The evolution of cybercrime continues. The preferred target in the financial industry is moving from the bank customer to the employee.
That is according to the FBI, which issued a warning earlier this week that the latest trend among cybercriminals is to steal employee login credentials using spam and phishing emails, keystroke loggers, and Remote Access Trojans (RATs).
And the best way to fight it? That question leads to the ongoing debate over training versus technology. Most security experts say both are necessary, and the FBI provides a list of training recommendations and policy protocols to keep employees from giving up the keys to the financial kingdom. But some experts, like George Tubin, senior security strategist for Trusteer, say improved technology is the only effective solution.
"Part of the solution is training," he said. "But we've been talking about this for so long, trying to educate customers and employees. It has become one of those battles I don't think we're going to win."
"Some of the ploys are so good they could fool almost anyone -- very sophisticated schemes like web injections and email from friends that lead you to open an attachment. The real answer comes in automated technology, to make sure people don't respond to those things," Tubin said.
He also noted that the trend toward employees working at remote branches or at home, the BYOD (bring your own device) trend, and employees being allowed to surf the web off the corporate network "makes them extremely vulnerable."
Brian Berger, vice president at Wave Systems, agrees. "Users are going to be users no matter how strong the security awareness education is, so it is critical that organizations have a counter measure in place to help mitigate threats like these," he said. "Specifically, hardware authentication through the Trusted Platform Module (TPM) makes it so the criminals couldn't penetrate even if the employee had a misstep."
Kevin Flynn, a senior product manager at Fortinet, compares training to driver education for teens. "Drivers Ed may help reduce accidents but it doesn't necessarily make teenagers safe drivers," he said. "Security belongs in the network."
However, Scott Greaux, vice president of product management and services at PhishMe, said, "Education is an organization's best defense against these threats but those efforts need to break away from the traditional security awareness model and employ creative and immersive education techniques such as mock phishing exercises that both improve awareness and increase retention."
Greaux doesn't rule out better technology as a factor. But he said the human element can strengthen security protocols. "Financial institutions should implement a mix of random and threshold-based reviews for all wire transfers," he said. "This will add an extra layer of human interaction with transactions, making it more challenging for fraudulent transfers to go unnoticed."
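The mixed review policy Greaux describes can be sketched as a routing rule that decides which wire transfers are held for a human reviewer. The following is an added example written for this article, not code from PhishMe, Trusteer or any institution quoted here; it generalizes the quote slightly by checking both a per-transfer amount threshold and a per-originator daily cumulative threshold, plus a seeded random sample. The `Transfer` fields, the threshold values and the sample transfers are all constructed for illustration.

```python
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """A wire transfer as seen by the review router (hypothetical record shape)."""
    transfer_id: str
    originator: str   # employee or user account that initiated the transfer
    amount: float     # amount in the institution's base currency
    day: str          # ISO date on which the transfer was submitted


def select_for_review(transfers, single_threshold, daily_threshold, sample_rate, seed):
    """Return {transfer_id: [reasons]} for every transfer that should be held for review.

    A transfer is flagged when any of these hold:
      * its amount reaches single_threshold (threshold-based review);
      * the originator's cumulative total for that day reaches daily_threshold,
        which catches a large sum split into several small transfers;
      * it falls into the random sample (probability sample_rate), so that even
        small, below-threshold transfers are sometimes seen by a person.
    The random stream is seeded server-side so the selection is reproducible for
    audit but not predictable by the person submitting the transfer.
    """
    rng = random.Random(seed)
    daily_total = defaultdict(float)
    flagged = {}
    for t in transfers:
        reasons = []
        if t.amount >= single_threshold:
            reasons.append("amount >= single threshold")
        daily_total[(t.originator, t.day)] += t.amount
        if daily_total[(t.originator, t.day)] >= daily_threshold:
            reasons.append("originator daily total >= daily threshold")
        # Draw for every transfer, flagged or not, so the sample is uniform.
        if rng.random() < sample_rate:
            reasons.append("random sample")
        if reasons:
            flagged[t.transfer_id] = reasons
    return flagged


# Constructed sample: two split transfers from one originator, one large
# transfer, and two small ones that only a random sample would ever surface.
SAMPLE_TRANSFERS = [
    Transfer("T1", "alice", 4000.0, "2024-01-08"),
    Transfer("T2", "alice", 7000.0, "2024-01-08"),   # pushes alice's daily total to 11000
    Transfer("T3", "bob", 25000.0, "2024-01-08"),    # over the single-transfer threshold
    Transfer("T4", "carol", 500.0, "2024-01-08"),
    Transfer("T5", "alice", 100.0, "2024-01-09"),    # new day, counter resets
]

if __name__ == "__main__":
    held = select_for_review(SAMPLE_TRANSFERS, single_threshold=10000.0,
                             daily_threshold=10000.0, sample_rate=0.1, seed=2024)
    for tid, why in held.items():
        print(tid, "->", "; ".join(why))
```

With a sample rate of zero the example holds only T2 (daily total) and T3 (single amount); raising the rate adds a random slice of the remaining traffic, which is the part of the policy that keeps a reviewer's attention on transfers an attacker would deliberately keep small.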