Gartner Blog Network


Big Banks hit by CyberAttacks – Alarming but not Surprising

by Avivah Litan  |  August 28, 2014  |  2 Comments

Today’s headlines report that big banks have been hit by cyberattacks, according to the FBI. While this news is alarming, it certainly is not surprising.

Hackers are always probing bank systems and even a year ago or so, law enforcement authorities and regulators put out an advisory to banks about criminals hacking into bank employee accounts to infiltrate their computer networks, and in some selected cases to steal funds.

Frankly, this isn’t new news – it’s just the culmination of old news. I imagine that the authorities and security staff never were able to eliminate the hackers from their systems. They have probably been in there for years, and there have probably been multiple actors, ranging from financial hackers to state sponsored cyberspies.

Wake Up Call

But this should serve as a loud wakeup call for bank Boards to elevate security to the top of their agenda, and to make sure their security staff (e.g. the CISO) are doing everything they can to secure the business. They also need to make sure the CISO and IT staff have the business support they need to make it all happen.

Organizational issues – as opposed to the technology issues — are generally the main impediments to successful defense of the bank’s assets. Organizations need to be aligned in order to properly defend themselves from cyber-attacks. Senior and board level management need to support security initiatives directly by getting involved, and not just leaving it to the CIO or CISO to figure out. These IT and IS executives can’t do their jobs without business support. And that has to come from the board level, given the siloed nature of these large bank organizations.

What’s the Damage?

While this is cause for alarm, in a sense we should all be prepared for this. When it comes to financial assets being stolen, the banks have strong safeguards in place and can shut down wire and money transfer systems if they need to before too much damage is done. So, for example, some unauthorized money transfers could certainly take place, but they would be limited in number if the criminals attempted a mass attack against the money transfer systems. (Of course the stock market would have an extreme negative reaction if this occurred – hopefully that would be short lived).

As far as the data – it’s safe to say we must assume all our financial information is subject to theft, as are simple credentials such as passwords. That certainly is not a good situation and banks, intel agencies and other enterprises must do a better job at protecting sensitive data. But I see a lot more money spent on preventing the USE of stolen data than I do on preventing the theft of the data itself – for simple economic reasons, i.e. the use of stolen data directly affects the company’s bottom line. The theft of data generally doesn’t have that impact unless it’s disclosed to the public since the stolen data is generally used at another enterprise.

Most large financial institutions have spent considerable sums on fraud detection systems that prevent the use of stolen data. They are certainly not perfect, but they do catch the majority of fraud attempts. It’s the small financial institutions and their third party processors that we should be worried about because they are not securing their systems as well as they should be.

So while it makes me nervous that this is happening, I do believe the large financial services companies can protect their and our financial assets such that a massive robbery cannot take place. And as noted it’s safe to assume information is no longer confidential and we just have to compensate for that by preventing the use of stolen information for illicit purposes. It’s just the new world order.

Additional Resources

Category: 

Avivah Litan
VP Distinguished Analyst
19 years at Gartner
34 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Ms. Litan's areas of expertise include endpoint security, security analytics for cybersecurity and fraud, user and entity behavioral analytics, and insider threat detection. Read Full Bio


Thoughts on Big Banks hit by CyberAttacks – Alarming but not Surprising


  1. […] a blog posted just after news of the alleged attack broke, Litan states: “Hackers are always probing […]

  2. Karsten Scherer says:

    Thanks, Avivah, insightful read. I remember seeing a slide up at Gartner’s security summit earlier this year ranking CIO priorities, with ecurity as a stand-alone ranking ‘only’ eighth, while initiatives like BI, ERP or Mobile were closer to the sun. It struck me that, looking more closely at numbers 1-7, they all have massive security implications.Taking BI, for instance – right away, security becomes a concern whenever private corporate data is accessed. So are companies performing surface area reductions? Do they have a decent authentication strategy, granular permissions etc.? Every one of these high profile initiatives contains a major security component. The organizational issues being a root cause as opposed to technology issues rings true. Hopefully that is changing – an analyst at the security summit told me that that there were more CIOs in attendance at the 2014 conference than ever before, as well as more representatives from the biz

    Perhaps that’s a sign that what’s often considered as the divide between CIO and CISO and IT and business is shrinking. High profile examples like Target no doubt are contributing to that – no CIO wants to see his or her company’s name in the paper for the wrong reasons, and many are shifting behavior accordingly.



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.