Whether people claim that 2015 was the year of the data breach or not, it’s clear that we saw major data breaches in financial institutions through external attacks, insider threats or exploiting serious vulnerabilities in systems. Many incidents were a lack of IT security basics, such as disabling default passwords and accounts or simple implementation errors.
There were a number of incidents in financial institutions in 2015 that showcased how dangerous both external hackers and motivated or careless insiders can be. As Fahmida Rashid says in her article on Innovative and Damaging Hacks in 2015, people intent on stealing data and money are becoming more sophisticated in their attacks. Rather than just targeting consumer information, thieves are going after systems or data that are more lucrative. The Carbanak advanced persistent threat (APT) attack against financial institutions around the world was a good example of targeting banks’ internal systems and operations that may have caused as much as $1 billion in losses.
There were also increases in phishing campaigns where attackers sent email that appeared to be legitimate asking for bank account information or to validate a transaction. If the recipient blindly clicked on a link or provided information without validating authenticity, they could be out of a lot of money.
While external attackers still pose the biggest threat to financial organizations, 2015 showed insiders can cause damage as well. Earlier this year, a former employee of Morgan Stanley pleaded guilty to stealing confidential data from more than 700,000 customer accounts while he was interviewing for a new job with two competitors. External attackers target insiders who already have access to sensitive data. Encryption, dynamic security policies that travel with data, and robust multifactor authentication controls are some of the defenses financial institutions should consider to ensure that unauthorized individuals can’t read anything they shouldn’t be allowed to see.
It’s clear from looking at the attacks and breaches in 2015 that all the perimeter-based IT security implemented at financial organizations is not stopping the problem. Implementing the basics of security best practices is the first place to start. Next is to protect what people want to steal, data. Having access to sensitive data is what criminals want so they can sell it or use it to steal big from financial institutions and their customers.
Photo credit elhombredenegro