
Big Banks hit by CyberAttacks – Alarming but not Surprising

By Avivah Litan | August 28, 2014 | 1 Comment

Today’s headlines report that big banks have been hit by cyberattacks, according to the FBI. While this news is alarming, it certainly is not surprising.

Hackers are always probing bank systems, and a year or so ago law enforcement authorities and regulators put out an advisory to banks about criminals hacking into bank employee accounts to infiltrate their computer networks and, in some selected cases, to steal funds.

Frankly, this isn’t new news – it’s just the culmination of old news. I imagine that the authorities and security staff never were able to eliminate the hackers from their systems. They have probably been in there for years, and there have probably been multiple actors, ranging from financial hackers to state sponsored cyberspies.

Wake Up Call

But this should serve as a loud wakeup call for bank Boards to elevate security to the top of their agenda, and to make sure their security staff (e.g. the CISO) are doing everything they can to secure the business. They also need to make sure the CISO and IT staff have the business support they need to make it all happen.

Organizational issues – as opposed to the technology issues – are generally the main impediments to successful defense of the bank’s assets. Organizations need to be aligned in order to properly defend themselves from cyber-attacks. Senior and board level management need to support security initiatives directly by getting involved, and not just leaving it to the CIO or CISO to figure out. These IT and IS executives can’t do their jobs without business support. And that has to come from the board level, given the siloed nature of these large bank organizations.

What’s the Damage?

While this is cause for alarm, in a sense we should all be prepared for this. When it comes to financial assets being stolen, the banks have strong safeguards in place and can shut down wire and money transfer systems if they need to before too much damage is done. So, for example, some unauthorized money transfers could certainly take place, but they would be limited in number if the criminals attempted a mass attack against the money transfer systems. (Of course the stock market would have an extreme negative reaction if this occurred – hopefully that would be short lived).

As far as the data – it’s safe to say we must assume all our financial information is subject to theft, as are simple credentials such as passwords. That certainly is not a good situation and banks, intel agencies and other enterprises must do a better job at protecting sensitive data. But I see a lot more money spent on preventing the USE of stolen data than I do on preventing the theft of the data itself – for simple economic reasons, i.e. the use of stolen data directly affects the company’s bottom line. The theft of data generally doesn’t have that impact unless it’s disclosed to the public since the stolen data is generally used at another enterprise.

Most large financial institutions have spent considerable sums on fraud detection systems that prevent the use of stolen data. They are certainly not perfect, but they do catch the majority of fraud attempts. It’s the small financial institutions and their third party processors that we should be worried about because they are not securing their systems as well as they should be.

So while it makes me nervous that this is happening, I do believe the large financial services companies can protect their and our financial assets such that a massive robbery cannot take place. And as noted it’s safe to assume information is no longer confidential and we just have to compensate for that by preventing the use of stolen information for illicit purposes. It’s just the new world order.


1 Comment

  • Karsten Scherer says:

    Thanks, Avivah, insightful read. I remember seeing a slide up at Gartner’s security summit earlier this year ranking CIO priorities, with security as a stand-alone ranking ‘only’ eighth, while initiatives like BI, ERP or Mobile were closer to the sun. It struck me that, looking more closely at numbers 1-7, they all have massive security implications. Taking BI, for instance – right away, security becomes a concern whenever private corporate data is accessed. So are companies performing surface area reductions? Do they have a decent authentication strategy, granular permissions etc.? Every one of these high profile initiatives contains a major security component. The organizational issues being a root cause as opposed to technology issues rings true. Hopefully that is changing – an analyst at the security summit told me that there were more CIOs in attendance at the 2014 conference than ever before, as well as more representatives from the biz

    Perhaps that’s a sign that what’s often considered as the divide between CIO and CISO and IT and business is shrinking. High profile examples like Target no doubt are contributing to that – no CIO wants to see his or her company’s name in the paper for the wrong reasons, and many are shifting behavior accordingly.