Banks have historically been at the forefront of IT security, but even the best defenses might not be enough in today’s environment of unending data breaches. Last week, Bloomberg News broke the story of a major cyber attack that had infiltrated JPMorgan Chase’s network, and possibly that of other major financial institutions.
The breach of JPMorgan Chase seems to have resulted from a malware infection on an employee’s personal computer via a phishing attack, according to media reports. Hackers then penetrated the bank’s network through a VPN from the infected computer.
“This points out -- it doesn’t matter how good your security is -- human error can bring you down,” says Adam Levin, founder and chairman of IDT911, a data security solutions provider. “These spear-phishing emails keep getting more sophisticated. It was reported that RSA got breached by one about a year ago. And RSA is arguably the most secure company in the world.”
[For more on data breaches: What Banks Can Learn from the Target Breach.]
Banks may now need to come to grips with an environment where breaches are inevitable, regardless of their huge investments in cyber security. (JPMorgan Chase said it would raise its cyber security investment to $250 million this year in a letter to shareholders a few months ago.)
“Every financial institution has to have a plan in place [in the event of a breach]. And they need to be able to execute it from muscle memory. It’s like if you’re on a nuclear submarine and you get the signal [to launch], that’s trained into you what to do next,” Levin advises.
That plan has to include 24/7 monitoring of systems for anomalous behavior and continuous employee training so policies and procedures are drilled into them, he says. Banks are going to have to be prepared for serious damage control.
“The companies that have best survived data breaches -- the ones that weren’t litigated into the stone age -- they responded very quickly, transparently, and with empathy. And that empathy part is incredibly important, since many customers already have a love/hate relationship with their bank,” Levin notes.
In addition to constant monitoring and employee training, banks need to educate their customers and help get them signed up for transaction monitoring services. “That’s the ultimate early alert for the customer, and it helps the bank stop the bleeding early,” he says.
New solutions are also going to have to be adopted for security, Levin suggests. “At some point I think biometrics will have to play a bigger role. Passwords and usernames are going to have to be gone. And information segmentation is going to be critical,” he points out. Reforming existing security measures and adopting new ones will cost more money, but banks have to realize that they’re in an arms race, and the hackers seem to have the advantage.
“In the old days, someone robbed a bank and then they took some time off. Today’s thief is working 24/7 obsessively on one target. Plus hackers can be in countries where the US doesn’t have jurisdiction, or can even be supported by the government. They can have unlimited resources,” he notes.
It seems reasonable to assume that heightened investment in cyber security is going to be the cost of doing business if the hackers have that kind of time and resources on their hands. “As much as every bank likes to announce big earnings… there’s no point in showing great earnings one quarter, and then getting a major breach in the next one,” Levin remarks.
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ... View Full Bio