The recently uncovered theft of data from 76 million households held on the web servers of the largest bank in the United States, JPMorgan Chase, has once again highlighted the massive issue of cyber-security. The bank reportedly already spends $250 million a year on its security defences and is now considering doubling that spend in further efforts to protect its information systems.
The attack on JPMorgan Chase reportedly involved the theft of a security certificate from the service company that ran the website for the JPMorgan Corporate Challenge. This allowed the hackers, thought to be a Russian or Eastern European criminal network, to steal usernames and passwords from visitors to the online platform for charitable events sponsored by the bank. These credentials, many of which belonged to bank employees, were then used to access entirely separate systems run by the bank itself.
The JPMorgan Chase security breach is still being investigated, but if this reported chain of events is accurate it suggests that some bank employees may well have contributed to the breach by using the same usernames and passwords on their work systems as they did on the external charity website. This example powerfully illustrates the fact that millions of dollars' worth of traditional security measures, such as anti-virus software and firewalls, can be completely undermined by basic security lapses on the part of individual employees, such as reusing a work password on an outside site.
As the perimeter security of organisations improves, cyber attackers are increasingly switching their attention away from security-hardened infrastructure and towards the much weaker area of company employees. With so much information about individuals available online, the most common way to exploit employees is to send a phishing e-mail that invites them to click on a link or open an attachment, which lets the hackers jump right over the perimeter security systems. Security technology will catch most, but not all, of these messages. Assessments of the success rate of such invitations suggest that as many as 90 per cent of employees may be susceptible to such attacks.
To combat this threat, employee security awareness training needs to take place on a regular basis to teach employees to think before they click, to recognise bogus e-mails and to report phishing e-mails to the correct department as soon as they become suspicious. At Crises-Control we call this ‘building responsive employees’, and we have built into the app the functionality to send and track priority messages to employees and to report back to the client on how responsive each employee is to the action they have been tasked with. Don’t forget, you are only as strong as your weakest link.