The Carbanak attack shows that the fundamental cyber security flaw in the banking sector is not technology but people and processes.
This is why even major banks are still falling victim to fairly basic models of cyber attack, such as spear phishing, which rely on poor business practices and poorly trained employees.
The fact that the Carbanak attackers were able to dupe so many employees at so many banks into opening malicious email documents reveals a lack of basic staff training in those banks.
In Britain, banks have known for years that cyber security expertise cannot be closeted away in the IT department, but must be spread across the rank and file; any employee who is not properly trained – from administrative staff to bank managers – is a potential weak link in the bank’s security chain.
Employees should not just be trained to spot suspect emails, but also in how to deal with them. Most organisations run fire drills for their staff and, similarly, banks should run cyber security drills simulating phishing attacks – so all employees know how to respond in a real-world scenario.
Need for employee education
Successful businesses do not regard physical security as exclusively a managerial concern, but as something that must be taught to all employees. In a connected world, the same is true of cyber security.
In Britain, rival banks now exchange confidential cyber security information in the spirit of collaboration, building a shared pool of up-to-date knowledge that helps the sector collectively learn from each new incident, so the same attack is never successful twice in a row. Yet the fact the Carbanak gang was able to target banks using the same methods over several years – without anyone blowing the whistle – indicates that international banks are still failing to share information on security breaches. That is why the same cyber-gang was able to repeatedly and successfully use the same attack against multiple banks.
Even worse, the persistence of bad cyber security practices is driving banks to try to protect badly designed systems by hiding them from view. Many banks try to prevent attackers from discovering what internal programmes they use; yet it shouldn’t matter if outsiders know what software a bank uses for its internal systems, if that software is secured properly in the first place.
Banks must learn there is no security in secrecy and that, in a connected world, cyber security knowledge can no longer be enclosed in one department or in one bank.
John Colley is professional head at (ISC)2