In the world of cyber security, sometimes there’s good news and sometimes there’s bad news. The Telegraph recently reported that a fortuitous spelling mistake in an online bank transfer stopped a nearly $1 billion (that’s billion, with a capital B) heist in February 2016 involving the Bangladesh central bank and the Federal Reserve Bank of New York. That’s the good news. The bad news is that the thieves, who are still unknown, managed to get away with more than $80 million, which comprises one of the largest known bank heists in history (authorities report that some of that money has since been recovered).
Apparently, the hackers stole credentials for payment transfers and then made three dozen requests to the New York Fed to transfer money from the Bangladesh Bank to other countries. (Bangladesh Bank keeps an account with the Fed, which it uses for international transactions). Four of these transfer requests to move $81 million to the Philippines actually went through. But a fifth attempt for a $20 million transfer to a supposed Sri Lankan non-profit was held up by routing bank Deutsche Bank because the thieves misspelled the non-profit’s name. What should have been “Shalika Foundation” was spelled “Shalika Fandation.” When Deutsche Bank sought clarification from the Bangladesh central bank, that transaction and all others were stopped. While there are additional details in this case, the salient point is this: had the payment transfer to the invented Sri Lankan non-profit not been misspelled, in all likelihood, the crooks would have made off with another $850 million to $870 million.
This case demonstrates the worldwide impact of data breaches, cyber threats, and organized crime. Hackers are adept at finding weaknesses in most systems, even those thought to be secure. In this case, it looks like the weak link might have been employees who either knowingly or unknowingly shared information that should not have been shared. We may never know the extent of the breach in terms of security or who is responsible.
Whether or not employees were to blame for this major heist, employees are the most important assets in any organization. If they neglect good cybersecurity practices, the company’s overall cyber defenses are weakened. Instituting strong security policies and educating staff on these policies is important, but educating staff isn’t enough. There will always be bad actors, and the landscape of cyber threats is only becoming more sophisticated.
To prevent well-intentioned employees from making critical errors that put your business at risk, here are three common cybersecurity mistakes employees make—and the best ways to address them.
1. Falling for Phishing
Phishing may be a common scam, but employees are still falling for it. Between late 2013 and August 2015, the FBI found that more than 7,000 U.S. companies were victimized by business email scams—with total losses exceeding $740 million. A single well-written phishing email can confuse employees into clicking a fraudulent link that installs malware on company machines, or can trick accountants into wiring money into false bank accounts purportedly owned by company executives traveling overseas.
Employees need regular training to remind them to be on guard against phishing attacks. Organizations can also implement strict security protocols. For example, security tools can be configured to make every emailed link employees click result in a pop-up that warns them to think twice before proceeding to the link destination.
2. Plugging in Mystery Devices
A common cybersecurity experiment is to leave unidentified USB sticks out in public to see how many people will take the strange devices and plug them in. In a recent case, researchers from the trade association CompTIA left thumb drives out in locations such as coffee shops and airports, and about 1 in 5 of the 200 people who encountered the devices plugged them into their own machines. If these USB sticks had been planted by malicious hackers rather than researchers, the individuals who plugged them in would have been exposing themselves to cyber attacks.
If an organization’s employees choose to plug in unfamiliar USB sticks left on company property by hackers, there is a significant chance that the company’s entire network may be compromised. Thankfully, network security monitoring can counter this threat. A basic element of network security monitoring is asset discovery and monitoring. This means taking inventory of what authorized and unauthorized devices exist on a network so that defense teams are not caught off guard by rogue equipment.
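As an added illustration of the inventory step described above (example code, not from the original post or from any vendor's monitoring product): a script that compares a snapshot of DHCP leases against an allowlist of authorized devices and flags anything unknown. The allowlist, the lease snapshot and every MAC address in them are constructed sample data.

```python
"""Minimal asset-inventory check: which devices on the network are not in the
authorized inventory, and which inventoried devices are not currently seen.
All data below is constructed sample data, not from a real network."""
import re
from collections import namedtuple

# Constructed allowlist: what the organisation knows it owns (mac,owner).
AUTHORIZED_MACS = """
mac,owner
00:1a:2b:3c:4d:5e,finance-ws01
00:1a:2b:3c:4d:5f,finance-ws02
3c:22:fb:aa:bb:cc,printer-2f
"""

# Constructed lease snapshot: "ip mac hostname" per line.
LEASE_SNAPSHOT = """
10.0.5.21 00:1a:2b:3c:4d:5e finance-ws01
10.0.5.22 00:1a:2b:3c:4d:5f finance-ws02
10.0.5.40 3c:22:fb:aa:bb:cc printer-2f
10.0.5.77 d8:3a:dd:12:34:56 android-9f3c
"""

Device = namedtuple("Device", "ip mac hostname")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalize_mac(mac):
    """Lower-case and use ':' separators so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")

def parse_allowlist(text):
    macs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        mac, owner = line.split(",", 1)
        macs[normalize_mac(mac)] = owner.strip()
    return macs

def parse_leases(text):
    devices = []
    for line in text.strip().splitlines():
        ip, mac, hostname = line.split()
        mac = normalize_mac(mac)
        if not MAC_RE.match(mac):
            continue  # drop malformed entries instead of trusting them
        devices.append(Device(ip, mac, hostname))
    return devices

def find_rogue_devices(leases, allowlist):
    """Devices seen on the network but absent from the inventory."""
    return [d for d in leases if d.mac not in allowlist]

def find_missing_devices(leases, allowlist):
    """Inventoried devices not currently seen (offline or stale inventory)."""
    seen = {d.mac for d in leases}
    return sorted(m for m in allowlist if m not in seen)
```

Each rogue entry is a starting point for the defence team to investigate, not proof of compromise; a new printer and a planted device look identical until someone checks.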
3. Using Weak Passwords
Passwords are a big source of cybersecurity risk for companies. However, if employees follow good practices for password management, organizations will be considerably more secure. One technique is to make passwords unique. Employees should use a unique password for each work account, and not the same password that they use for other purposes such as their personal social media accounts. That way, if their personal account is compromised, their work account won’t be affected.
Another technique is to make passwords strong. Cybersecurity expert Bruce Schneier offers helpful advice about how to create robust passwords. The reality is most passwords that can be easily remembered can also be easily cracked. The strongest passwords are randomly generated ones, and password managers such as KeePassX can store them so that users only have to remember the single password and not each individual one.
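An added example, not from the original post or from Schneier's writing, that generates a random password with Python's CSPRNG and compares its entropy with that of a typical memorable pattern (one common word, two digits, one symbol). The 20,000-word dictionary size and the attacker rate of 1e10 guesses per second are illustrative assumptions, not measurements.

```python
"""Random password generation and an entropy comparison against a
memorable pattern. Constants marked 'assumed' are illustrative only."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
GUESSES_PER_SECOND = 1e10  # assumed attacker throughput, for illustration only

def random_password(length=16, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def pattern_entropy_bits(dictionary_words=20000, digits=2, symbols=1):
    """Entropy of the 'common word + digits + symbol' pattern.
    The word is one of ~20k common words (assumed), so an attacker guesses
    whole words, not letters; symbols are drawn from ~32 keyboard symbols."""
    return (math.log2(dictionary_words)
            + digits * math.log2(10)
            + symbols * math.log2(32))

def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit the password: half the keyspace on average."""
    return (2 ** bits) / 2 / rate

if __name__ == "__main__":
    pw = random_password()
    print("random 16-char password:", pw)
    print("random entropy bits:", round(entropy_bits(16, len(ALPHABET)), 1))
    print("pattern entropy bits:", round(pattern_entropy_bits(), 1))
    print("pattern expected crack seconds:",
          round(expected_crack_seconds(pattern_entropy_bits()), 3))
```

The comparison shows why the post recommends a manager: a 16-character random password carries roughly four times the entropy of the memorable pattern, and nobody needs to remember it.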
Although you won’t find many stories in which a typo is the hero, and poor spelling is generally not considered a positive, I think we can all applaud both in this case. That said, counting on all cyber criminals to be bad at spelling is not a cybersecurity defense. The best defense is a combination of strong security policies, good execution of those policies, regular employee IT security education, and the security technology, infrastructure, and services that work together to thwart potential attacks.
A version of this post first appeared on the EiQ Networks blog