The morning of Tuesday, September 15, 2020, Diamond Security Co. Chief Operations Manager Ivan Ramírez was finishing up a basic security system installation in the offices of Silver Bank when a new cyberattack blasted financial entities around the world. The financial entities that could defend themselves were those that had sufficient security protocols and the software necessary to face the pernicious attack. However, those that did not possess these mechanisms had to pay a high price for their lack of preparation. In the case of Silver Bank, its security system had multiple vulnerable points.
Cyberattacks on financial institutions seek to gain access to clients’ accounts to withdraw or transfer money. Gaps in the security systems are exploited to access critical information technology (IT) infrastructure. Some infiltration mechanisms include using the credentials of hacked accounts, sending phishing emails, using advanced anti-virtual machine (VM)/sandbox techniques and using malware-laced proxy applications.
On the day of the attack, Santiago Oré, General Manager of Silver Bank, and Marcelo Tapia, IT and Organization Director, urgently called for a meeting with Ramírez and asked him to take immediate action against the attack. Ramírez left the meeting very satisfied with the agreements made therein, as he had been a firsthand witness to the devastation the attack had brought. He was forced to act quickly to safeguard not only the bank’s confidential information but also the money put at risk
Diamond Security and its fight against cyberattacks
Diamond Security offered IT security packages to implement a system to protect the privacy of the information stored in its clients’ computer systems. This package was supplemented by various consulting sessions, training programs and awareness-raising measures for its clients’ employees. These practices aligned with Diamond Security’s vision for information safety, in which everyone in a client company was committed and involved.
Diamond Security’s satisfactorily implemented projects together with its years in the market had forged a reputation for the company. Moreover, the organization had invested in research on new internet-based threats, which made it possible to provide services to governmental organizations, as well as companies in the telecommunications, banking and insurance sectors.
The company had been founded at the end of the 1990s, when the internet was beginning its worldwide expansion. At first, its client portfolio was made up of small businesses that wanted to incorporate new technologies in preparation for the new millennium. Years later, when cyberattacks against all kinds of entities were on the rise, Diamond Security decided to specialize in providing services specifically against this type of threat. Its hard work and excellent service soon became recognized in its country of origin, and it was able to expand into other markets, as well.
By 2020, Diamond Security was operating in five Latin American countries (Colombia, Peru, Ecuador, Brazil and Chile), providing specialized IT security services. It possessed a technical team consisting of hundreds of employees all throughout its many offices and continued to work with both state and private entities.
In recent years, however, the company had been losing its competitive edge. Reports showed that it was being displaced by its competitors in the most relevant sectors: insurance and banking. Even so, in other sectors, it was possible to position the brand to obtain the desired results, but these clients represented just a small market share. Diamond Security decided its goal was to recover its position with clients in the financial sector, so management began using a strategy specifically directed at banks: security packages tailored to clients’ specific needs and vulnerabilities, along with upgrade programs
The goal set was to sign yearlong IT security service contracts with at least five financial institutions over a 12-month period. Additionally, once the contract was signed, opportunities to provide related services were to be analyzed so that Silver Bank could become the main cyber-security provider for these companies.
Although the established goals presented a challenge, the established action plan made them reachable. Ramírez, as the sales representative, attended meetings with potential clients to offer them Diamond Security’s packages. In preparation for these meetings, Ramírez and his team would start by running a diagnostic of the potential client company’s security situation so that the possible package to solve its particular problems could be presented. During these diagnostics, several recurring themes kept popping up:
- lack of understanding about the vulnerability of IT systems and risk control;
- lack of interest in information protection systems;
- low frequency of severe cyberattacks;
- lack of historical data on the damage caused by attacks; and
- limited budget for cyber-security.
Due to normative changes put in place by the Peruvian regulatory entity that supervised financial institutions’ IT security, companies were being forced to improve their IT systems. One of these companies was Silver Bank, which received proposals from various IT security providers: Diamond Security, Safety Web and Virus Block. In the end, its years of experience in the market tipped the scale in favor of Diamond Security.
In mid-June 2020, the two companies came to an agreement. Diamond Security’s basic package would be installed over a period of three months, and the total price would be paid once approved by the regulatory entity. Although at first it appeared it would be a simple job, as the system was being installed, gaps were identified in basic systems, which made the project more complicated. This caused an almost 50% increase in the total price to be paid by Silver Bank, although the final installation date remained unchanged.
Silver Bank and its presence in the Peruvian market
The services provided by Silver Bank included a product portfolio ranging from personal loans, mortgages and vehicle loans to credit and debit card services. It also offered different savings account and life insurance products, interbank transfers and benefits for its most faithful clients.
Silver Bank was founded more than 80 years ago and had both domestic and foreign shareholders. Despite the difficulties it had faced, the company had been able to expand its domestic operations by increasing its market share and expanding to the country’s major cities.
This expansion was made possible by the organizational structure, which emphasized commercial development through the opening of new branches throughout the country. That is how Silver Bank was able to increase its number of savings account clients and loan clients. As the years passed and the bank expanded its operations, it was able to make its presence felt throughout the entire nation. In addition to opening new branches, it partnered with bank agents in even the most remote parts of the country.
The trust its clients had in the bank was due to the great lengths it went to satisfy them. During the COVID-19 pandemic, things were no different: Silver Bank worked hard to protect its employees’ and clients’ health. Additionally, it carried out different projects to show solidarity with those affected by the pandemic to contribute to the common good.
As mentioned, Silver Bank had a broad product portfolio, and it had an even broader client portfolio. The sectors it worked with ranged from business to manufacturing, agriculture, mining, fishing, construction and real estate. It carried out loyalty campaigns for both small business owners and large corporations, not to mention its individual clients.
The bank was constantly working to improve its policies to satisfy its clients. Its deep-rooted philosophy put the client at the center of its decision-making process. Therefore, it invested a great deal in employee training at every level. Moreover, this customer-centric culture and overarching goal of customer satisfaction carried over to its virtual platforms.
Oré, in his strategic leadership role in Silver Bank, was well aware of the importance of investing in IT to guarantee the effective delivery of the services offered and to maintain clients’ trust; that is why he wished to expand the bank’s vision. With this in mind, he scheduled numerous meetings with Tapia and Ramírez to try to understand how the IT area worked, as well as what its needs and contributions were, to revise the company’s vision statement. However, most members of the Silver Bank board of directors did not consider this new vision very important and thought that the bank was already investing enough in IT, as it was.
At Silver Bank, Tapia led a team of engineers in charge of IT infrastructure and operations who were all following the security policies instituted five years ago. This team was trying to carry out, albeit in a very general way, a business continuity plan (BCP) and a simplified processes outline for disaster recovery planning (DRP) in case any threat to cybersecurity ever came up. Additionally, Oré had taken Ramírez to several meetings with the board of directors so that Ramírez, as an expert, could explain the importance of increasing the bank’s investment in cybersecurity and of formulating an IT strategy more heavily focused on cybersecurity. In multiple meetings with the board of directors, Ramírez had suggested that it would be ideal to implement a new manager-level role: a Chief Information Security Officer, who would be in charge of developing a security strategy, developing a risk mitigation strategy and effectively monitoring how security resources were used, as there was currently no specialized, cybersecurity-focused team within the IT area.
Another suggestion that Ramírez had, since Diamond Security had carried out several external audits of the bank’s security systems, was the implementation of ISO 27001 standards to ensure that the bank’s processes complied with international security standards. The Diamond Security audits had identified vulnerable points related to the lack of updates in the Secure Socket Layer cryptographic protocols and the public–private key infrastructure. These were both vital elements to ensuring that information remained secure.
However, one issue the company could not ignore was cyberattacks. With the expansion of the Internet and its integration into all of the bank’s operations, the risk of infiltration was inevitable. No financial entity can permit classified information to be leaked, but this was hard to get management to understand, due to the complexity of the matter and management’s belief that investment in security would not be profitable.
Based on the case, what are the risks that can be identified? (with explanation)