Bank employees using social networks at work: danger or mere distraction?

Banks always have been a lure for attackers, and while new technologies help to improve client service, they also create additional information security risks.

Cyberattacks on banks frequently start with criminals persuading employees of a financial institution to open specially crafted malware. Positive Technologies expert Timur Yunusov explains below if it makes sense for banks to ban workplace use of social networks to reduce the risk of such attacks.

Employees: the weak link in security

Most cyberattacks on banking infrastructure rely on social engineering. By smoothly manipulating bank employees in correspondence or conversation, criminals frequently manage to penetrate a bank’s internal network. In the case of a targeted attack directed at many bank employees—we know of attacks targeting 10 to 50 (or even more) employees at the same time—we can safely assume that at least one of them will open malware attached to an email message, therefore infecting that employee’s computer.

Research performed by Positive Technologies demonstrates that information security awareness among employees remains low. Employees often open potentially malicious attachments and act in a way that may jeopardize the security of the company\’s infrastructure. Unfortunately, awareness is still low at companies where employees undergo information security training.

One of the most effective tools for a hacker is the telephone—in 100 percent of cases with the clients we audited, our testers managed to convince the employee on the other end of the line to open the malicious file they had previously sent, or even to disclose the employee’s user name and password. Bank employees are a weak link in security, and therefore financial institutions have to think about how to reduce the risk of attacks on their staff.

Putting the social network controversy in perspective

Considering all the above, banning workplace use of social networks might seem to be a safe and sensible step. After all, popular online services are another way for attackers to spread malware.

But in reality, social networks are less useful for fraudsters than the phone, for instance. To persuade employees to perform a certain action, attackers first need to create relationships and earn trust. Targeted attacks via social networks are a time-consuming process that usually takes a week or more. Timing is trickier too, since if the attacker sends the malicious software or link when the employee is at home, the malware will infect the employee’s computer, instead of a bank computer.

Sometimes attackers hack the accounts of the target employee’s friends. In this case, success is more likely because people trust their friends more than they trust strangers. But performing this attack at any kind of scale against bank employees via social networks is quite difficult and has no guarantees of success. Overall, emails and phone calls are much more effective for hackers.

To ban or not to ban

Statistics show that employees of financial institutions are at risk and are the logical first target for hackers. Many methods are available to hackers for this purpose, including social networking websites.

But banning use of social networks may actually be counterproductive. After a ban, employees could switch over to other communication methods (for example, email and phone) that are statistically riskier with respect to social engineering.

In addition, outright prohibitions may not work and instead push employees to seek dangerous workarounds. At a minimum, any ban must be reinforced by training to educate employees on the basics of information security.

The more effective and reliable choice for banks and other businesses is to combine security awareness training with use of special protection and attack detection tools, such as security information and event management (SIEM) and web application firewall (WAF) solutions.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.