BreachExchange mailing list archives

The Weakest Link in Banks' Fight Against Hackers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 21 Dec 2015 18:02:06 -0700

http://www.nasdaq.com/article/the-weakest-link-in-banks-fight-against-hackers-20151220-00001

Terrified by a string of recent hacks, banks are spending billions of
dollars trying to fend off a faceless army of digital intruders.

But the biggest threats may come from within.

Several banks are also increasingly testing whether their employees
unintentionally leave them susceptible to hackers by falling prey to
"spear-phishing" attempts, in which criminals lure recipients to click on
links. Those links often contain malware that allows hackers to access
passwords or other sensitive information.

Weeks after J.P. Morgan Chase & Co. was hit with a massive data breach that
exposed information from 76 million households, the country's biggest bank
by assets sent a fake phishing email as a test to its more than 250,000
employees. Roughly 20% of them clicked on it, according to people familiar
with the email.

A J.P. Morgan representative declined to comment on the bank's efforts
since then to prevent employees from clicking on emails that could expose
data. The company prohibits employees from using their work email addresses
for personal use, such as registering for shopping sites or social-media
accounts like LinkedIn, according to a company memo issued after the hack.

The bank has said it expects to spend about $500 million on cybersecurity
in 2016, roughly double the amount it spent in 2014.

While companies across all industries increasingly focus on cybersecurity,
banks are in a unique position because they safeguard so much sensitive
customer information as well as huge sums of money.

Bank of America Corp. Chief Executive Brian Moynihan has said his firm's
cybersecurity budget is effectively unlimited and that the bank is
increasingly focusing on its workers.

"We spend a lot of money, we're difficult with our employees in terms of
what their behavior is to make sure they help keep us clean," Mr. Moynihan
said at an industry conference last month.

The bank is among those discouraging employees from using out-of-office
features on voice mail and email because they could alert criminals to
unattended computers, said a person familiar with the company.

Wells Fargo & Co., the world's biggest bank by market capitalization, is
also ramping up spending.

"We spend an ocean of money" on cybersecurity, said Wells Fargo CEO John
Stumpf in a recent interview. "It is the only expense where I ask if it's
enough." A spokeswoman declined to quantify the firm's budget.

Banks are having a more difficult time determining how far to go in
tracking the behavior of their employees on social-media websites where
someone might post details about their job responsibilities that hackers
could use to determine who is an organization's best target. The situation
can get more delicate when it involves postings of a personal nature, such
as vacation pictures that could provide an opening for a criminal to break
into their home and steal their work laptop, cyberexperts said.

Overall, some 30% of data breaches this year resulted from employee error,
according to a survey released this month by the Association of Corporate
Counsel.

"They don't know that what they're doing is increasing the risk for their
organization," said Theodore J. Kobus III, a lawyer specializing in data
security at BakerHostetler in New York.

In addition to the J.P. Morgan hack from 2014, Morgan Stanley was the
victim of a recent high-profile breach as well. In that incident, a
financial adviser illegally accessed client data and took the information
home with him. The adviser, Galen Marsh, pleaded guilty to a felony in
September and is awaiting sentencing.

Prosecutors initially suspected Mr. Marsh was also involved in some of the
client data being posted online, which he denied. It was disclosed in court
papers this month that Morgan Stanley officials believe Russian hackers
gained access to Mr. Marsh's home computer, swiped the client data and
posted it online.

Morgan Stanley has declined to comment further.

For hackers, spear phishing--increasingly in emails that appear to be from
a high-ranking bank executive to an employee--remains a core tactic.

The Federal Bureau of Investigation's cyber office in New York is receiving
complaints about such phishing attacks "on almost a daily basis," said
Richard Jacobs, an assistant special agent in charge who handles
cybercrimes.

TD Bank, the Canadian-owned financial-services company that has roughly
1,300 branches in the eastern U.S., this year began sending simulated
phishing attacks to employees that involved scenarios such as telling
employees to click on a link to receive a package or to download a form
from the human-resources department.

Anyone who clicks on the phony link sees a video pop up that alerts them to
the test and tells them how they should have handled the situation. "Our
purpose isn't to scare people," said Glenn Foster, head of TD's
cybersecurity.

Employees who fall for the phishing attempt are likely to receive another
fake email soon, he added.

Even small banks are targeting their own employees' behavior. Pinnacle
Financial Partners Inc., which has roughly $6 billion in assets, sends
fake phishing emails to its 1,100 employees every three months or so. "They
all joke about it," said Clayton Weber, director of information security at
the Tennessee bank.

Even though the employees know the bank regularly tests them, he said,
roughly 2% click on the fake phishing email.
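The simulated-phishing programmes described above (TD Bank's scenario emails with a training video on click and a quick re-test for anyone who clicks; Pinnacle's roughly quarterly rounds with a tracked click rate) share the same reporting back end: a record per employee per round, click and report rates per round and per department, a list of repeat clickers, and a re-test date that is brought forward for whoever clicked last time. The following is an added example of that reporting logic, not code from the article or from any of the banks it names; the employee identifiers, departments and outcomes are constructed sample data, and the 90-day and 30-day intervals are assumptions chosen to mirror the cadence the article describes.

```python
"""Reporting for a simulated-phishing awareness programme (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """Outcome of one simulated phishing email sent to one employee."""
    round_id: int       # simulation round, e.g. 1 = first quarterly test
    employee: str       # constructed identifier, not a real person
    department: str
    clicked: bool       # followed the simulated link (and saw the training page)
    reported: bool      # forwarded the email to the security team instead


# Constructed sample data: three rounds sent to the same five employees.
SAMPLE_RESULTS = [
    Result(1, "emp-001", "operations", clicked=True, reported=False),
    Result(1, "emp-002", "operations", clicked=True, reported=False),
    Result(1, "emp-003", "engineering", clicked=False, reported=False),
    Result(1, "emp-004", "engineering", clicked=False, reported=True),
    Result(1, "emp-005", "engineering", clicked=False, reported=False),
    Result(2, "emp-001", "operations", clicked=True, reported=False),
    Result(2, "emp-002", "operations", clicked=False, reported=True),
    Result(2, "emp-003", "engineering", clicked=True, reported=False),
    Result(2, "emp-004", "engineering", clicked=False, reported=True),
    Result(2, "emp-005", "engineering", clicked=False, reported=False),
    Result(3, "emp-001", "operations", clicked=True, reported=False),
    Result(3, "emp-002", "operations", clicked=False, reported=True),
    Result(3, "emp-003", "engineering", clicked=False, reported=True),
    Result(3, "emp-004", "engineering", clicked=False, reported=True),
    Result(3, "emp-005", "engineering", clicked=False, reported=False),
]


def click_rate(results, round_id):
    """Fraction of recipients in `round_id` who clicked (0.0 if nothing was sent)."""
    sent = [r for r in results if r.round_id == round_id]
    if not sent:
        return 0.0
    return sum(r.clicked for r in sent) / len(sent)


def report_rate(results, round_id):
    """Fraction who reported the email: the behaviour the programme wants to grow."""
    sent = [r for r in results if r.round_id == round_id]
    if not sent:
        return 0.0
    return sum(r.reported for r in sent) / len(sent)


def rate_by_department(results, round_id):
    """Click rate per department, so follow-up training goes where it is needed."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in results:
        if r.round_id == round_id:
            sent[r.department] += 1
            clicked[r.department] += int(r.clicked)
    return {dept: clicked[dept] / sent[dept] for dept in sent}


def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least `min_clicks` rounds, sorted by identifier."""
    counts = defaultdict(int)
    for r in results:
        if r.clicked:
            counts[r.employee] += 1
    return sorted(emp for emp, n in counts.items() if n >= min_clicks)


def retest_schedule(results, latest_round, default_days=90, accelerated_days=30):
    """Days until each employee's next simulated email.

    Anyone who clicked in the latest round is re-tested on the accelerated
    interval; everyone else stays on the routine (roughly quarterly) one.
    Both intervals are assumed values, not figures from the article.
    """
    schedule = {}
    for r in results:
        if r.round_id == latest_round:
            schedule[r.employee] = accelerated_days if r.clicked else default_days
    return schedule


def trend(results):
    """(round_id, click_rate) in round order, to see whether the programme is working."""
    rounds = sorted({r.round_id for r in results})
    return [(rid, click_rate(results, rid)) for rid in rounds]


if __name__ == "__main__":
    for rid, rate in trend(SAMPLE_RESULTS):
        print(f"round {rid}: click {rate:.0%}, report {report_rate(SAMPLE_RESULTS, rid):.0%}")
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("days to next test:", retest_schedule(SAMPLE_RESULTS, latest_round=3))
```

The report rate is tracked alongside the click rate because a falling click rate alone can mean employees simply learned to recognise the test; a rising report rate shows the suspicious email is actually reaching the security team, which is what matters when a real spear-phishing attempt arrives.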
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
