Cyber and the human factor

I thought I had heard of most significant cyber breaches. The 2016 SWIFT hack of the Bank of Bangladesh was one I’ve only recently learned about from the Kaspersky-sponsored documentary, produced by The CyberTree Paradox.

Bangladesh is one of the most hacked countries in the world, according to the Kaspersky Security Bulletin. In 2020, it accounted for 8.12% of all ransomware trojan attacks. What makes this hack unique is the human element, which is also the subject of the documentary. A North Korean group is suspected of hacking the Bank, observing how transactions are made, and then submitting fraudulent requests.

John Scott of the Bank of England explains that the Bank of Bangladesh sent 35 requests to the US Federal Reserve. They were correctly coded and cryptographically signed. They were rejected due to improper formatting and then resubmitted. These requests all appeared genuine and would have been paid had it not been for human intervention. Some $101 million of the requested $951 million was paid before the transactions were halted.

The human element doesn’t stop with the prevention of an even larger loss. Some of the funds transferred were then intended to be sent to Sri Lanka. Another human error flagged this transaction: the word “foundation” was misspelled, raising suspicion and prompting an investigation into the transaction. This allowed the Federal Reserve to recover some of the funds sent. The remaining funds were sent to the Philippines, and an instruction to put a hold on those funds was also sent. That instruction arrived over Chinese New Year, and by the time staff were there to act upon it, the funds had already been withdrawn.

As cyber professionals, we often talk about people, process, and technology. People have played a more significant part in cybersecurity in recent years. There has been an explosion in the number of cyber awareness roles, training companies, and research into human behaviour in cybersecurity. We may not be able to train everyone to understand cyber attacks or spot minor errors, but we can empower people to speak up. If the security team has built strong relationships throughout the business, employees will be more likely to flag issues for investigation. If employees feel security enables them, they will be more likely to reach out.

CISOs who can build strong business relationships, act as enablers and develop a security culture are the ones who have been in most demand. I believe the next stage for cybersecurity is to have all employees see cyber as their responsibility. We are not all accountants, but most employees understand the need to spend wisely and make responsible purchasing decisions. We are not all HR professionals, but we understand the need to treat our colleagues respectfully. The same needs to be true of cyber: we are not all cyber professionals, but we understand our role in keeping our organisation secure.

As an industry, we use stories of cyber breaches to capture the attention of the people we need to reach. Telling these stories engages them and puts their imagination to work. I’m surprised this is a story I hadn’t heard but I think it’s one that needs telling.

You can view the documentary here to learn more: https://bit.ly/3gzbJob