Today’s headlines report that big banks have been hit by cyberattacks, according to the FBI. While this news is alarming, it certainly is not surprising.
Hackers are always probing bank systems, and a year or so ago law enforcement authorities and regulators put out an advisory to banks about criminals hacking into bank employee accounts to infiltrate their computer networks and, in some selected cases, to steal funds.
Frankly, this isn’t new news – it’s just the culmination of old news. I imagine that the authorities and security staff never were able to eliminate the hackers from their systems. They have probably been in there for years, and there have probably been multiple actors, ranging from financial hackers to state-sponsored cyberspies.
Wake Up Call
But this should serve as a loud wake-up call for bank boards to elevate security to the top of their agenda, and to make sure their security staff (e.g. the CISO) are doing everything they can to secure the business. They also need to make sure the CISO and IT staff have the business support they need to make it all happen.
Organizational issues – as opposed to the technology issues – are generally the main impediments to successful defense of the bank’s assets. Organizations need to be aligned in order to properly defend themselves from cyber-attacks. Senior and board-level management need to support security initiatives directly by getting involved, and not just leaving it to the CIO or CISO to figure out. These IT and IS executives can’t do their jobs without business support. And that has to come from the board level, given the siloed nature of these large bank organizations.
What’s the Damage?
While this is cause for alarm, in a sense we should all be prepared for this. When it comes to financial assets being stolen, the banks have strong safeguards in place and can shut down wire and money transfer systems if they need to before too much damage is done. So, for example, some unauthorized money transfers could certainly take place, but they would be limited in number if the criminals attempted a mass attack against the money transfer systems. (Of course the stock market would have an extreme negative reaction if this occurred – hopefully that would be short-lived.)
As for the data, it’s safe to say we must assume all our financial information is subject to theft, as are simple credentials such as passwords. That certainly is not a good situation, and banks, intel agencies and other enterprises must do a better job at protecting sensitive data. But I see a lot more money spent on preventing the USE of stolen data than I do on preventing the theft of the data itself – for simple economic reasons, i.e. the use of stolen data directly affects the company’s bottom line. The theft of data generally doesn’t have that impact unless it’s disclosed to the public, since the stolen data is generally used at another enterprise.
Most large financial institutions have spent considerable sums on fraud detection systems that prevent the use of stolen data. They are certainly not perfect, but they do catch the majority of fraud attempts. It’s the small financial institutions and their third-party processors that we should be worried about because they are not securing their systems as well as they should be.
So while it makes me nervous that this is happening, I do believe the large financial services companies can protect their and our financial assets such that a massive robbery cannot take place. And as noted it’s safe to assume information is no longer confidential and we just have to compensate for that by preventing the use of stolen information for illicit purposes. It’s just the new world order.