Network also says it will impose 'baseline' security standards
That sounds like a plan. Presumably that came from their Department of Comedic Papal Millinery Assessment, Ursine Arboreal Excrement Location and Miscellaneous Exsanguinary Obviousness
The SWIFT global payments system has announced it plans to suspend banks with weaker cyber defences until they improve their security. The threatened sanction follows a run of attacks on international banks over recent weeks, including the $81m mega-heist at the Bangladeshi Central Bank. These cyber-heists relied on hackers …
"Banks are already among the most heavily regulated organisations, thanks to regulations such as PCI and Sarbanes–Oxley"
PCI is Payment Card Industry, so a security standard set by banks, not something they need to comply with. And S-Ox applies to all companies listed in the US, not just banks. Were you thinking of Basel III, perchance?
The PCI standards are designed to be satisfiable by corner shops and service stations that handle credit cards (as well as much larger businesses). I'm not sure they'd add much to SWIFT.
I can't get my head round why this is even a problem. I understand why SMEs sometimes struggle to maintain adequate security, when they have limited budgets and it may not be seen as a core part of their business or very high value. But for a banking system specifically designed to handle multi-million (or even billion) dollar transactions many times a day without blinking - what lies behind inadequate protection for such a system? It can't really be simple stupidity and laziness, can it?
Those two points seem to be the bread and butter of the blackhat community.
If users (banking or otherwise) were always alert and professional, blackhats would have a hell of a harder time getting their objectives fulfilled and social engineering would be a theoretical concept.
Security is hard because IT is immensely complex. Add humans to the mix and breaches are practically inevitable in the long run. SWIFT needs to make the run longer than it is at the moment. Nothing like the one-percenters losing a fraction of a percent of their money to get some motivation into doing that.
The fact that it's international, that other national governments are involved in regulating (or preventing regulation), that banks are not necessarily trustworthy just because they're banks, and because there is an expectation that there will be a government rescue in the event of a serious situation.
The usual first reaction I've seen in the last several incidents has been to demand a US government agency compensate banks for their losses, so it's clear they're focused on political solutions rather than technical solutions.
Biting the hand that feeds IT © 1998–2019