Risk and reward. Bank leaders have to consider these aspects constantly as they determine what to secure and how, and how much to spend doing so. Similarly, so do the thieves trying to get at bank assets. In many ways, the goals for security teams must not be driven by some vision of fail-proof security, but a way to make many modes of attack so difficult, costly, and risky for cyber criminals, that they move on to another approach (if not another line of work).
In making these calculations, it is interesting to compare the approaches banks have employed in establishing security around their physical assets, and that which is required to establish cyber security. The defenses employed to safeguard a bank’s physical assets will clearly vary substantially from those it employs to establish a solid cyber security position. However in spite of all these differences, it’s also common to see parallels in terms of how physical security and cyber security have evolved, and how the lessons from the physical realm can help inform cyber security strategies.
In our prior blog post “Layered Security in Banks: The Physical and Digital Parallels”, we looked at the parallels of cyber security and physical security in terms of the defenses that need to be employed. Here, we look at how many of the advancements in physical security pose lessons for our efforts in instituting strong cyber security in banks.
When Safes Were Not So Safe
In the grand span of history, it wasn’t all that long ago that banks relied on small safes to secure their high-value assets. In fact, this was the case until the middle of the nineteenth century. After the gold rush of 1849, some of the prospectors who’d struck out trying to dig up gold, put their pickaxes to work on another target—those small safes. Using those pickaxes, they were able to get the safe out of the building and someplace where they could break it open and get at the riches therein.
Over time, those small safes gave way to larger, less portable safes, but that didn’t stop robbers, who started using explosives to blast the doors off. Then by the 1920s, most banks started using heavy vaults. These were intended to withstand robbers, angry mobs, and even natural disasters. Then robbers turned to torches that could cut through steel. This approach was used in 200 bank robberies in 1924 alone.
People Using People
When key locks proved fallible, banks employed combination locks. This had the unintended consequence of putting bank staff in danger. Personnel would be kidnapped and held until they divulged the combination.
This underscores a reality that’s been true throughout the history of bank security: It is often people that pose the softest target within the bank. All of us are fallible—and even the best lock isn’t of any use if someone forgets to use it, or inadvertently leaves the key out on the counter. Plus, whether driven by greed or spite, those internal staff that knew the combinations also began to pose a threat. In today’s cyber security world, a lot of staff and executives may hold the knowledge, assets, or credentials that cyber thieves are looking for—or that they can themselves exploit.
Today, the equivalent of that safe combination can be login credentials that a spear phisher goes after to get access to a private server or network. Or a criminal can lure a privileged user to open a malicious file, and once malware makes it onto the laptop, remotely exploit the system’s network privileges to launch an attack.
Operations and Threats Getting Distributed
Over the decades, the number of fronts on which banks would have to do battle continued to grow. Beyond the main bank headquarters, increasing branch locations, storefronts, ATMs, and more all expanded the threat landscape. These distributed sites are often where criminals target their efforts. In fact, when it comes to physical bank robberies these days, the main offices—which will clearly tend to have the strongest security—are seldom targeted.
According to the FBI’s statistics, there were 4,091 bank robberies in the U.S. in 2015. Of these, only 78 occurred at a main office, with all others occurring at branch offices, stores, and other remote facilities. It is also interesting to note that 3,920 robberies occurred at the counter, while 146 were at the vault or safe.
Vulnerability of Assets in Transport
Over the years, thieves would go after the source that would offer the biggest reward and the lowest risk. Anybody who’s watched a western over the years knows it’s the stage coach carrying the money that’s most vulnerable. (Unless the stage coach driver was a star of the movie, you’d be pretty sure his days were numbered.)
Today, the equivalent of the stage coach is the digital transfer of sensitive assets over the network. When network-based attacks, such as man-in-the-middle and eavesdropping approaches, began to get more commonplace, network encryption started to become a fundamental requirement.
In fact according to a survey by the New York State Department of Financial Services, 90 percent of banks utilize encryption for any data transmitted to or from third parties. However, only 38% of the surveyed institutions use encryption for data at rest.
Where is your cyber security weakness?
As the history of banking security amply illustrates, putting all your faith in a single defense is a risky proposition. The reality is that any new defense that gets employed will not leave the bank 100 percent secure, 100 percent of the time. Once a bank eliminates one target or attack vector, criminals will start digging for that next vulnerability.
In the realm of physical security, safes got bigger and harder, ultimately leading to large vaults with walls several feet thick. But banks couldn’t stop there. Now they use motion and heat detectors, video monitoring, and more to guard against the eventuality that one defense will be circumvented.
In a similar fashion, layered defenses will continue to be required in cyber security. Particularly as network defenses continue to be circumvented, employing encryption in the modern day vaults—the databases, storage systems, and services within banks’ IT environments—will be the next line of defense that has to be erected.
If you’re interested in learning more about establishing strong, multi-layer security in your digital banking environments, be sure to visit our layered security in banking site.