How a Culture of Awareness Could have Prevented Breach of 1.5 Million Users

Atlanta-based bank SunTrust is the latest institution to announce criminal meddling that resulted in potentially exposed data for 1.5 million clients. The organization believes that this could include names, phone numbers and account balances for the affected clients, but claims personally identifiable information such as social security numbers, account numbers, PINs, user IDs, passwords or driver’s license numbers were not exposed.

If you’re keeping score at home, you may be asking yourself how this breach is any different from the others that have been occurring lately. Unlike the headline-grabbing Equifax hack or the endless patch cycle for Spectre and Meltdown, the SunTrust breach wasn’t caused by outsiders breaking into the network; it was caused by an employee who gained access to sensitive data.

What Happened

SunTrust is in the middle of an ongoing investigation, so a complete account isn’t yet available. The bank began its investigation six to eight weeks ago, when it found that the employee had attempted to inappropriately download client information. The case was disclosed publicly later, when SunTrust found the employee may have attempted to print the data and share it with an outside party.

SunTrust CEO William Rogers claims the incident was not a “data breach,” commenting that the employee who printed sensitive information was not authorized to access that level of information. SunTrust has since begun reviewing its systems and capabilities to identify how such access was possible. That raises the obvious question: how did a former employee gain access to sensitive client information they weren’t authorized to see in the first place?

The Attack Method

Security is all about knowing who and what to trust. Criminals use social engineering tactics because it’s usually easier to exploit an employee’s natural inclination to trust than it is to discover and test methods for penetrating your technical defenses. Often, these tactics use storytelling to lull employees into a false sense of safety, and then exploit that trust to get them to click phishing links, install malware or even literally open a door to let in a criminal. But what happens when the threat has a familiar face, say that of a boss or a colleague from another department?

So much of the news coverage of data breaches is filled with buzzwords like “hackers” and “cybercriminals,” but many organizations fail to account for the risk their own employees pose. Unless you properly educate and train your team that risks can come from within as well as from outside, you’re setting them up for failure. Security is not a training session or a rulebook; it’s a mindset that must be instilled in each and every employee at your company.

Creating a Culture of Awareness

As we often say, the best weapon against criminals and cyberthreats is a robust educational program that trains your employees to identify threats to your company and respond appropriately. If your employees don’t know what to look for, how can they prevent an attack? The best way to approach training and education in your organization is to make it a priority for everyone.

Cybercriminals don’t leave clues behind in the same way an employee stealing from the cookie jar might leave crumbs. That’s why it’s important to create a culture of incident reporting and information sharing. By keeping a unified record of peculiar incidents, you equip your team to assess threats from outside as well as from within, and you remove the information silos that may allow a criminal to steal from you undetected for some time.

When your security team catches a bad actor, have them debrief the wider team on the incident and how they responded to it, so that everyone learns the appropriate steps for handling a threat. Additionally, a clear IT policy of taking legal action in the event of an attack will help to dissuade would-be criminals before they even think about testing your security.

Criminal threats take a wide variety of shapes and forms, and knowing how to spot one is the first step in preventing an attack. From the C-suite to entry-level employees, everyone needs to do their part to keep your company safe. Security is more than just strong passwords; any public-facing employee should be familiar with common impersonation tactics and know how to respond when a bad actor surfaces, even if that person is a friend or colleague.

When any of these red flags are identified, your team needs to report them to management and your IT team immediately. A quick response can mean the difference between a successful data breach and a prevented attack. By training your team to be an integral part of your security efforts, you multiply your protection many times over.

Curious about what vulnerabilities you haven’t spotted at your own business? Contact us for a complimentary security audit.