A major cyberattack stands as further evidence that organizations of all kinds, and especially those that handle sensitive digital assets, need to make information security awareness training a priority for all employees.
A security firm recently revealed one of the biggest bank heists in history. Over the course of many months, the criminals stole as much as $1 billion from banks and financial institutions around the world. They committed this massive theft without guns, lock picks or any of the other traditional tools of the bank robber. Instead, they utilized malware and phishing tactics to commit their crime.
This remarkably effective cyberattack stands as further evidence that organizations of all kinds, and especially those that handle sensitive digital assets, need to make information security awareness training a priority for all employees.
A massive theft
The theft was first detected by cybersecurity firm Kaspersky Lab. In total, Kaspersky Lab estimates that as much as $1 billion was stolen via a large number of raids, each of which was limited to $10 million or less. These attacks were not limited to a single organization, but rather encompassed more than 100 financial firms located in 30 nations including the United States, China and, most commonly, Russia. The diversity of the targets is one of the most striking aspects of the hacking effort.
“These bank heists were surprising because it made no difference to the criminals what software the banks were using,” said Sergey Golovanov, principal security researcher at Kaspersky Lab’s global research and analysis team, Bloomberg reported. “It was a very slick and professional cyber-robbery.”
The cyberattack began in 2013 and remained undetected until recently. During this time, the cybercriminals used their illegally gained access to steal in a variety of ways. In some cases, the culprits seized control of ATMs, causing them to dispense cash at certain times. In others, the cyberattackers simply added funds to their own online accounts.
A cautionary tale
The variety of the cybercriminals’ targets and methods demonstrates several important concepts. First and foremost, this diversity shows that the cybersecurity failure was not limited to a single institution, but was instead very widespread. And as Golovanov pointed out, it did not matter what kind of software the targeted banks used – the cyberattackers were able to infiltrate their systems regardless.
This is because the cyberattackers relied largely on phishing and malware to compromise their victims. The hackers used botnets to send malware-laden emails to bank employees. According to The New York Times, these emails frequently took the form of news clips or appeared to be from colleagues. Employees who opened these emails and clicked on the files or links they contained allowed the hackers to gain access to the bank’s network. Once the hackers achieved this level of access, they effectively had the opportunity to fully explore and take advantage of the financial institution’s computer systems.
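The two lures described above, a message that appears to come from a colleague but originates outside the organization, and a "news clip" whose link or attachment does not match what it claims to be, are exactly the traits a mail gateway or a trained employee can check for. The following Python screen is an added example, not code from the article, from Kaspersky Lab, or from any bank involved; the internal domain, the staff directory and the sample messages are all constructed placeholders, and the checks are illustrative rather than a complete anti-phishing product.

```python
"""Screen inbound email metadata for common phishing traits.

Added illustrative example. Every value below (domain, staff directory,
sample messages) is constructed for the demonstration and is not real data.
"""
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed internal mail domain of the organisation (placeholder).
INTERNAL_DOMAIN = "example-bank.test"

# Assumed directory of known colleagues: display name -> mailbox (constructed).
KNOWN_STAFF = {
    "Dana Reyes": "dana.reyes@example-bank.test",
    "Ola Nilsen": "ola.nilsen@example-bank.test",
}

# Attachment types that can run code or carry macros when opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                    ".docm", ".xlsm", ".pptm", ".zip"}


def _host_from_text(text):
    """Best-effort hostname from the visible text of a link ('' if none)."""
    candidate = text.strip().split("//")[-1].split("/")[0].lower()
    return candidate if "." in candidate and " " not in candidate else ""


def screen_message(msg):
    """Return a list of human-readable reasons the message deserves scrutiny.

    msg is a dict with keys: 'from' (RFC 5322 From header value),
    'attachments' (list of file names) and 'links' (list of (text, href)).
    An empty list means none of the screened traits were present.
    """
    reasons = []

    # Trait 1: display name of a colleague, but the address is external.
    display_name, address = parseaddr(msg.get("from", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if display_name in KNOWN_STAFF and domain != INTERNAL_DOMAIN:
        reasons.append(
            f"display name '{display_name}' matches a colleague but the "
            f"sender domain is '{domain or 'missing'}'"
        )

    # Trait 2: attachment of a type that executes code or carries macros.
    for name in msg.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"attachment '{name}' is a risky file type ({ext})")

    # Trait 3: link whose visible text names one host but points to another.
    for text, href in msg.get("links", []):
        shown = _host_from_text(text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and actual and shown != actual:
            reasons.append(f"link text shows '{shown}' but points to '{actual}'")

    return reasons


# Constructed sample messages: one benign, one impersonation with a macro
# document, one fake "news clip" with a mismatched link.
SAMPLE_MESSAGES = [
    {"from": "Dana Reyes <dana.reyes@example-bank.test>",
     "attachments": ["q3-report.pdf"], "links": []},
    {"from": "Dana Reyes <dana.reyes@mail-example-bank.test>",
     "attachments": ["invoice.docm"], "links": []},
    {"from": "Daily News <news@example-news.test>",
     "attachments": [],
     "links": [("example-bank.test/news", "http://login.example-bank-secure.test/")]},
]


def screen_all(messages=SAMPLE_MESSAGES):
    """Screen every message; returns a list of reason lists, one per message."""
    return [screen_message(m) for m in messages]


if __name__ == "__main__":
    for i, reasons in enumerate(screen_all()):
        verdict = "ok" if not reasons else "review"
        print(f"message {i}: {verdict}")
        for r in reasons:
            print(f"  - {r}")
```

The screen deliberately reports reasons rather than a single verdict so that a reviewer, or the employee the article wants to train, can see which trait was triggered; an attachment check on its own would miss the spoofed-colleague message and a sender check on its own would miss the news-clip lure.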
No matter how strong an organization’s cyberdefenses are, there is simply no way to remove the human element entirely. And as these tremendous thefts demonstrated, this vulnerability can have massive consequences for affected organizations.
It is therefore imperative for leaders in the financial sector and beyond to embrace strategies that can reduce the threat posed by phishing and related cyberattacks. That’s what makes information security awareness training such a critical resource for decision-makers eager to improve their cybersecurity. Through training and education, employees can become far more savvy, learning when to trust emails and when to be skeptical. Staff can also begin to understand how big an impact their actions in this area may have, which should lead many employees to exhibit more cautious behavior.
Only by embracing cybersecurity training can enterprises effectively prepare their personnel to remain defended against the increasingly sophisticated threat that hackers pose in every industry.