Tesco Bank hack shows that attackers continue to follow easy money
What happens when nearly 9,000 accounts at a financial institution experience fraudulent activity and clients have nearly £2.5 million stolen?
People notice. The bank notices and shuts down activity, raising a chilling question for financial institutions: “Is this the new normal for banking in the age of cyber crime?”
As we continue to learn more about the Tesco Bank hack, we may get confirmation that this was an inside job. One misunderstood aspect of insider cyber-threats is that they often don’t come from the co-worker sitting next to you. They can come from around the world. A malicious individual sitting thousands of miles away can gain unfettered access to your company’s critical information with the credentials of that person sitting next to you. Insider threats are often thought of as “people.” In reality, they are all about access via credentials. To an attacker, access is king.
When it comes to access, cyber defenses are often too much like candy – a hard, crackable shell protecting a soft center. The SWIFT attacks preyed on this, taking advantage of the trust that was inherently granted to each member of the network. One stolen password or compromised endpoint became a major gateway to mass fraud. Along the way, progress has been made, but the financial industry is, largely, still too “soft.”
Following the easy money
Cybercriminals go after assets that can be easily monetized and often follow the path of least resistance. Since the major retail hacks of 2015, retailers have done a better job of shoring up their defenses. Large banks, too, have committed extensive resources to protecting their critical information and money.
Gaps still remain, though, especially with smaller financial institutions and organizations that are only now coming around to thinking about security. These organizations are vulnerable and prime targets. Simply put, attacks follow the easy money. If retail gets harder to access, attackers will move to healthcare, then to big banks, then to small banks, etc. We’ll continue to learn this lesson the hard way until a major culture shift occurs across industries.
Consumer apathy and understaffed security teams
Tesco Bank has said that all account services have now returned to normal. While that’s certainly “good” news, will it placate consumers? Are we becoming too apathetic to cyber attacks, simply assuming the bank will “take care of it?”
While we may never know the true cause of the Tesco Bank attack, we can certainly agree that cyber defense is hard and insider threats will continue to plague businesses that do not take them seriously.
Corporate environments have grown into a mishmash of old and new systems, networks that span the globe, data flying around in microseconds, and uptime being the key indicator of IT “health.” When you combine this rusting, aging, morphing monster with understaffed security teams, the picture isn’t pretty. Sadly, that’s reality for a lot of institutions, especially in the financial world.
Establishing resiliency
Security spending is up, but it’s not something that banks can solve with money alone. Ultimately, arriving at “better” security starts with being more resilient to cyber compromise. Resiliency means being able to take a punch and keep going, or, in the cyber sense, have a system compromised but not lose everything. Network segmentation, compartmentalization, and access controls all help contribute to this resiliency. Prevention and detection software are also critical.
Looking forward, there’s no end in sight to cyber crime. It’s too lucrative, and there’s virtually no fear of retribution. It’s a tough problem, and I’m hoping that banks will be one of the key industries to drive cyber defense forward.
Our ranks must be filled to make sure we have enough people to fight this war, but we also must believe we can win. Far too often, teams don’t feel like they can improve their security posture, and that leads to them making fewer strides forward. It’s only through taking chances, improving our overall IT hygiene, and realizing what the risks are that we have a fighting chance. Luckily, the banks have woken up; they just need to make bigger improvements faster in order to stop these kinds of attacks.