Silicon Valley Bank appears to have failed for a simple reason – mismatching of maturities of assets and liabilities . . . a basic bank management principle. Deposits were short-term and invested assets were long-term. When depositors wanted to withdraw their cash, the bank was faced with liquidating long-term investments (e.g., bonds, which were trading at interim depressed values because of recent interest rate increases). The bank was squeezed and literally ran out of cash. Early signs are that the bank had adequate capital, but mismanaged (mismatched) the maturities of deposits and investments.
In other words, it was not the system. It was the people.
In IT security, the same principle often holds true. One of my favorite reminders is that heartbeats are more vulnerable than hardware.
In the early days of data processing, it was the reverse. With some basic internal controls, honest people (most employees) posed very little risk to secured systems, data, or accounts. Outsiders had almost no ability to access our computer systems.
Then came the Internet, connectivity and external networks, and hardware became the primary risk point. Over time, technology became less prone to outsider attacks and data encryption became more prevalent.
For a short time, the good guys were winning. However, the bad guys noticed that some disgruntled employees were able to cause havoc from inside their companies.
So, the bad guys started targeting employees with their schemes – not just disgruntled employees, but even well-meaning, loyal employees. People had become more vulnerable than the system.
Of course, you need the right systems, controls, processes, and security in place. But this is relatively easy to do. It is not easy, but it is relatively easy . . . compared to changing employees’ behaviors. People generally want to help and want to do the right thing. Scammers know this and prey on this.
Thankfully, some bad actors have turned and now work against the scammers. They teach us the tricks and antidotes to counter the schemers. But we must do our part.
Employees, and anyone with access to your systems, data and accounts, need security awareness / phishing training and multi-factor authentication to stop scams.
Security awareness training helps us know what we need to do; multi-factor authentication helps us do what we need to do.
While not a substitute for training or authentication, if you have any sense that a request could be fake, please pick up the phone and call the person at a phone number you already know to be theirs . . . not one listed in the email that made the request.
If you have responsibility for systems and data security, please do not rely entirely on your IT team to protect you with their capabilities, processes and hardware. Employees, even well-meaning ones, can defeat most technical controls if they lack recurrent training and multi-factor authentication, and that puts you at risk.