However, there may be no accomplices at all if we are talking about the exploitation of technical vulnerabilities. But if business owners are serious about protecting against external threats, then attackers have no choice but to look for ways to collude with the target company's employees. In such situations, Elliot Alderson from “Mr. Robot” always comes to my mind; he says it is often easier to hack, trick or bribe people, because you simply have more opportunities there. However, numerous other scenarios are possible in which the villains can do something bad without accomplices inside the company. Security often depends on the maturity of the business processes.
Data breaches in the banking sector – the negligence of employees or evil intent
People are prone to making operational mistakes. Any rash action by an employee that violates corporate policies and information security rules may result in data leaks, ransomware attacks, and other troubles. So, it is important to build business processes so that employees do not even have a chance to make a mistake. Situations in which people purposefully harm an organization or its customers are exceptional, but it takes a lot of effort to prevent them. Let us imagine a situation where an employee has full access to customer data. He has a lot of work and does not have time to complete one important report, so he wants to work from his home computer on the weekend. He does not realize that he can ask for remote access; instead, he tries to send the necessary client data to his personal email. This is a classic example not just of negligence but of a zeal for work that does not fit well with corporate security policies.
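The scenario above is exactly the one an outbound-mail DLP rule is built to catch: the message leaves the corporate domain and carries customer data. The following is an added illustration, not code from the interview or from any bank or DLP vendor; the domain examplebank.test, the customer rows, the record threshold and the function names are all constructed for this example. It flags a message only when a recipient is outside the corporate domain and the content carries either Luhn-valid card numbers or a bulk set of customer contact records, so a routine external email with no customer data passes untouched.

```python
"""Added illustration (not part of the interview): a minimal outbound-mail
DLP check. Everything here (domains, sample rows, thresholds) is constructed."""
import re
from dataclasses import dataclass, field

CORPORATE_DOMAINS = {"examplebank.test"}   # assumption: the bank's own mail domain(s)
RECORD_THRESHOLD = 5                       # constructed policy: this many customer contacts = bulk export
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs (order ids, phone numbers) do not alert."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the normalised card numbers (13-19 digits, Luhn-valid) found in text."""
    pans = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            pans.append(digits)
    return pans


def external_recipients(recipients: list[str]) -> list[str]:
    """Recipients whose mail domain is not one of the bank's own."""
    return [r for r in recipients
            if r.rsplit("@", 1)[-1].lower() not in CORPORATE_DOMAINS]


@dataclass
class Verdict:
    blocked: bool
    reasons: list[str] = field(default_factory=list)


def check_outbound(sender: str, recipients: list[str], body: str,
                   attachments: dict[str, str]) -> Verdict:
    """Block the message if it leaves the corporate domain carrying customer data."""
    ext = external_recipients(recipients)
    if not ext:
        return Verdict(False, ["all recipients are internal"])
    content = body + "\n" + "\n".join(attachments.values())
    reasons = []
    pans = find_pans(content)
    if pans:
        reasons.append(f"{len(pans)} Luhn-valid card number(s) addressed to {ext}")
    # Third-party addresses in the content are treated as customer contact records.
    contacts = {e.lower() for e in EMAIL_RE.findall(content)} - {sender.lower()}
    if len(contacts) >= RECORD_THRESHOLD:
        reasons.append(f"{len(contacts)} customer contact records addressed to {ext}")
    return Verdict(bool(reasons), reasons or ["no customer data indicators"])


# Constructed sample: the report the employee wants to finish at home.
SAMPLE_CSV = "\n".join([
    "name,email,card",
    "Customer One,one@customer.test,4111111111111111",
    "Customer Two,two@customer.test,5555555555554444",
    "Customer Three,three@customer.test,n/a",
    "Customer Four,four@customer.test,n/a",
    "Customer Five,five@customer.test,n/a",
    "Customer Six,six@customer.test,n/a",
])
SENDER = "analyst@examplebank.test"


def demo() -> tuple[Verdict, Verdict, Verdict]:
    to_home = check_outbound(SENDER, ["analyst.home@freemail.test"],
                             "Finishing the report this weekend.", {"report.csv": SAMPLE_CSV})
    to_colleague = check_outbound(SENDER, ["manager@examplebank.test"],
                                  "Draft attached.", {"report.csv": SAMPLE_CSV})
    harmless = check_outbound(SENDER, ["friend@freemail.test"], "See you Monday.", {})
    return to_home, to_colleague, harmless


if __name__ == "__main__":
    for v in demo():
        print("BLOCK" if v.blocked else "ALLOW", v.reasons)
```

The point of the design is the one the interview makes: the control removes the opportunity for the mistake rather than relying on the employee to remember the policy, and the same data going to a colleague inside the domain is not blocked, which keeps the rule from becoming an obstacle to normal work. A production deployment would additionally cover the remote-access path the employee did not know about, so that the sanctioned route is easier than the unsanctioned one.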
Most dangerous incidents that lead to maximum financial losses for banks
If you read the news for the current year, most of the data breaches that were advertised as banking breaches actually originated from online retailers. If you study what set of fields these public leaks consist of, you always conclude that the data set originates from an online store. As for bank statements, yes, such a type of fraud (in legal terminology) or service (in darknet terminology) really exists on the black market. Something may go wrong, and data can be lost. Bank security officers should regularly monitor the black market so that their data does not appear there. Fundamentally, this is strongly related to the corporate culture in each specific bank and to whether employees understand the illegality of selling data and to whom this data belongs. You should always try to recruit only the right people to the bank. You may have work disputes, but at the same time, each employee must understand that customers are the main value. Workers should never encroach on sacred things like customer data. The security department should strictly limit any external influence on, and access to, data.
Why do regulators monitor PCI DSS compliance but rarely fine banks for data breaches
I would not say that regulators do not pay attention to this. Sometimes we find news and read about big cases. If we are talking about card data, even a slight suspicion of a leak draws serious attention from both Visa and MasterCard. The bank that was breached will definitely have a hard time. However, it is important to note that data breaches are not always easy to prove or refute. The organization must have the appropriate equipment to reliably determine the fact of a data breach. Regulators pay enough attention to leaks, but these processes remain in the shadows because the proceedings conducted after such incidents are complex and lengthy. The conclusions of these proceedings are, unfortunately, probabilistic; often it is impossible to punish the bank, since it followed all the rules.
Investing in information security
When we talk about information security and budgeting, we somehow estimate the cost of countering risks. If this cost is less than the value of the assessed risk, then everything is OK. In this case, we can call it an investment, since we are investing in something that prevents risks from materializing. However, budget allocation often happens with thoughts like: “Oh, it would be very good to have this solution.” People do not really understand why they need it, what bad scenarios the software will prevent, who will work with it, etc. In my opinion, this shows the unprofessionalism of managers who work in information security. At the same time, I think that this practice is coming to naught; professionalism in the field is growing. I hope that in the near future everyone will understand that there are many risks and that there are different types of investments that help to prevent them. The payback period depends on the class of solution and the threats being countered. In the banking sector, for anti-APT solutions (which counter targeted attacks), the payback period is usually a year or two. For DLP solutions, the payback period can be shorter, maybe even several months, depending on how correctly the system is configured.