This week, Emma Dunkley of the Financial Times published an amusingly titled yet insightful piece on the recent cyberattacks levelled at two major high street banks. Despite the lighthearted headline, her account provided another chilling glimpse into what major banks and consumer organisations now face almost daily when it comes to protecting their data.
“The recent attacks on Lloyds Banking Group and Tesco Bank revealed the evolving techniques used by cybercriminals to expose financial institutions’ vulnerabilities”, she wrote, as she sought to explain the wider implications of what had happened. “The threat of cyber assaults is increasing. As banks roll out more digital services, and as more customers use technology to handle their money, cyber criminals have a greater number of entry points through which to access systems and customer data.”
On January 11th, Lloyds was hit by what is commonly known as a ‘denial of service’ attack, in which attackers flooded the bank’s web servers with huge volumes of traffic designed to cripple online services. Such floods are normally generated from many compromised machines at once (a distributed denial of service, or DDoS), so no single source needs to send very much. Upon discovering that they could not gain access to online banking, many customers took to social media to vent their frustration, as Lloyds deployed a series of counter-measures designed to isolate the attack traffic and limit the damage caused.
Although large banks are typically targeted by denial of service attacks around once a month, the Lloyds incident was particularly severe – with this attack lasting far longer than the usual few hours.
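The text above describes a flood of traffic but not how an operations team would see it in their own logs. The following is an added example, not code from the article or from Lloyds: a small rate-based detector run over constructed web access-log lines in Combined Log Format. It reports any single source whose request rate exceeds a per-window threshold, and separately the aggregate peak across all sources, which is what catches a distributed flood where no one address stands out. Addresses, timestamps, the ten-second window and the threshold of 30 are illustrative assumptions.

```python
"""Added example, not code from the article or from Lloyds: a rate-based
flood detector run over constructed web access-log lines (Combined Log
Format). Addresses, timestamps and thresholds are illustrative assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): 203.0.113.5 hits /login 60 times
# inside ten seconds, while the 198.51.100.x clients behave normally.
LOG_LINES = [
    '198.51.100.7 - - [11/Jan/2017:09:00:01 +0000] "GET /login HTTP/1.1" 200 5123',
    '198.51.100.9 - - [11/Jan/2017:09:00:03 +0000] "POST /login HTTP/1.1" 302 0',
    'this line is deliberately garbled and must not crash the detector',
] + [
    f'203.0.113.5 - - [11/Jan/2017:09:00:{i % 10:02d} +0000] "GET /login HTTP/1.1" 200 5123'
    for i in range(60)
] + [
    '198.51.100.7 - - [11/Jan/2017:09:00:12 +0000] "GET /accounts HTTP/1.1" 200 8001',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if unparseable."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def peak_in_window(timestamps, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the left edge of the window forward
            start += 1
        best = max(best, end - start + 1)
    return best


def flood_sources(lines, window=timedelta(seconds=10), threshold=30):
    """Map each source IP whose peak request count per `window` exceeds `threshold` to that peak."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip garbled lines rather than let one bad line stop detection
        per_ip[rec["ip"]].append(rec["ts"])
    peaks = {ip: peak_in_window(ts, window) for ip, ts in per_ip.items()}
    return {ip: peak for ip, peak in peaks.items() if peak > threshold}


def aggregate_peak(lines, window=timedelta(seconds=10)):
    """Peak request count across all sources together; this is the figure that still
    moves when a flood is spread over thousands of addresses that each stay under
    the per-source threshold."""
    stamps = [rec["ts"] for rec in map(parse_line, lines) if rec is not None]
    return peak_in_window(stamps, window)


if __name__ == "__main__":
    print("per-source floods:", flood_sources(LOG_LINES))      # {'203.0.113.5': 60}
    print("aggregate peak per 10 s:", aggregate_peak(LOG_LINES))  # 62
```

The per-source view is enough for a single noisy attacker; for a real DDoS the aggregate figure, compared against the same window on a normal day, is the one to alert on, and the mitigation has to happen upstream of the web tier rather than in the application logs.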
“Denial of service attacks are happening 24/7 globally,” says Philip Halford, a senior adviser at financial services consultancy Bovill. “There are multiple perpetrators, often targeting the same trophy targets. They share the common objective to breach a control system sufficiently to allow or deny legitimate users access to it. The motivation can vary from criminal intent to mere bragging rights. The effect, however, can be crippling for organisations.”
Compared to the Tesco Bank fraud that took place in November last year, the Lloyds attack was relatively mild, with no customer data or money having been stolen. It is reported that the hackers behind the attack demanded a £75,000 bitcoin ransom, although it is unclear whether Lloyds bowed to this request.
Tesco Bank was not so lucky. Last year’s assault led to nearly £2.5m worth of payouts to 9000 customers who had money stolen by cyber criminals. This time, the data breach was facilitated by a weakness in one of Tesco’s mobile banking apps, which was exploited to access personal information connected to thousands of current and savings accounts. Thankfully Tesco Bank acted quickly to reimburse customers, but the incident still represents a significant and worrying reality of the risks posed by hackers.
What the attacks on Lloyds & Tesco Bank tell us about how online crime is evolving
Over the past twelve months, news of major cyberattacks has become increasingly commonplace – with 2016 seeing more sophisticated assaults than ever before.
Cyber crime is on the rise, with attackers developing increasingly sophisticated hacking techniques to break through organisations’ defences. It is one of the biggest risks to global banking, threatening to cripple lenders and defraud customers.
As the Financial Times rightfully put it, “the stakes are high”. When we consider the reputation of the UK banking sector amongst its customers, trust is a critical factor, and information security plays a huge role in this. Not only must banks consider their reputation in this matter, but also the potentially significant fines and sanctions imposed by financial regulators where institutions are seen to have failed in their obligation to protect customer information and assets.
Under the UK Data Protection Act, banks can currently be hit with a penalty of up to £500,000, but the EU General Data Protection Regulation (GDPR), which applies from May 2018, will mean companies can be fined up to 4 per cent of their global annual turnover for serious data breaches.
As we move into an increasingly tech-dependent world, banks and other organisations alike have an ongoing responsibility to stay ahead of the threats posed by cybercriminals – and as we so often hear, this isn’t just down to software.
Education also plays a huge part in cyber resilience, and equipping staff with the right knowledge can mitigate risk on a truly massive scale. It is widely reported that as much as 90% of all cyberattacks begin with the unwitting action of a member of staff – whether that’s clicking on a phishing email, or falling foul of social engineering. Never before has it been so important to place cyber resilience at the top of your business agenda.
Interested in better understanding the implications of increased cybercrime for your business? Join our free webinar in partnership with AXELOS GBP and featuring Vicki Gavin of the Economist Group, as we explore the most effective ways to safeguard against cyberattacks. Join the webinar and explore more here.
For the full original FT article, click here.
Why None of us are Above Cyber Attacks: How Hackers Broke into John Podesta and Colin Powell’s Gmail Accounts
It’s fair to say that when it comes to high profile cyber security failures, the past twelve months have seen more than their fair share.
As if the loss of customer data in TalkTalk-gate wasn’t enough, 2016 brought fresh attacks on the SWIFT (Society for Worldwide Interbank Financial Telecommunication) network, costing a number of banks both their reputations and tens of millions in losses. But why do security breaches keep befalling global giants who pump millions into their cyber security initiatives?
Organisations or individuals?
When reports of cyber-attacks hit the headlines, the press are quick to condemn the overarching failings of the organisations in question. Given that global consumer businesses are in possession of vast amounts of private customer data, it’s little wonder that the kneejerk reaction to security failures on this scale is anger. But with user error often relegated to a single line in damning press pieces, it’s easy to miss a common trend across many of these cases: that initial access to an otherwise secure system was granted by the accidental opening of an email, or a click on a seemingly innocuous link, by somebody within the organisation.
If we’re looking for evidence in support of this statement, all we need do is delve a little deeper into the mountain of reports into these instances that are available on the web. In fact, one report published earlier this year in the Federal Times noted that as much as fifty percent of all cyber breaches and data leaks can be attributed to human error.
In short, in this era of increasingly sophisticated cyber threats, a critical truth remains: your firewall can be as sophisticated as you like, but it means nothing if your people aren’t armed with the right knowledge.
Falling foul of cybercriminals can happen to anyone
In spite of the usual dialogue of blame that implies a certain ‘stupidity’ on the part of the staff in question, the reality of human-error data breaches is that they happen often enough to highlight a genuine problem with education around information security. There was perhaps a time when malicious phishing emails were laughably obvious, but with the ever-increasing sophistication of available technology, and smarter social engineering, falling foul of a cyber-attack can quite literally happen to anyone.
Never has this been illustrated more than by the recent email leaks from senior officials in Hillary Clinton’s US presidential election campaign.
Case in point: How hackers infiltrated the Clinton Clan
Back in March 2016, John Podesta – former White House chief of staff and chairman of the 2016 Clinton campaign – received an email that appeared to come from Google. It wasn’t until some months later, in October of this year, when thousands of Podesta’s private emails began to appear on WikiLeaks, that officials were alerted to any data breach. Rather than a legitimate Google security alert, what Podesta had received was a well-disguised phishing message designed to dupe him into entering the password to his Gmail account on a page the attackers controlled.
Of course when news of the hack broke, people were quick to point the finger at Russia. With mounting international tensions, and the profile of notorious hacking group Fancy Bears continuing to rise, such accusations were hardly unexpected.
The subsequent investigation into exactly where this particular email came from traced the malicious URL contained within it to a single account on the popular URL shortening service, Bitly. Using a Bitly short-link, the attackers concealed a longer link which, to the untrained eye, looked very much like a legitimate Google URL. Within this was a 30-character string containing John Podesta’s Gmail address in base64-encoded form.
The Bitly account used in this attack was found to be the very same one responsible for generating malicious short links used in a significant number of other attacks, including on members of the Democratic National Committee and on former Secretary of State Colin Powell, whose private emails later appeared on the website DC Leaks. Investigators at cyber firm SecureWorks also said that, because privacy settings had not been activated on the account, they could see every link it had generated, and were able to tie the Bitly account to a domain under the control of Fancy Bears.
Using Bitly allowed third parties to see their entire campaign including all their targets— something you’d want to keep secret
– Tom Finney, Researcher at SecureWorks
“It’s unclear why the hackers used the encoded strings, which effectively reveal their targets to anyone,” said Kyle Ehmke, a threat intelligence researcher at security firm ThreatConnect. “[Perhaps] the strings might help them keep track of or better organize their operations, tailor credential harvesting pages to specific victims, monitor the effectiveness of their operations, or diffuse their operations against various targets across several URLs to facilitate continuity should one of the URLs be discovered.”
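The encoded strings the researchers describe are exactly what a helpdesk or threat-intelligence analyst can turn against the operator: once a short link is expanded, the target address can be read straight out of the URL, and the host can be compared against the domains Google actually uses for sign-in. The following is an added example, not code from the article, from SecureWorks or from ThreatConnect. It inspects a URL of that kind, recovers an e-mail address carried in the query string or path (plain or base64-encoded, padded or not) and flags hostnames that trade on the Google name without being Google hosts. The hostname, parameter names and the address victim@example.com are constructed for illustration and are not taken from the Podesta email; expanding the Bitly link itself is assumed to have happened beforehand, so the code runs offline.

```python
"""Added example, not code from the article, SecureWorks or ThreatConnect:
inspect a phishing URL of the kind described above, recovering a base64-encoded
target address from its parameters and flagging hostnames that imitate
accounts.google.com. The hostname, parameter names and address below are
constructed for illustration and are not taken from the Podesta email."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Hosts Google really uses for sign-in; anything else that mentions the brand is suspect.
LEGITIMATE_HOSTS = {"accounts.google.com", "myaccount.google.com"}
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")

# Constructed sample (assumption, not the real phishing link): a lookalike host
# carrying the victim's address base64-encoded in a query parameter.
SAMPLE_TARGET = "victim@example.com"
SAMPLE_URL = ("https://accounts-google.com/ServiceLogin?continue=signin&e="
              + base64.urlsafe_b64encode(SAMPLE_TARGET.encode()).decode().rstrip("="))


def b64_decode_loose(value):
    """Decode base64 whether padded or not, URL-safe or standard; None if the result is not ASCII text."""
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.urlsafe_b64decode, base64.b64decode):
        try:
            return decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
    return None


def embedded_targets(url):
    """Return (where, address) pairs for e-mail addresses carried in the URL, in the clear or base64."""
    parts = urlsplit(url)
    candidates = parse_qsl(parts.query, keep_blank_values=True)
    candidates += [("path", seg) for seg in parts.path.split("/") if seg]
    found = []
    for where, value in candidates:
        if EMAIL_RE.match(value):              # address sent in the clear (or percent-encoded)
            found.append((where, value))
            continue
        decoded = b64_decode_loose(value)
        if decoded and EMAIL_RE.match(decoded):
            found.append((where, decoded))
    return found


def is_lookalike(url):
    """True when the host uses the Google name but is not a real Google sign-in host."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LEGITIMATE_HOSTS or host.endswith(".google.com"):
        return False
    return "google" in host.replace("-", "").replace("_", "")


def triage(url):
    """Summary a helpdesk could act on when a user forwards a 'Google security alert'."""
    return {"lookalike_host": is_lookalike(url), "targets": embedded_targets(url)}


if __name__ == "__main__":
    print(triage(SAMPLE_URL))
    # {'lookalike_host': True, 'targets': [('e', 'victim@example.com')]}
```

Run across every link an exposed shortener account has produced, `embedded_targets` yields the operator’s own target list, which is the point Tom Finney makes above; `is_lookalike` is the check Podesta’s helpdesk needed to apply before calling the message legitimate, since the real reset flow never leaves a Google-owned host.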
As it stands, investigators have drawn connections between nearly 9000 malicious phishing links used to target around 4000 individuals across the US and Europe – all seemingly originating from Fancy Bears. The Podesta hack was not the first time the Bears have made the headlines; their connections to the Kremlin have been the subject of speculation for some time, following their meteoric rise to media fame when they leaked confidential medical records of American athletes stolen from WADA (the World Anti-Doping Agency). Whether there is any truth in claims of suspected Russian ties remains to be seen – but if the authorities are in possession of any hard evidence, such information is unsurprisingly not in the public domain.
The use of popular link shortening services such as Bitly or Tinyurl [that left an uncharacteristic trail] might have a simple explanation – the hackers probably wanted to make sure their phishing attempts went past their targets’ spam filters
– Thomas Rid, King’s College London
What we do know is that in Podesta’s case, something as simple as an apparently legitimate account-security email led even one of the most tech-savvy figures in the campaign down the rabbit hole.
Phishing emails that even evaded Clinton’s IT team
Perhaps the most surprising thing of all in this account is the fact that John Podesta did actually report the email to his IT officers as suspicious – and was reassured that the request to reset his password was indeed ‘legitimate’.
Clearly, Podesta had some awareness of phishing emails as a means to obtaining sensitive private data, but was ultimately still duped into giving hackers access to his account and surrendering sensitive private information to criminals.
Comment from Bitly
When the technology news site Motherboard published its original series of articles covering the Clinton campaign hacks, it approached Bitly directly for comment. Bitly’s official reply, besides stating that it ‘can only do so much’ when it comes to preventing use of its services for unlawful or malicious purposes, read as follows:
“The links and accounts related to this situation were blocked as soon as we were informed. This is not an exploit of Bitly, but an unfortunate exploit of Internet users through social engineering. It serves as a reminder that even the savviest, most sceptical users can be vulnerable to opening unsolicited emails.”
– Bitly, speaking to Motherboard
Lessons learnt – how do businesses protect themselves against cybercrime?
Irrespective of their size or stature, no firm wants to fall foul of cybercriminals. The reality is that the ‘wolf-in-sheep’s-clothing’ analogy runs deep – within an organisation as high-profile as the Clinton camp, even seasoned IT security professionals were tricked into believing that a phishing email sent to one of their most prominent officials was legitimate.
As the tech world continues to advance, there will always be instances where data breaches and malicious attacks mounted on organisations by cybercriminals will be effective. This said, with an estimated fifty-percent of cyber security breaches attributed to human error, businesses need to view the education of their entire workforce as a critical line in the defence against hackers and cybercrime.
“We are all vulnerable, regardless of role or seniority”, says Mark Logsdon, former Head of Cyber Security at AXELOS Global Best Practice. “The most effective way of managing this risk is via a good cyber awareness programme that promotes good cyber behaviours and teaches all staff about their role in maintaining the cyber resilience of the company.”
Still want more? Check out these other interesting resources
The fantastic original Motherboard article on the Podesta hack
Another piece on how Clinton’s IT team were duped by hackers
Interactive visualisation of the world’s biggest data breaches by sector/fault
Cyber Security Training from Unicorn in partnership with AXELOS GBP
Last week the BBC reported that last year saw nearly six million instances of cyber crime in England and Wales.
According to the Office for National Statistics (ONS), cyber crime is fast becoming the most common type of crime, with 3.8 million fraud offences and 2 million instances of computer misuse recorded in the year to March 2016. It also noted that the majority of these were linked to some kind of bank account fraud, meaning that, as ever, banks remain at the forefront of cyber security concerns.
“In today’s climate, 70% of all fraud is cyber-related”, said Arancha Sanchez (CISO, Santander) at last month’s BBA Annual Retail Banking conference, where she expressed a belief that banks have a clear duty not only to protect themselves, but also to educate and assist their customer base. “Although at present, only half of firms consider cyber security to be a priority for them.”
“The widespread use of computers, laptops and smart-phones to facilitate fraud has changed [the way we perceive crime]”, said Danny Shaw, BBC home affairs correspondent. “[The ONS found] we are more likely to be a victim of fraud than any other type of crime, with one in 10 adults defrauded in the past 12 months.”
“Fraud and cyber offences are not a new threat and the government has been working to get ahead of the game, committing to spend £1.9bn on cybersecurity and cybercrime over the next five years.” –Policing Minister Brandon Lewis
Indeed, of the reported two million instances of computer misuse, 1.4 million involved the device in question becoming infected with a malicious virus, with the remainder related to “unauthorised access to personal information” – such as hacking. As technology continues to advance, and banks seek to provide seamless, cross-platform solutions to their customer base, it is crucial that cyber awareness is given adequate attention. “Consumers need confidence in banks, and banks need confidence in customers,” said Donald Toon, Director of the Economic Crime Command at the NCA. “Cyber Security is about Tech, Processes AND People.”
“Boards need to be heavily tasked with promoting a culture of cyber confidence. There isn’t a silver bullet when it comes to cyber security; and it’s a Chief Exec problem, not just an IT one.” –Arancha Sanchez, CISO, Santander
Just last week we brought you news of a second high-profile cyber-attack on a major bank. With the financial services sector still reeling from the $81 million cyber heist against Bangladesh Bank earlier this year, the second attack highlighted the growing need for increased cyber security across the industry.
With news that the Bank of England recently issued a request to all UK banks to redouble their security efforts when it came to all computers connected to the SWIFT messaging network, it’s obvious that cyber-crime is a very real threat to institutions across the board. “What we’re seeing is the very clear need for businesses to realise the potential cost of not only software security, but also cyber awareness among staff”, says Unicorn Training’s own Alex Prodromou. “With the increased sophistication of cyber-crime, more often than not hackers are able to access and wreak havoc across an organisation, simply because of the unwitting action of a member of staff who may have clicked on a phishing link, or opened an unsecured attachment.”
“Contrary to what we often read in the news, this isn’t anything to do with stupidity or negligence”, he continues; “but rather that organisations don’t always see the value in adopting a bottom-up approach, and educating staff about the potential threat posed by cyber-criminals.”
Indeed, the Bank of England’s alleged warning to the UK banks it regulates is the first of its kind – the first time a central bank in a major economy has issued such an alert.
It should be noted that the Bank of England – one of the G10 central banks responsible for jointly overseeing Brussels-based SWIFT – had no comment. However, it is undeniable that the Bangladesh theft has sent shockwaves through the established money transfer service used by both commercial and central banks across the globe.
One thing is for sure – cyber resilience remains one hot topic for the industry, and institutions of all sizes ought to be taking concrete steps to safeguard their interests. Talk to us today about RESILIA, powered by AXELOS, and learn how Unicorn can help safeguard your business against cyber-crime.
It’s been another eventful few months for high profile cybercrime. In the wake of last year’s very public TalkTalk hack, SWIFT (Society for Worldwide Interbank Financial Telecommunication) has this year reported not one, but two instances of devastating cyber-attacks that have targeted high profile organisations in the commercial banking sector.
Back in February, a cyber-attack aimed at stealing cash from the Bangladesh central bank’s account at the Federal Reserve Bank of New York was reported to have cost the organisation in the region of $81m (or £56m). In the investigation that followed, the extent of the attack was largely attributed to the central bank’s lack of adequate security controls – including the fact that it had no functioning firewall, and that it connected to global financial networks using second-hand $10 network switches.
Given the circumstances, it is incredibly fortunate that the bank’s total loss was in the region of millions rather than the $1bn that the cyber-thieves were allegedly out to steal. It was later revealed that a simple spelling mistake in one of the transfer orders alerted staff to the attack and stopped much of the money going astray.
However, to think that cyber criminals only target financial institutions whose systems are clearly substandard would be a grave misconception. Last week, SWIFT reported a second attack that targeted a commercial bank in a similar manner. Although neither SWIFT nor the wider media has yet revealed the organisation in question – or indeed whether any money was actually taken – SWIFT did report that the techniques employed bore a remarkable resemblance to those used in the February attack on the Bangladesh central bank. What this shows is that these attacks are not isolated in nature, but rather, as SWIFT put it, “part of a wider and highly adaptive campaign targeting banks”, one that exhibits a “deep and sophisticated knowledge of specific operational controls.”
“We are all vulnerable, regardless of role or seniority. An effective way of managing this risk is via a good cyber awareness programme that promotes good cyber behaviours and teaches all staff about their role in maintaining the cyber resilience of the company.”
–Mark Logsdon, AXELOS Cyber Security
As the growing prevalence of cyber-attacks such as these proves, cyber resilience rightly remains a hot topic for financial institutions. Mark Logsdon from our Cyber Security training partner, AXELOS, says: “The details of these high profile attacks remain subject to speculation, however they appear to be very similar to that carried out on Sumitomo Mitsui Banking Corporation (SMBC) in London back in 2005. In that attack criminals sought to create a series of SWIFT money transfer orders with an estimated value of £220M. Similar to these recent attacks they were only foiled by a combination of a vigilant member of staff and a simple error in the transfer order.
“An effective and consistent controls environment is key to preventing cyber-attacks”, he continues, “including those that are far less sophisticated than this one. This includes technology, process and critically people based controls. We know that over 90% of all cyber-attacks start with the unwitting action of a member of staff, i.e. they click on a link, open up an attachment contained in an email or innocently provide a critical piece of information to an attacker. The impact on the company or to us individually can be devastating.”
AXELOS is a joint venture between the UK Government (Cabinet Office) and Capita plc. They own and develop global best practice, including ITIL, PRINCE2 and RESILIA, used by millions of users in thousands of organisations around the world. Find out how Unicorn can help safeguard your entire organisation with our RESILIA cyber awareness learning here – brought to you through our partnership with AXELOS.
Alternatively, read more about Cyber Crime at the BBC website here.
Unicorn and AXELOS RESILIA working together to improve workforce behaviours through innovative cyber awareness learning
AXELOS has launched a comprehensive new suite of cyber awareness learning, in partnership with Unicorn, to meet the challenging demands all organisations face in managing their vulnerabilities to growing cyber risks.
Nick Wilding, Head of Cyber Resilience at AXELOS Global Best Practice, has laid down the gauntlet to firms in their fight against cyber crime, insisting, “Whatever you’re doing to improve cyber resilience and raising awareness, skills and insight amongst all your staff, you can never do enough.”
Upwards of 90% of successful security breaches are regularly being attributed to human error, regardless of a person’s role or responsibility. As organisations regularly evolve and adapt their technical security controls throughout the year so they need to be providing engaging, regular and easy to understand learning that will help to embed and sustain more resilient behaviours with all their staff.
AXELOS is a joint venture between the UK Government and Capita plc.
Its RESILIA cyber resilience best practice portfolio puts staff at the heart of an organisation’s cyber resilience strategy and gives companies the confidence to recognise, respond to and recover from cyber attacks effectively. The portfolio includes certified training, all staff awareness learning, leadership development and a maturity assessment tool. The RESILIA cyber awareness learning modules are hosted on Unicorn’s award-winning learning and development platform, SkillsServe.
Typically if companies have carried out any information security awareness training, staff have been put through an uninspiring annual eLearning course, which has little or no impact on embedding good cyber resilient behaviours within the workforce. But Nick believes organisations cannot continue to rely on this ‘compliance-based’ approach to cyber awareness if they are going to successfully manage their ever-changing cyber risks.
He said: “Every individual within an organisation can be a target. No one is immune so everyone has a critical role to play in protecting their organisations most valuable and sensitive information.
“Providing your staff with engaging and innovative learning programmes to promote genuine cultural change and understanding is critical. The learning should be ongoing and regular, short and practical, adaptive and personalised with the option to learn inside and out of work hours.
“RESILIA’s new cyber awareness learning modules include games, simulations, animations, videos, eLearning, posters, plus refresher learning and ‘up-front’ tests to meet the demand for both operational efficiency and learning effectiveness.”
Mark Jones, Commercial Director at Unicorn Training, added: “The cyber resilience module is designed to suit all individuals regardless of their preferred learning style or when and how they like to undertake their learning, with SkillsServe supporting 24/7 mobile just-in-time learning at the point of need.
“This approach gets to the heart of cyber resilience – enabling all staff to take personal responsibility for better protecting their employer’s most valuable and precious information.”
SkillsServe is the World’s top ranked LMS for financial services and fourth overall in the learning industry-renowned 2016 Top 50 Global LMSs Report. For more information visit www.unicorntraining.com/off-the-shelf-content/cyber-resilience/
As Dido Harding, TalkTalk CEO, described cybercrime as “the crime of our generation,” Unicorn’s Mark Jones talks cyber resilience ahead of Learning Technologies 2016.
Tucked away in the Chancellor’s 2015 Spending Review and Autumn Statement before Christmas was a small but not insignificant nugget that would have been missed by most commentators.
The government is committing £1.9bn by 2020 to support a comprehensive programme of cyber security prevention measures.
Recent high profile cases, including TalkTalk and VTech, have again highlighted how the cost of cyber security breaches is rising dramatically. Yet too often technology is still seen as the solution, when in reality it’s regularly reported upwards of 90% of successful breaches are down to human error.
In the wake of their breach, Dido Harding, TalkTalk CEO, described cybercrime as “the crime of our generation,” and moves like the Government’s budget pledge merely serve to reinforce her view.
Last summer, we partnered with AXELOS – a joint venture between the UK Government and Capita plc – to help raise awareness of the critical importance of staff engagement in countering the threat of cyber crime following the launch of AXELOS’s RESILIA Cyber Resilience Best Practice portfolio.
The aim was to provide a platform – SkillsServe – for RESILIA’s suite of cyber resilience learning modules to help address an issue that is infinitely more about people and training than computers and technology. Critically, SkillsServe is certified to ISO 27001, the information security management standard, which gives firms assurance about how the platform is secured and operated that open-source, higher-risk solutions may not offer, while SkillsServe’s position as the World’s top LMS for financial services adds further credibility to the learning.
In this month’s T-C News, Unicorn’s Commercial Director Mark Jones analyses how effective and engaging training can help firms better manage their ever-changing cyber risks.
Backed by the expert insight of Nick Wilding, Head of Cyber Resilience, AXELOS Global Best Practice, Mark observes how “no matter what you’re doing to improve cyber resilience and raising the awareness, skills and insight amongst all your staff you can never do enough,” before concluding, “The impact of not engaging all your people is too great a risk to take for most – are you ready to make a change?”
Meanwhile if you want to learn more about getting your staff up to speed with cyber resilience come and see us at Learning Technologies 2016 conference and exhibition, at Olympia, London on Wednesday 3 and Thursday 4 February, where Unicorn will be on Stand P14. Register for free entry to the Learning Technologies and Learning and Skills 2016 exhibitions and seminars at www.learningtechnologies.co.uk