Can You Steal $1 Billion Using Malware?

Based on recent reports out of Bangladesh, it looks like malware can steal at least $80 million. Apparently, a mere typo by the thieves prevented the loss of much more. Some people find it hard to believe that such large sums can be stolen without any overt insider assistance.

[Image: Carbanak_1_en] Source: Kaspersky Labs

After reading this story, a friend said to me “This is crazy. What percentage would you say start off as ‘inside’ jobs? To me a majority start from within.”

A 2013 report by Clearswift said:

…more than half of all security incidents (58%) can be attributed to the wider insider family: employees (33%), ex-employees (7%) and customers, partners or suppliers (18%).

So, my friend is right.

But to suggest that malware alone couldn’t help a gang steal $1 billion is old thinking. Stuxnet and Carbanak are two high-profile examples of doing great damage from a distance. And both of them started by using social engineering to pierce the human firewall.

Some people say the human firewall is irreparably broken. While I wouldn’t exclusively rely on it, there’s no need to give up on your people completely. A good blend of countermeasures across the people, process, technology, and management dimensions is the best approach. And using the NIST Cybersecurity Framework (CSF) to organize yourself makes great sense.

Not sure where to begin? Drop me a note and I’ll be glad to point you in the right direction.
