Inside Job: How Banks Are Getting Hacked And What They Can Do

The same engines or machines that generate spam – bots – are now sending those bots into banks to scour for ways inside the vault. Spam, the obnoxious stuff that everyone expects to be filtered out by “junk mail” filters, has become the Trojan horse of choice among cyber criminals. The BBC recently conducted a research project looking at the internet address blocks used by 12 of Britain’s most well-known and well-established financial institutions. In the course of their research, they discovered that in 2013 alone, there were more than 20 incidents within British banking networks involving malicious activity, despite banks having some of the strongest defenses against cyber-attacks (Source: http://www.bbc.co.uk/news/business-25336448).

How Cyber Crooks are Cracking the Vault

Inside sources say that banking employee machines are routinely infected by malware. Multiple sources indicate that viruses, spam and other malicious messages regularly appear on banks’ corporate networks, most likely as a result of an employee or contractor encountering a bogus and booby-trapped email attachment, visiting an infected site, and (most likely) being enrolled in a “botnet” (a dragnet of hijacked computers used to mine a corporation’s computer systems). OpenDNS recently gathered statistics that suggest as many as 900 botnets were active in late 2013. The damage that can be wreaked through botnet breaches has many experts deeply concerned given that, “… as banks develop their controls in line with new criminal methodologies, new techniques will emerge”.

What Can Banks Do?

Banks are at the center of data security concerns. The information they gather intersects legal boundaries, intellectual property, and government regulations. To keep abreast of every potential security threat or virus is a virtually insurmountable feat, but, through data encryption – at rest and in the cloud – banking institutions could create a stronger security program than they may be currently using.

Studies show that institutions from finance to healthcare have high amounts of BYOD usage and often lack sufficiently strident data security policies for accessing data outside of corporate networks. Government-grade (FIPS 140-2 validated) data encryption solutions are recommended for all devices used to access and store data, be they BYOD (laptops, smartphones, tablets), as well as devices managed through an enterprise’s network (i.e., desktop computers). If the worst-case scenario should unfold, and a portable device carrying personally identifiable information (PII) is lost or stolen, data encryption via SEDs, for example, protects the encryption key by deleting it each time it is accessed, not storing it in the OS or network, and encrypting the encryption key independently – whether or not the company network is able to access it.