What Banks Need To Do After the JPMorgan Breach

If breaches are inevitable, banks need to know how to respond to them.

Banks have historically been at the forefront of IT security, but even the best defenses might not be enough in today’s environment of unending data breaches. Last week, Bloomberg News broke the story of a major cyber attack that had infiltrated JPMorgan Chase’s network, and possibly that of other major financial institutions.

The breach of JPMorgan Chase seems to have resulted from a malware infection on an employee’s personal computer via a phishing attack, according to media reports. Hackers then penetrated the bank’s network through a VPN from the infected computer.

“This points out -- it doesn’t matter how good your security is -- human error can bring you down,” says Adam Levin, founder and chairman of IDT911, a data security solutions provider. “These spear-phishing emails keep getting more sophisticated. It was reported that RSA got breached by one about a year ago. And RSA is arguably the most secure company in the world.”

[For more on data breaches: What Banks Can Learn from the Target Breach.]

Banks may now need to come to grips with an environment where breaches are inevitable, regardless of their huge investments in cyber security. (JPMorgan Chase said it would raise its cyber security investment to $250 million this year in a letter to shareholders a few months ago.)

“Every financial institution has to have a plan in place [in the event of a breach]. And they need to be able to execute it from muscle memory. It’s like if you’re on a nuclear submarine and you get the signal [to launch], that’s trained into you what to do next,” Levin advises.

That plan has to include 24/7 monitoring of systems for anomalous behavior and continuous employee training so policies and procedures are drilled into them, he says. Banks are going to have to be prepared for serious damage control.

“The companies that have best survived data breaches -- the ones that weren’t litigated into the stone age -- they responded very quickly, transparently, and with empathy. And that empathy part is incredibly important, since many customers already have a love/hate relationship with their bank,” Levin notes.

In addition to constant monitoring and employee training, banks need to educate their customers and help get them signed up for transaction monitoring services. “That’s the ultimate early alert for the customer, and it helps the bank stop the bleeding early,” he says.

New solutions are also going to have to be adopted for security, Levin suggests. “At some point I think biometrics will have to play a bigger role. Passwords and usernames are going to have to be gone. And information segmentation is going to be critical,” he points out. Reforming existing security measures and adopting new ones will cost more money, but banks have to realize that they’re in an arms race, and the hackers seem to have the advantage.

“In the old days, someone robbed a bank and then they took some time off. Today’s thief is working 24/7 obsessively on one target. Plus hackers can be in countries where the US doesn’t have jurisdiction, or can even be supported by the government. They can have unlimited resources,” he notes.

It seems reasonable to assume that heightened investment in cyber security is going to be the cost of doing business if the hackers have that kind of time and resources on their hands. “As much as every bank likes to announce big earnings… there’s no point in showing great earnings one quarter, and then getting a major breach in the next one,” Levin remarks.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Comments
Jonathan_Camhi,
User Rank: Author
9/5/2014 | 12:56:46 PM
Re: Too Many Copies of Data
That's a very good point. That customer data is the crown jewels for a financial institution. They have to be protected from being accessed through the most vulnerable parts of the organization's network at all costs.
jsantangelo101,
User Rank: Apprentice
9/2/2014 | 12:14:59 PM
Too Many Copies of Data
Many if not most large financial organizations have many copies of data which are prone to hackers. These need to be carefully cataloged and addressed. Which should be removed and which should remain. Of the remainders, how many need real data and how many can have masked data?

Making sense of the vast amounts of data that exist will result in a smaller "hackable footprint" and force hackers to go after a smaller, better defended target area.