and process, technologies and controls are all about predictability. There should be no compromises on security, however.
In the public sector, there has been a loosening of the budget. The pandemic has created a shock, and anything that was being done prior to lockdown has been put on hold. Other security and e-commerce initiatives have sprung up during lockdown. A lot of the budget is being unlocked as a result of what is happening.
For companies that sit on both sides of the fence, this is an opportunity to highlight risk. The business resilience piece isn’t usually factored in; it used to be a case of work-from-home days to test resilience, using them as an agile opportunity to see what capacity was, and the business took the hit. For one company, this was followed by the government announcing lockdown the following Monday. It helped demonstrate to the business that the advice about security is good advice. All the stuff that came about during lockdown with regard to risk management was very useful. The risks that are there because of Covid have always been there. The elevation, however, is new. 100% of staff working from home is obviously an elevated risk, as they are printing at home etc. The discussion has to be around how we get the support from technology and security if people aren’t working in the office. This is possible if IT support are included in the conversation. Covid has presented opportunities.
Previously, there were issues such as random apps on business machines. Now, it’s a case of “where did you get that machine from?”. How do you get people to comply? For example, ministers using WhatsApp and not approved messaging tools – the approved alternative has to have as little friction as the alternatives to be useful.
What kind of policies did you have in place for working from home? What were the problems?
The reality is that remote working has been around for 15 years. It is a cultural change, and it is about doing something and saying this is what we’ve got. Making sure that the hardware and software is up to date is essential, as is enabling organisations to move in any direction that they want to. Technology should not be the blocker; it becomes a people and process thing. It should be a case of having the right tools, and then having the right approach.
For example, signing digitally rather than printing off is helpful. IT needs to be an enabler, not a hindrance.
In the charity sector, spending money is increasingly difficult, and fundraising efforts have gone through the floor. Decisions can be made quickly, but there is no money to be spent on them. NHS charities are getting the bulk of the money at present. The digital transformation process is now very easy, but from a cost perspective it is challenging and frustrating.
With Covid, things are being done to address this, but it is a challenging fiscal environment that IT leaders are facing.
Prior to Covid, there were blockers, such as the cultural change allowing people to work from home. It has been a useful transformation. Get the people ready first, and they will give you some slack on getting the technology ready.
With forcing people to work from home, virtual presenteeism can be an issue. The cultural implications for what companies are doing for people that work for them has to be considered – why do we work as we do? It is important to take employees on this journey. If people don’t know why they are doing things, there could still be a technical danger. It isn’t simple. In bigger organisations, if you don’t know who your users are, it can be almost impossible.
One plea for cyber security in general is to simplify the language and make it more cogent for those who aren’t a cyber security audience. Sometimes budgets loosen because of sensationalism or increased threats, but what isn’t seen is the actual language that talks to a board-level audience. The three big threats are eavesdroppers, imposters and vandals. If these can’t be managed, DDoS and ransomware become issues. Making the “house burglar-proof” can make it difficult for the wrong people. People get used to new systems, but they can’t be too clunky.
Cyber security must be viewed as a risk like any other. It’s a cultural shift that has to be overcome. If you have ever had the misfortune of being burgled, then it’s easy to see the damage. If you lose data, it can be difficult to see the issues until a later date. If you can educate boards about cyber security, they can see why it’s important. The language has to move from being around the negative side of cyber security, and to why it is good. This is what needs to be articulated to board members, and we are still a long way off this.
Cyber security sells fear and the challenge is to find positive notes, anything from cost savings to automated provision. You don’t need to be challenged in the office on a managed device, for example. There are actually hard savings to a lot of this.
User involvement and acceptance is essential. If you don’t involve users in the conversation, it isn’t going to happen – it can’t just be dictated. What is being mandated has to be made sensible.