A thwarted cyberattack against a Vietnamese bank that exploited the SWIFT interbank messaging system underscores the security challenges for small businesses. If one of the most supposedly sophisticated secure messaging systems in the world can be cracked, what does that mean for small companies with fewer resources?
Vietnam's central bank said a foiled cyberattack on Tien Phong Bank (TPBank) using the SWIFT system, which banks use to securely send money around the world, sought to fraudulently transfer 1.2 million euros ($1.36 million) to a Slovenian bank last December, Reuters notes. The attempted hack, which relied on fraudulent messages — basically, transfer requests — sent through the Society for Worldwide Interbank Financial Telecommunication system, used “the same technique at the heart of February’s massive theft from the Bangladesh central bank” that resulted in a heist of $81 million, according to Reuters.
While the events surrounding SWIFT may make headlines and rattle those in high finance, they also highlight the need for businesses of all sizes to boost their security, notes Mike Chapple, senior director for enterprise support and assistant professor of computer applications at the University of Notre Dame.
Chapple told BizTech that while the security of the SWIFT system itself is not directly relevant to small businesses, SWIFT’s vulnerability serves to point out “the degree of sophistication attackers have.”
The attacks highlight the trend toward advanced persistent threats that have become more prevalent for businesses in the last few years, Chapple says. “If an attacker has a target in mind, and there is a significant reward there, the attacker is going to be sophisticated in how they go about attacking that target,” he says.
Small businesses owners and staff members who work on IT need to be thinking through the protocols they would follow if they became a target for a hacker — and the steps they should be taking to protect themselves, Chapple says.
The most important initial step companies can take is to make an inventory of the assets and data that are most critical to an attacker, he says. Those assets are likely the ones that will be most attractive to cybercriminals.
Businesses need to think about whether the attack would be directly financial in nature (attackers attempting theft of funds) or an attack in which company/customer data is held hostage in a ransomware attack.
Small businesses should also try to “take the attacker’s mindset” and conduct cybersecurity penetration tests, either as a thought exercise or a technical penetration test. “If I were trying to take this information, what would I do?” Chapple asks. “Where are the weak spots in our business processes and our technology that would allow me to get access to this information?”
If companies do a technical test to see how porous their cybersecurity defenses are, they should shore up any vulnerabilities they discover, and test continuously, Chapple says, to ensure that “as the threats evolve and change, your controls evolve with them.”
Some companies, Chapple notes, do have the tools and resources they need to fend off sophisticated attacks — and some don’t. Moreover, some don’t even know what tools they do have. “For the most part, it really comes down to, ‘What are the controls that we need around this information?’ And then piecing together the right solution.”
Developing the right suite of security technologies is a complex task for small businesses, Chapple notes. Organizations need to consider how the different elements of their security plan work together.
“You can’t just slap technology in place and expect it’s going to solve your security issues,” he says. “You really need energy and thought in designing the control environment and that it’s going to protect the assets the business has.”
Regardless of what kind of technology a company uses, whether it’s next-generation firewalls, authentication software or orchestration systems, Chapple says that “the technology has to be built in the context of a larger plan.”
Chapple also recommends that small businesses automate as much of their security as they possibly can. If, after performing an inventory, companies employ data loss prevention technology to monitor if sensitive information is leaving the organization, they can automate that kind of scanning, he says. Businesses can also automate vulnerability scanning.
That will give firms “a good sense of the health of your systems over time,” Chapple says. However, he notes that companies also need to make sure they have a running “to-do list for keeping your system secure and up to date.”