Almost half of all Swiss companies have already been the victim of a cyberattack. Such attacks target data that can be turned into money, or the opportunity to steal large sums of money digitally. This is why cybersecurity has never been more important and topical, especially in the banking sector. One way of finding and eliminating vulnerabilities in your own system before an attack can take place is the so-called Bug Bounty Program. We tested it – and gained some surprising insights.
Cinema and film fans can certainly remember the movie «Entrapment» from 1999. In this film, the Clearance Bank in Singapore is to be robbed on the night of the turn of the millennium by taking advantage of a brief power cut. To do this, the thieves must gain access to the building. They acquire a copy of the access card to the secured server room and the associated access codes on the black market. They also find the building’s blueprints and use them to gain access to the server room. There they connect a specially programmed laptop to the central computer, and in this way try to steal several billion dollars. We’ll leave it open at this point whether they succeeded – after all, we don’t want to spoil the fun. 🙂
Danger from cyber attacks
Today – twenty years later – buildings and access monitoring systems are no longer an obstacle for criminals; for a long time now, thieves have no longer had to expose themselves to the physical danger of a burglary. Instead, cyber criminals, also known as hackers, gain access to computer systems and remotely maintained machines, for example by introducing malware, obtaining access data through phishing e-mails, or by deliberately breaking into other people’s networks. In doing so, they damage the reputation of companies, deface and manipulate their websites, or extort large sums of money by threatening to publish the stolen data. A horror scenario for any bank!
Attacks on SMEs and banks
Cyberattacks have also increased sharply in Switzerland – almost half of all Swiss companies have already fallen victim to one. It must be assumed that an attack costs an SME an average of CHF 5 million (source: presentation Bug Bounty Switzerland, 21.07.2020). At the same time, a loss of trust among customers looms.
Banks have been particularly popular targets since cybercrime began. In many cases, criminals use phishing methods to gain access to e-banking accounts. Another variant is the so-called CEO fraud. In this case, the perpetrator uses fake e-mails to order transfers from the accounting department in the name of a superior – and before you know it, large sums of money mistakenly change hands. Another often underestimated risk lies in a company’s infrastructure connected to the Internet: remotely maintained production machines, heating systems or even building technology are popular targets for hackers.
In the digital world, the question is not if you will be attacked, but when (source: HWZ CAS Cybersecurity, Compliance & RegTech lecture, Umberto Annino, 17.10.2020). Prevention is therefore the order of the day. In banking, the greatest importance is attached to maximum security of the infrastructure when working with IT partners, in order to protect the data and ultimately the assets of the customers.
Cybersecurity at Bernerland Bank
Security, especially in the area of IT, is a particular concern for us at Bernerland Bank. That is why we work with established partners, including Swisscom (Schweiz) AG, Finnova and Esprit Netzwerk AG. Raising our employees’ awareness of security issues and regularly testing our infrastructure are top priorities for us. We have underpinned this focus once again in our collaboration with Bug Bounty Switzerland: In August 2020, we decided to conduct a Reality Check, i.e. a time-limited Bug Bounty program, for one of our IT systems.
Bug Bounty Program
In a Bug Bounty Program, ethical hackers search for vulnerabilities, or «bugs», within an existing IT environment, all legally under a contractual relationship and for a fee. Hence the word «bounty», which means reward. Such programs are now part of the IT security standard at internationally active companies and can be set up either publicly or privately. In a publicly advertised program, anyone with hacking expertise is free to participate. In private programs, only selected hackers receive an invitation to participate.
Before the start of our Reality Check, we agreed on the following general conditions with Bug Bounty Switzerland:
- We defined a self-contained IT system of Bernerland Bank as the test object.
- We limited the duration of the check to a maximum of two weeks.
- We invited four ethical hackers.
- We set the bounty at a sum in the lower 5-digit range.
Important to know: In a Bug Bounty Program, participating hackers only receive compensation if they uncover a vulnerability. The amount of the reward depends on the severity of the vulnerability found: low, medium or high criticality.
So, how did it go? Our findings after the first-ever Bug Bounty Program.
To say it right away: The result was sobering. Our Reality Check lasted only three days. During this period, the hackers uncovered four critical security vulnerabilities. This meant that the budget had been used up. The vulnerabilities found would have allowed a hacker with criminal intent to manipulate the tested system. Thanks to the detailed reports from the Bug Bounty Program, we were able to identify and close the vulnerabilities immediately.
What to do when it happens?
If, contrary to all security precautions, a company has become the victim of a cyber attack, the damage incurred and its extent must be documented quickly and appropriate measures taken, whether restoring from backups or communicating with customers, suppliers and partners. It is essential to define and practice this procedure in advance. Acting professionally in a difficult situation strengthens the company’s reputation and maintains external trust. If cyber insurance is in place, the attacked company receives support from specialized teams in restoring the IT infrastructure and data as well as in communication and legal issues, depending on the scope of the insurance.
We have learned from our first Bug Bounty Program that measures such as employee training, traditional security tests and careful selection of our IT partners form a good basis in the area of cybersecurity. At Bernerland Bank, regular Reality Checks like the Bug Bounty Program will remain important because we are convinced that they help us maintain the security of our IT infrastructure – knowing that no system is 100 percent secure. Nevertheless, we can use Reality Checks to identify vulnerabilities at an early stage and minimize risks. Based on the experience we have gained, we also consider it valuable for our SME customers to reassess their individual IT environments from this perspective. We will all succeed even better in the digital transformation if we add the dimension of cybersecurity testing to our risk management.