Beware: A New Approach To Cyber Security That's Not Safe For Coders

Hi there! So this post will be the first in a series that focuses on an interdisciplinary approach to cyber security- with an emphasis on finance.  The series of posts will address the growing evidence that security can only be achieved through a thorough, well-rounded understanding of all the issues that play a role in cyber security.  Thanks for reading, and I hope you enjoy!              

Information Security, Financial Institutions, and Organized Crime, oh my!  

An interesting article from earlier this week, titled “Organized Crime’s New Drug: Web Attacks. On Financial Firms.” talked about the increasing risk that cyber security threats pose to financial institutions.

I found this article to be very insightful about the importance of security in the financial world.  Considering the potential implications of an attack on financial institutions, it seems odd that cyber security discussions are not a more prevalent trend in financial discussions.  According to one U.S. Government study, while only 12% of data breach incidents involved the financial sector, over 36% of records compromised by such incidents were financial records.  Although the number of attacks to financial institutions may not reflect the serious threat to financial institutions, over 1/3 of the data compromised by security breaches is from the financial sector.  Financial information is some of the most valuable stored on digital systems, which makes it a prime target for attack.  While there is some literature out there about financial cyber security, most of the major financial discussions do not delve deeply into the security issues of the 21st century.  However, this article touches on some of the overarching concerns that are developing in the financial sector. 

While security discussions are still relatively minimal, even less prevalent is the discussion of organized crime in the financial world, another issue this article addresses. According to the author, these financial institutions aren’t just being targeted by computer savvy hackers, but also by organized criminal elements.  Edward Powers, a principal at Deloitte & Touche, recently spoke to the Wall Street Technology Association about how “cybercrime is now replacing drug trafficking as a primary source of revenue” for organized crime. With attacks becoming more organized and targeted at big financial firms, a single successful attack could have extremely severe consequences.

While reading this article I realized that organized crime is not something that I think of as a serious threat to financial institutions-there is so little discussion of it in the financial news that it was something I had regarded as an outdated concern of the past.  However, this article brought up a point that organized crime is still an issue today.  What is most concerning is the potential of serious damage done by a combination organized criminals who have the capability and know-how to cause serious damage and talented hackers who can make those plans happen. While organized crime used to engage in small scale attacks, the digital age gives criminals a much larger platform to execute their plans from and the potential damage done by such an attack has increased dramatically. Another insightful but frightening point of this article is that the hackers carrying out these attacks are not only looking for systems vulnerabilities, but are also using “social engineering” of the people close to the information to find what they’re looking for.  Using “spear-phishing” techniques that pull personal data off the web, these hackers are collecting identifying information about company personnel that gives them access to secure financial information.  What is most frightening about the prevalence of social engineering is that no matter how technically savvy a system may be, without proper use and safeguarding by the people who maintain the system, any security system is useless.  The fact that social engineering has been proven to work in many situations demonstrates that there are often situations where the people operating these systems either don’t have adequate knowledge of the severity of security issues or they’re not being careful enough with the information with which they’ve been entrusted.  Either way, it is unsettling to think that we do not know the people behind these systems, especially they have access to so much information about us.

The article brings up the issue that as “cybercriminals are getting quite specific about the data and the infrastructure they want to capture or control,” security experts see the increasing need to understand their mentality and preempt their attacks.  Even if these experts could perfectly predict the intents of the hackers, the critical information these financial institutions have will never be completely safe.  What criminals once accomplished through robbing banks, they now do over the web.  One of the most poignant lines of the article sums up the major issue of digitalizing financial institutions: criminals are now “targeting organizations and trying to exploit this new spectrum of vulnerabilities” in order to gain access to our most private financial information.