Everybody likes the idea of a bank job, even if you work at a bank. Hollywood has shaped our perceptions, and there are 4000 a year in the US alone, although it’s rare anyone makes it away with anything of note.
Three examples:
- Northern Bank Robbery, Belfast, 2004 – £26.5 million taken in the days before Christmas. Robbers posing as officials tricked their way into the homes of workers and got access during working hours through holding families hostage. This was possibly the work of the Provisional IRA and is still unsolved. The timing was excellent, as the robbers were up against a skeleton crew.
- Great Train Robbery, Buckinghamshire, 1963 – £2.6 million. High-value packages en route from Glasgow on a mail train. Fifteen robbers rigged the trackside signals, overpowered the conductor, and stole the packages. Well thought through.
- Bangladesh Bank Cyber Heist, February 2016 – Thirty-five fraudulent instructions issued via SWIFT by hackers, transferring close to $1 billion. Five transactions were successful and thirty were blocked by the US Fed; $101 million was transferred to Sri Lanka and the Philippines. Suspicions were raised by typos. This was aided by insiders, although it is still under investigation, and was possibly a state-sponsored attack, as a lot of the funds made their way to North Korea.
The parallels between physical and digital come down to identity: is someone an internal member of staff or not? These things haven’t changed at all. We are all getting compromised in the same way, as in the recent Twitter attack, which was someone offshore running a password spraying script. The Verizon Data Breach Report studies breaches each year, and 81% are down to weak credentials, so hackers are just logging in. Security budgets should be focused here, as this figure is up 63% from the previous year, and we are doing little to stop this.
The Verizon report also shows that user credentials are targeted in over 90% of phishing attacks – usually, employees are doing something stupid or aren’t trained to be careful, and attacks are usually via a keylogger.
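The password-spraying pattern mentioned above ("hackers are just logging in") is worth seeing in log data, because it deliberately evades the per-account lockout most organisations rely on. The following is an added illustration, not code from the original talk: it scans a constructed authentication log for sources that fail against many distinct accounts with only a few attempts each, and reports which of those accounts later authenticated successfully from the same source. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
"""Password-spraying detection over authentication logs.

Added illustration, not from the original talk. A spray tries one or two
common passwords against MANY accounts from one source, so per-account lockout
thresholds never trip; the signal is many distinct accounts failing from one
source with few failures each. The log format and entries below are
constructed for this example and are not a real vendor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO-8601 UTC timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2020-07-15T09:00:01Z FAIL user=alice src=203.0.113.7
2020-07-15T09:00:02Z FAIL user=bob src=203.0.113.7
2020-07-15T09:00:03Z FAIL user=carol src=203.0.113.7
2020-07-15T09:00:04Z FAIL user=dave src=203.0.113.7
2020-07-15T09:00:05Z FAIL user=erin src=203.0.113.7
2020-07-15T09:00:06Z FAIL user=frank src=203.0.113.7
2020-07-15T09:00:07Z OK user=frank src=203.0.113.7
2020-07-15T09:05:00Z FAIL user=alice src=198.51.100.2
2020-07-15T09:05:10Z FAIL user=alice src=198.51.100.2
2020-07-15T09:05:20Z OK user=alice src=198.51.100.2
"""


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=3):
    """Flag sources whose failures inside any `window` span at least
    `min_accounts` distinct accounts with at most `max_per_account` failures
    each (the spray shape). For each flagged source also list sprayed accounts
    that authenticated successfully from the same source, since those are
    the ones to treat as compromised."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        sprayed = set()
        i = 0
        for j in range(len(fails)):          # sliding window over failures
            while fails[j]["ts"] - fails[i]["ts"] > window:
                i += 1
            per_acct = defaultdict(int)
            for e in fails[i:j + 1]:
                per_acct[e["user"]] += 1
            if (len(per_acct) >= min_accounts
                    and max(per_acct.values()) <= max_per_account):
                sprayed.update(per_acct)
        if sprayed:
            successes = sorted({e["user"] for e in evs
                                if e["ok"] and e["user"] in sprayed})
            alerts[src] = {"accounts": sorted(sprayed), "successes": successes}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(src, info)
```

The second source in the sample (two failures then a success on a single account) is the ordinary forgot-my-password case and is not flagged; only the source touching six accounts in a minute is, together with the one account it got into.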
The Ponemon Institute issued a special media report on hacking. Employees going rogue is a worse hit than a hacker offshore because of the levels of access, and this needs to be stopped. There needs to be an identity-centric security approach or there is zero trust. The struggle is, therefore, security versus usability, and this needs to work across cloud, mobile and on-premises. Security gaps are easily exploited, and are sometimes very basic, as with the Twitter hack.
Varying levels of security need a centralised log. Deep provisioning of accounts limits orphan accounts. With the Great Train Robbery, it was a separate system, and the signals were compromised first. A more modern example, Target, had the HVAC systems compromised first – the single pane of glass.
Preparedness isn’t necessarily permanently high. An adaptive and changed security posture is necessary, with multi-factor authentication (MFA). This shows up security gaps. Users want frictionless experiences of technology, such as those provided by Apple, and geo-location can be useful. Smart or adaptive MFA can decide when users should be challenged, and potentially help us to move to a passwordless future. But we are not quite there yet.
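To make the "smart or adaptive MFA" idea concrete, here is an added example (not code from the original talk or from any identity product) of a risk-based decision: it scores a login attempt from signals such as device management state, whether the device fingerprint has been seen before, geo-location distance from the previous login, and impossible-travel speed, then decides whether to allow silently, challenge with a second factor, or deny. The signals, weights, thresholds and the sample coordinates are assumptions chosen for illustration.

```python
"""Adaptive (risk-based) MFA decision.

Added illustration, not code from the original talk or from any identity
product. The signals, weights and thresholds below are assumptions chosen to
show the mechanism; a real deployment would tune them against its own
authentication telemetry and evaluate them server-side.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class LoginContext:
    user: str
    device_managed: bool      # enrolled, compliant corporate device
    device_known: bool        # fingerprint previously seen for this user
    on_corporate_network: bool
    lat: float                # geo-location of this attempt
    lon: float
    last_lat: float           # geo-location of the previous successful login
    last_lon: float
    hours_since_last: float   # elapsed time since that login


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two coordinates, in km."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def risk_score(ctx):
    """Additive risk score plus the reasons that contributed to it.
    Weights are assumptions for the example."""
    score, reasons = 0, []
    if not ctx.device_managed:
        score += 30
        reasons.append("unmanaged device")
    if not ctx.device_known:
        score += 25
        reasons.append("new device fingerprint")
    if not ctx.on_corporate_network:
        score += 10
        reasons.append("off corporate network")
    km = distance_km(ctx.lat, ctx.lon, ctx.last_lat, ctx.last_lon)
    # Impossible travel: faster than an airliner since the previous login.
    if ctx.hours_since_last > 0 and km / ctx.hours_since_last > 900:
        score += 50
        reasons.append("impossible travel")
    elif km > 500:
        score += 15
        reasons.append("unfamiliar location")
    return score, reasons


def decide(ctx, challenge_at=25, deny_at=70):
    """Return ("allow" | "challenge" | "deny", score, reasons)."""
    score, reasons = risk_score(ctx)
    if score >= deny_at:
        return "deny", score, reasons
    if score >= challenge_at:
        return "challenge", score, reasons
    return "allow", score, reasons


# Constructed coordinates for the scenarios below.
LONDON = (51.5074, -0.1278)
READING = (51.4543, -0.9781)
NEW_YORK = (40.7128, -74.0060)


def demo():
    """Four scenarios for the same user, previous login from the London office."""
    scenarios = {
        # managed, known device, on the office network: no challenge
        "office": LoginContext("alice", True, True, True, *LONDON, *LONDON, 8.0),
        # same managed device from home: still frictionless
        "home": LoginContext("alice", True, True, False, *READING, *LONDON, 16.0),
        # personal (unmanaged) device from home: second factor required
        "byod": LoginContext("alice", False, True, False, *READING, *LONDON, 16.0),
        # new unmanaged device in New York two hours after London: blocked
        "travel": LoginContext("alice", False, False, False, *NEW_YORK, *LONDON, 2.0),
    }
    return {name: decide(ctx)[0] for name, ctx in scenarios.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the design is that the frictionless path (managed, known device) is the default and the challenge is spent only where a signal is actually anomalous; the reasons list is what you would surface to the SOC alongside the decision.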
Automated lifecycle management – this is the last thing people think to do. It allows centralised policies to be implemented automatically, with no need for human intervention. When someone leaves an organisation, they need to be instantly de-provisioned as an insider breach is three times more damaging than one from outside. When Deutsche Bank recently let go of sales and trading staff in London, some former employees were able to access email for weeks after they were let go. One person sent 450 emails via remote access soliciting her clients to her next business. The issues can be massive, and these are just the breaches that we know about. Years of expansion left the bank with systems that couldn’t communicate with each other, and people weren’t being challenged.
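The two points above, that deep provisioning limits orphan accounts and that leavers must be de-provisioned instantly, are both really a reconciliation job between the HR system and the directory. The following is an added example, not code from the original talk: it takes a constructed HR feed as the source of truth, compares it with a constructed directory export, and emits the actions an automated lifecycle policy would take: disable accounts of leavers whose end date has passed (reporting how many days they were left open), schedule disables for known future leavers, and flag enabled accounts with no HR owner for review. Record layouts, names and dates are assumptions.

```python
"""Leaver de-provisioning and orphan-account reconciliation.

Added illustration, not from the original talk. The HR feed is treated as the
source of truth for who works here; the directory export is what can actually
log in. The job produces the actions an automated lifecycle policy would take
without human intervention. Records, field names and dates are constructed.
"""
from datetime import date

# Constructed HR feed. Status "leaver" with an end_date that has passed means
# the person has gone; a future end_date means notice has been given.
HR_RECORDS = [
    {"employee_id": "E001", "email": "alice@example.com", "status": "active", "end_date": None},
    {"employee_id": "E002", "email": "bob@example.com", "status": "leaver", "end_date": date(2020, 6, 30)},
    {"employee_id": "E003", "email": "carol@example.com", "status": "active", "end_date": None},
    {"employee_id": "E004", "email": "dave@example.com", "status": "leaver", "end_date": date(2020, 8, 15)},
]

# Constructed directory export: accounts that can currently authenticate.
DIRECTORY = [
    {"account": "alice@example.com", "enabled": True, "employee_id": "E001"},
    {"account": "bob@example.com", "enabled": True, "employee_id": "E002"},
    {"account": "carol@example.com", "enabled": True, "employee_id": "E003"},
    {"account": "dave@example.com", "enabled": True, "employee_id": "E004"},
    {"account": "svc-legacy@example.com", "enabled": True, "employee_id": None},   # no owner at all
    {"account": "mallory@example.com", "enabled": True, "employee_id": "E999"},    # owner unknown to HR
]


def reconcile(hr_records, directory, today):
    """Return the list of actions for enabled accounts:
    ("disable", account, days_overdue)        leaver whose end date has passed
    ("schedule_disable", account, end_date)   leaver with a future end date
    ("review_orphan", account)                no matching HR record"""
    hr_by_id = {r["employee_id"]: r for r in hr_records}
    actions = []
    for acct in directory:
        if not acct["enabled"]:
            continue                      # already de-provisioned
        rec = hr_by_id.get(acct["employee_id"])
        if rec is None:
            actions.append(("review_orphan", acct["account"]))
        elif rec["status"] == "leaver" and rec["end_date"] is not None:
            if rec["end_date"] <= today:
                overdue = (today - rec["end_date"]).days
                actions.append(("disable", acct["account"], overdue))
            else:
                actions.append(("schedule_disable", acct["account"], rec["end_date"]))
    return actions


def apply_disables(directory, actions):
    """Apply the immediate 'disable' actions; returns a new directory list."""
    to_disable = {a[1] for a in actions if a[0] == "disable"}
    return [dict(acct, enabled=False) if acct["account"] in to_disable else acct
            for acct in directory]


if __name__ == "__main__":
    for action in reconcile(HR_RECORDS, DIRECTORY, date(2020, 7, 15)):
        print(action)
```

Run daily (or on every HR event), the "days overdue" figure is the metric worth reporting: it is exactly the window in which a former employee can still reach email and remote access, as in the case described above.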
Q&A
How has COVID-19 and the lockdown affected budgets? Has that led to easier approval?
What we’ve seen is that decision-makers and IT leaders are finding it easier to get through the door, and they are starting to be taken more seriously. Cybersecurity has certainly gone up in terms of prioritisation. COVID-19 has given organisations quick headaches that needed resolving. IT leaders have been put on the spot protecting data that organisations share with others. There has been an increase in the importance of security and spending, and some governance issues have been simplified, certainly in the public sector. It has been easier and quicker to get decisions made than six months ago.
The pandemic has led to a great change in the security budget and has increased spending.
In the private sector, the difference between a digital way of working and digital transformation is that the dynamic is a fundamental shift in employee satisfaction, engagement, and productivity. To have workers at home is a massive change. Once there is digital enablement, the onboard and offboard processes haven’t been joined up properly. At least three people have left one organisation, and there is kit out there still “working” as a consequence.
In the loosening up of a budget, it raises a difficult challenge. Most businesses haven’t got there yet. For most, ways of increasing security are PowerShell scripting and extra tooling, and the budget isn’t there as it isn’t seen as “cool”. You could probably convince a CEO with minimal understanding of technology over MFA, however.
We now have a situation where, because of lockdown, home devices are currently more “trusted”: they have a digital fingerprint that office machines which haven’t been switched on for three months don’t have.
Another budget impact is that cash is currently king. Big plans have had to change, and process, technologies and controls are all about predictability. There should be no compromises on security, however.
In the public sector, there has been a loosening of the budget. The pandemic has created a shock, and anything that was being done before lockdown has been put on hold. Other security and e-commerce initiatives have sprung up during lockdown. A lot of the budget is being unlocked as a result of what is happening.
For companies that sit both sides of the fence, this is an opportunity to highlight risk. The business resilience piece isn’t usually factored in, and it used to be a case of work from home days to test resilience, using them as an agile opportunity to see what capacity was, and the business took the hit. For one company, this followed with the government announcing lockdown the following Monday. It helped demonstrate to the business that the advice is good security advice. All the information that came about during lockdown with regards to risk management was very useful. The risks that are there because of COVID-19 have always been there. The elevation, however, is new. 100% of staff working from home is an elevated risk, as they are printing at home etc. The discussion has to be around how we get support from technology and security if people aren’t working in the office. This is possible if IT support is included in the conversation. COVID-19 has presented opportunities.
Previously, there were issues such as random apps on business machines. Now, it’s a case of “where did you get that machine from?”. How do you get people to comply? For example, ministers using WhatsApp and not approved messaging tools – the approved alternative has to have as little friction as the alternatives to be useful.
What kind of policies did you have in place for working from home? What were the problems?
The reality is that remote working has been around for 15 years. It is a cultural change: doing something and saying this is what we’ve got. Making sure that the hardware and software are up to date is essential, and enables organisations to move in any direction that they want to. Technology should not be the blocker, as it becomes a people and process thing. It should be a case of having the right tools and then having the right approach.
For example, signing digitally rather than printing off is helpful. IT needs to be an enabler, not a hindrance.
In the charity sector, spending money is increasingly difficult, and fundraising efforts have gone through the floor. Decisions can be made quickly, but there is no money to be spent on them. NHS charities are getting the bulk of the money at present. The digital transformation process is now very easy, but from a cost perspective, it is challenging and frustrating.
With COVID-19, things are being done to address this, but it is a challenging fiscal environment that IT leaders are facing.
Before COVID-19, there were blockers, such as the cultural change allowing people to work from home. It has been a useful transformation. Get the people ready first, and they will give you some slack on getting the technology ready.
With forcing people to work from home, virtual presenteeism can be an issue. The cultural implications for what companies are doing for people that work for them have to be considered – why do we work as we do? It is important to take employees on this journey. If people don’t know why they are doing things, there could still be a technical danger. It isn’t simple. In bigger organisations, if you don’t know who your users are, it can be almost impossible.
One plea for cybersecurity in general is to simplify the language and make it more cogent for those who aren’t a cybersecurity audience. Sometimes budgets are loosened because of sensationalism or increased threats, but what isn’t seen is language that actually talks to a board-level audience. The three big threats are eavesdroppers, imposters and vandals. If these can’t be managed, DDoS and ransomware become issues. Making the “house burglar-proof” can make it difficult for the wrong people. People get used to new systems, but it can’t be too clunky.
Cybersecurity must be viewed as a risk like any other. It’s a cultural shift that has to be overcome. If you have ever had the misfortune of being burgled, then it’s easy to see the damage. If you lose data, it can be difficult to see the issues until a later date. If you can educate boards about cybersecurity, they can see why it’s important. The language has to move from being around the negative side of cybersecurity, and to why it is good. This is what needs to be articulated to board members, and we are still a long way off this.
Cybersecurity sells fear and the challenge is to find positive notes, anything from cost savings to automated provision. You don’t need to be challenged in the office on a managed device, for example. There are hard savings to a lot of this.
User involvement and acceptance is essential. If you don’t involve users in the conversation, it isn’t going to happen – it can’t just be dictated. What is being mandated has to be made sensible.