Based on recent reports out of Bangladesh, it looks like attackers using malware stole at least $80 million from the country's central bank. Apparently, a mere typo in one of the thieves' own transfer requests stopped them from taking much more. Some people find it hard to believe that such large sums can be stolen without any overt insider assistance.
After reading this story, a friend said to me “This is crazy. What percentage would you say start off as ‘inside’ jobs? To me a majority start from within.”
A 2013 report by Clearswift said
…more than half of all security incidents (58%) can be attributed to the wider insider family: employees (33%), ex-employees (7%) and customers, partners or suppliers (18%).
So, my friend is right.
But to suggest that malware alone couldn't help a gang steal $1 billion is old thinking. Stuxnet and Carbanak are two high-profile examples of doing great damage from a distance. And both of them got in through people first: Carbanak began with spear-phishing e-mails to bank staff, and Stuxnet is widely believed to have been carried into its target on infected USB drives. In each case the human firewall was pierced before any technical control was beaten.
Some people say the human firewall is irreparably broken. I wouldn't rely on it exclusively, but there's no need to give up on your people completely. A good blend of countermeasures across the people, process, technology, and management dimensions is the best approach, and using the NIST Cybersecurity Framework (CSF) to organize that work makes great sense.
Not sure where to begin? Drop me a note and I’ll be glad to point you in the right direction.