The Nasdaq posted an article on their web site from Dow Jones that talks about the big banks’ fight against hackers and malware. While the article quotes the Association of Corporate Counsel statistic that 30% of data breaches are due to employee error, I think that number is significantly understated.
While this article is about banks, it is equally applicable to every other business.
Here are some tidbits about what the big banks are doing and you might consider:
- J.P. Morgan Chase sends out fake phishing emails to its employees periodically. A few weeks after they were hit with an insider breach that compromised more than 75 million records, they sent out a test phish. 20% of their employees fell for the email. Chase is not disclosing what they are doing about it. They did announce that they will be spending about $500 million on cybersecurity this year.
- Chase is now PROHIBITING employees from using their work emails for personal use such as registering on shopping sites or social media. This is a big turnaround from just a few years ago when those policies were relaxed. Of course, at most companies, if I know your name, I can figure out your email because emails are standardized. If I work for Chase, I can’t have my email address be BigRedTruck@Chase.com. The only time there is any question about what my email would be at most companies is if there are two people with exactly the same name. If companies used accounts like firstname.lastname@example.org and kept their directories as private as possible, they would at least make phishers work a little bit.
- Bank of America’s CEO Brian Moynihan said that their cybersecurity budget is effectively unlimited and they are increasing their focus on employees. He said that they are hard on their employees – they even discourage out of office notices on email and voicemail so that hackers cannot easily tell if an account is not being monitored at the moment. This is a tradeoff with customer service, but you can get around that by having a coworker check your voice mail using a temporary password and check your email by delegating authority (WITHOUT sharing your domain password) for them to see your email.
- Wells Fargo CEO John Stumpf said that they are spending an “ocean” of money and that it is the only expense where he asks whether they are spending enough. They declined to put a number to it, however.
- As is well documented, LinkedIn is a great tool for hackers and is often one of the first sites I check when I am “checking out” a company. Attackers get names, companies, job titles, job descriptions, software experience, etc. Companies are trying to figure out what the balance should be between security and personal rights. Social media (particularly Facebook) is also a great place to go to find out who is out of town, where they are going and sometimes even how long they will be gone. This is very helpful if you want to break into their house or steal their mail. In fact, some insurance companies have started to deny coverage based on social media posts. My recommendation is not to post anything until after you are back from a trip.
- TD Bank is also sending out fake phishing emails to employees. If they click on the link, they get a video explaining what they did wrong. The videos get a workout!
- Even small banks are working on improving personnel awareness. Pinnacle Financial Partners sends out phishing emails to its employees every quarter and even though employees know this, a small percentage still click on the links.
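Here is what the delegation described in the Bank of America item looks like in practice on an Exchange Online mailbox. This is an added example, not something from the article; the addresses, the existing Exchange Online PowerShell session and the Inbox-only scope are my assumptions.

```powershell
# Added example (not from the article): give a coworker temporary, read-only
# coverage of a mailbox so nobody has to share a domain password.
# Assumes an Exchange Online PowerShell session; both addresses are placeholders.
$Owner    = "alice@example.org"   # employee who is away (placeholder)
$Delegate = "bob@example.org"     # coworker covering the Inbox (placeholder)

# Reviewer = read-only rights on the Inbox folder and nothing else in the mailbox.
Add-MailboxFolderPermission -Identity "${Owner}:\Inbox" -User $Delegate -AccessRights Reviewer

# If the coworker must answer mail, use Send on Behalf rather than SendAs:
# recipients can still see that someone else sent the message.
Set-Mailbox -Identity $Owner -GrantSendOnBehalfTo @{Add = $Delegate}

# Audit the grant: the list should contain only the owner, Default/Anonymous
# entries and the one delegate just added.
Get-MailboxFolderPermission -Identity "${Owner}:\Inbox" | Format-Table User, AccessRights

# When the owner is back, revoke both grants so the access does not linger.
Remove-MailboxFolderPermission -Identity "${Owner}:\Inbox" -User $Delegate -Confirm:$false
Set-Mailbox -Identity $Owner -GrantSendOnBehalfTo @{Remove = $Delegate}
```

The revoke step is the one most often forgotten; put the return date on a calendar reminder or run the last two lines from a scheduled task.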
As I said earlier, this advice applies to any business. Those that handle money, of course, should already be sensitive, but companies that have intellectual property (which would be almost any business) should also be nervous. Intellectual property includes customer lists, contracts, proposals, technology and many other things that would be useful to a competitor or adversary. The hackers that stole 75+ million records from Chase did it to facilitate insider trading and made several hundred million dollars before they got caught. Whether Chase got any of that money back is unknown, but I doubt it. It is unlikely that money is in any country friendly to the U.S. Even if they spend a few years in jail, it will be comforting to know that when they get out and go to, for example, the Caymans, they will be able to live out the rest of their lives in luxury.
Just food for thought.
Find a link to the article at the Nasdaq web site.