Leakage of banking information
The degree of economic stability depends on how vulnerable or how reliable the banking system is. Corporate accounts and the deposits of individuals are exposed to professional cybercriminals. But beyond the direct theft of funds from accounts, leakage of banking information entails other negative consequences, and developing measures to protect against leaks has become an important task for the banking community and government regulators. Banking information forms a separate category of legally protected information, banking secrecy, which is protected by Article 26 of the Federal Law "On Banks and Banking Activities".
Types of threats
Threats associated with information leakage in the work of credit institutions fall into two groups: internal and external. Internal threats include:
- mistakes by employees, or deliberate actions by employees aimed at stealing information;
- insufficient competence of the staff of information security or economic security services.
External threats include:
- direct actions of competitors aimed at obtaining information that constitutes a commercial secret of banks and their clients;
- the activities of hackers who steal information in order to cause harm or to conduct their own PR campaign;
- the activities of foreign intelligence services seeking information about the execution of contracts that involve data related to state secrets.
At risk are not only participants in the banking system and their branches or departments, but also other organizations that lend to individuals or legal entities, such as microfinance organizations. Their databases are also of interest to cybercriminals, and their degree of protection is significantly lower. For competitors engaged in industrial espionage, the main interest is in data such as:
- strategies of banks and their clients;
- data on mergers and acquisitions;
- new technologies used;
- cases of violation of the banking legislation;
- implemented scoring systems (risk assessment methods).
Direct and indirect losses
Banks as economic entities suffer from information leaks both reputationally and financially. Financial losses are divided into direct and indirect. Direct losses include:
- fines from regulators, or changes to the parameters of certain mandatory ratios that govern banking activity;
- compensation for harm to customers whose transaction or account information has leaked and who have suffered financial losses as a result;
- the cost of developing software products and technical solutions that raise the level of protection;
- the use of leaked negative information by competitors, leading to customer churn.
Indirect damage especially affects banks whose securities are listed on the Russian or foreign markets. Any leaked negative information drives down the prices of those securities, as well as the banks' credit ratings issued by the world's largest rating agencies. The amount of such damage, which is not immediately detectable, can be significantly higher than the direct losses.
From the standpoint of insider-trading legislation, a leak from a bank of information about its clients' contracts, activities, mergers or acquisitions that moves the price of the clients' shares on the stock exchange and lets an individual bank employee profit from trading on it rarely translates into losses for the credit institution itself. But such leaks can cause multimillion-dollar damage to individual enterprises or industries, and detecting them is extremely difficult, which is a problem in its own right. Bank security services have little incentive to prevent such illegal use of confidential data, since publicity would damage the bank, and sometimes the security officers themselves are the ones misusing the information. The legislation in this area offers clients of credit institutions practically no protection.
As practice shows, modern technical leakage channels are the ones most frequently used. Older interception methods, such as planting embedded devices or equipment that reads electromagnetic emanations, are fading out: installing them requires physical penetration of the facility, and the level of physical protection at large banking institutions rises every year, not least thanks to the work of the Bank of Russia, which sets requirements for material and technical security and for protective measures around the information system.
Communication channels, and all leakage channels associated with the actions of employees or the bank's management, that is, internal violators, remain vulnerable. Unauthorized copying and transmission of information cannot always be tracked, even allowing for the multi-level access control of banking software products and the databases that hold core information. Where daily backups of the entire bank database are required, control over the protection of the copied data tends to be weaker. Manipulation of accounts and passwords also remains possible. The fight against such actions should rest on the implementation of modern information security standards.
An unexpected danger can come from settlement and clearing centers, the SWIFT system and electronic payment systems, which process millions of transactions daily, are able to accumulate and analyze important commercial and personal information, and are not bound by the requirements of Russian legislation on the protection of bank secrecy. So far no cases of these resources being used in information warfare have surfaced publicly, but this cannot be ruled out.
For insider information and its use, the leakage channel is often not penetration of information systems but a conversation overheard at a meeting or a document sent out for review. Such situations are not regulated by the standards of the Central Bank of the Russian Federation, since they pose only an indirect threat to the system; the victims are an indefinite circle of securities-market participants.
The Bank of Russia takes the main methodological role in developing means of protecting banks from leaks. It is responsible for preparing the standards that govern the work of economic security personnel and IT departments. Currently in force are the provisions of the standard STO BR IBBS-1.0-2014, which are recommendatory in nature, as amended in 2016. They cover:
- responsibility of banking institutions for the safety of processed information;
- the need to strengthen control over employees;
- methodology for developing systemic measures to protect information.
Among the measures recommended by the standards:
- determination of various degrees of value of information;
- defining the categories of internal actors - potential violators;
- identification and protection of leakage channels;
- application of system software and hardware solutions.
To build an effective system of protection against information leaks, an organizational and technical protection perimeter must be designed and implemented. Among technical solutions, the most effective is a DLP system (Data Leak Prevention) tailored to the needs of a particular bank: a combination of software that prevents bank secrets from leaving the organization, together with technical devices. The system monitors the entire perimeter of information exchange and, when it detects atypical traffic, decides on its own to stop it. Modern DLP systems can detect and stop improper data exchange not only from devices located on bank premises (computers, printers, scanners) but also from the laptops of employees who are travelling.
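As an added illustration of the content-inspection step a DLP gateway performs on outbound traffic (example code written for this article, not code from any bank or DLP product), the following Python snippet scans a message for payment card numbers and settlement account numbers and returns a block/allow verdict with a masked audit record. The detection patterns, the bulk-export threshold, the assumption that any 20-digit run is a Russian account number, and the sample messages are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Added example of DLP-style content inspection. The patterns, thresholds and
# sample messages are assumptions constructed for illustration; they are not
# the rule set of any real bank or DLP product.

# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Candidate settlement account numbers: exactly 20 consecutive digits
# (the length of a Russian account number; treating every such run as an
# account number is an assumption of this example).
ACCOUNT_RE = re.compile(r"(?<!\d)\d{20}(?!\d)")
# Assumed policy: a single valid card number is blocked outright; account
# numbers are blocked only in bulk, which looks like a database export.
ACCOUNT_BULK_THRESHOLD = 3


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(number: str) -> str:
    """Keep only the last four digits so the DLP audit log does not itself leak data."""
    return "*" * (len(number) - 4) + number[-4:]


@dataclass
class Verdict:
    action: str = "allow"                         # "allow" or "block"
    reasons: list = field(default_factory=list)   # human-readable policy hits
    findings: list = field(default_factory=list)  # masked identifiers for the audit log


def inspect(text: str) -> Verdict:
    """Scan outbound content and decide whether the gateway should stop it."""
    verdict = Verdict()

    pans = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_ok(digits):                       # drops ticket numbers, phone numbers etc.
            pans.append(digits)
    if pans:
        verdict.action = "block"
        verdict.reasons.append(f"{len(pans)} payment card number(s)")
        verdict.findings.extend(mask(p) for p in pans)

    accounts = ACCOUNT_RE.findall(text)
    if len(accounts) >= ACCOUNT_BULK_THRESHOLD:
        verdict.action = "block"
        verdict.reasons.append(f"{len(accounts)} account numbers (bulk export)")
        verdict.findings.extend(mask(a) for a in accounts)

    return verdict


# Constructed sample messages (not real data): a card-number leak, harmless text
# with a Luhn-invalid digit run, a small and a bulk list of 20-digit account numbers.
SAMPLE_MESSAGES = {
    "card_leak": "Client card 4111 1111 1111 1111, exp 12/26, please process",
    "harmless": "Ticket 4111 1111 1111 1112 is not a card, meeting at 10:30",
    "two_accounts": "Accounts 40817810000000000001 and 40817810000000000002",
    "bulk_export": "40817810000000000001 40817810000000000002 40817810000000000003",
}


def run_samples() -> dict:
    """Inspect every sample message; returns {name: action} for checking."""
    return {name: inspect(text).action for name, text in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_MESSAGES.items():
        v = inspect(text)
        print(f"{name:12} -> {v.action:5} {'; '.join(v.reasons)} {v.findings}")
```

The Luhn check is what keeps a rule like this usable in a bank, where almost every document contains long digit strings; without it the gateway would block reference numbers and timestamps and operators would soon disable the rule. Masking the findings before they reach the log matters for the same reason the article gives: the monitoring system is itself a store of bank secrets and must not become another leakage channel.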
Hardware and software protection measures should not diminish the role of internal control services, whose functions include identifying atypical transactions and contacts. Developing codes of conduct, procedures and checklists for verifying the correctness of each transaction should prevent many losses of confidential data caused by the human factor.
Responsibility for the safety of information lies not only with the bank's management but also with its employees. Protection of the most important asset, bank secrecy, must fully comply with the requirements of the law, be complete and comprehensive, and leave no uncontrolled zones.