A year ago, I blogged about the Carbanak hacking and thought that it was a wake-up call for financial organizations to improve their internal systems and processes to protect themselves from patient hackers. The alleged patient hacking reported this week at the central bank of Bangladesh shows that the lessons have not been learned. There is too much silo thinking in large organizations – cyber security is still thought to be the responsibility of some computer professionals. The reality is that security has to be designed into all systems and processes in the entire organization. Institutions like central banks that control vast amounts of money need to defend in depth at all levels of the organization. Physical security, hardware security, software security and robust internal systems and processes all contribute to a culture of security in the whole organization. In my experience, even senior management at large banking and financial organizations have a highly complacent attitude towards security that makes the organization highly vulnerable to a patient and determined hacker.
For example, there is no reason not to have a dedicated terminal for large (say $100 million) SWIFT transactions. Cues like dedicated hardware tend to make humans more alert to security considerations. In the paper world, we went to great lengths to institutionalize such cues. For example, the law on cheques permits cheques to be written on plain paper (the law only says “instrument in writing”), but in practice they were always written on special security paper. The importance of keeping blank security paper under lock and key was drilled into every person who worked in a bank, from the chairman to the messenger boy. I have yet to see any similar attempt to inculcate a culture of computer security in any bank.