Code source for encryption and other cybersecurity software is a sticky topic for many in the information security world. In one camp, you’ll find those who champion open source software as being inherently more secure. And opposite them, you’ll see those who say proprietary is the only way to go since open source has no accountability attached to it. The broader open-source vs closed-source debate has been raging for decades, since the early days of software. Both sides have their prominent proponents and just as prominent opponents.
Banks and other financial institutions are suffering under the weight of a staggering 238% increase in cyber attacks since the beginning of the Coronavirus pandemic and ensuing lock-downs. While there are myriad reasons for this added attention from bad actors, the simple fact remains that these organizations are vulnerable due to broad attack surfaces that include numerous distinct endpoints.
The coronavirus pandemic has caused, among many other things, a massive uptick in the number of companies shifting to a work-from-home model. And with that shift has come a renewed focus on email security, since workers are now conducting their conversations on whatever device they have to hand rather than their (hopefully) encrypted and secure work computers.
Let’s say you’re a pizza delivery person showing up at someone’s home: you expect him to pay for the pie you’re delivering, but when he opens the door he claims that he never placed an order and won’t accept the delivery. If the order was placed over the phone, there’s not much you can do. Someone might have spoofed the phone number in order to perform a prank, and there’s no real way to prove who actually placed the order. Luckily, the order was actually placed via a delivery app—meaning that the recipient had to sign in to an account associated with his address and credit card. Once you pull up the app on you phone and show the nogoodnik a record of the transaction, the jig is up, and he’s forced to pay out.
If you’re drawn to Thunderbird as an email client, there’s a good chance that you’re more security-conscious than the average internet user. The majority of email users across the web aren’t going to get excited about a free, open source, cross-platform email client that stays true to the tenets of the Mozilla Manifesto—but for those who do, Thunderbird presents an attractive alternative to some of the more well-known email clients on the market. That said, it doesn’t offer encryption protection for your emails right out of the box.
SWIFT CSP’s mandatory controls get more numerous and stringent with every yearly release, and it can be difficult for even the most tech-savvy banks to keep pace. Beginning in July 2020, for instance, self-attestations will require independent audit assessments that cover at least the mandatory controls. This audit can be conducted by an internal or external team, but SWIFT seems to be pushing for (and in some instances requiring) outside assessors to help banks understand their own compliance pictures.
In a survey of several thousand IT professionals across a dozen countries, 57% of respondents said that encryption key management at their company was “painful.” In a similar study, the risk and cost associated with key management was, on average, rated a seven out of 10. Those percentages change from year to year, but as the importance of encryption becomes increasingly obvious across different sectors, the total number of businesses dealing with serious encryption key pain is only going to go up.
Right now, your bank is probably vulnerable to costly cyber attacks. Why? Because, like most financial institutions, you probably haven’t implemented end-to-end encryption or robust endpoint protection. It’s easy to understand why something like this could fall through the cracks—no one wants to shell out for a complex software solution whose purpose they don’t fully get—but the next big cyber bank heist is coming, and you probably don’t want to be the victim.
When SWIFT messages are utilized in bank heists like the 2016 Bangladesh Bank attack, reports often refer to SWIFT having been “hacked.” In reality, it’s the banks themselves that have had their cybersecurity flaws exposed, and the SWIFT network was only used as a tool for the fraudsters to gain the trust of the financial institutions that are performing the transfers. This might seem like a small nit to pick, but in some ways it’s an important distinction to draw. Why? Because it centers “trust” as one of the most important elements of both successful fraud and successful fraud prevention.