Our information security staff came across an especially interesting and pertinent interview made available by Bankinfosecurity.com this past week.  In this interview, the president of a southeastern community bank with $100 million in assets shares his experience with corporate account takeover and the overall impact that this breach had on his institution.  He reviews the incident in detail and explains the bank’s response, focusing on specific lapses in controls and control considerations that contributed to the successful execution of the breach.  Incidents like this one have served as a precursor to the much-anticipated revisions of FFIEC guidance on online banking and authentication—revisions that could introduce a new set of standards for both technical controls and vendor due diligence, particularly for small and midsized financial institutions that rely heavily on the security measures provided by third-party processors.

Among the more startling lessons learned from the incident are the following:

  • Mistakes were made on the part of the end user (the customer), the bank, and two third-party service providers.  It was the bank, however, that took the biggest hit, as the fines levied against it greatly exceeded the amount of money lost by the customer.  That figure does not even include reputational damage, time, frustration, and legal fees.
  • While attackers have historically gone after large financial institutions, this incident shows that no bank is too small to fall victim to an attack.
  • While a great deal of time and effort, especially by state and federal governments, has been focused on the protection of personal accounts, corporate accounts have been largely ignored.  This is counterintuitive, as corporate accounts usually carry much higher balances – and therefore offer attackers much more to gain – than personal accounts.  The interview repeatedly referenced the ambiguous language in place to protect corporate accounts.  A requirement for “reasonable” security controls does not really mean anything, as “reasonable” is a completely subjective word.

GraVoc Associates, Inc. is based in Peabody, MA, and its information security practice has been serving customers in the financial services industry for over ten years in the areas of risk management, IT assurance, and audit.  GraVoc also offers solutions in the practices of IT and network services, information systems, media production, and professional services.  For more information about GraVoc, please visit https://www.gravoc.com.