The United States is losing the war on cyberhacking. If there was any doubt beforehand, the recent revelation that hackers broke into JPMorgan Chase's systems this summer, compromising the personal information of 76 million households and seven million businesses, should be proof.
Like many high-priority targets, JPMorgan declared after falling victim to hackers that it would dramatically increase its information-security spending by some $50 million, bringing its total expenditures in that category to approximately $250 million per year. That's too much money, too late. JPMorgan and other banks can better protect customers by putting into place practices that help prevent cyberattacks in the first place.
There are several key measures that would cost banks far less to implement than remediating an attack after the fact. Egress monitoring, sometimes called exfiltration tracing, inspects outbound data before it leaves the firm so that large or unusual transfers can be flagged, and it works alongside strong authentication, which ensures that only properly authenticated users reach sensitive information in the first place. Rotating passwords for internal systems limits how long a stolen credential remains useful to an intruder who hops between interconnected computers within the firm to disguise nefarious activity; rotation should be paired with monitoring for that lateral movement, since it shortens the attacker's window but does not close it. And banks can more closely guard account information by requiring a second authentication factor for transactions (often loosely called tokenizing), so that customers must enter a bank-generated one-time code or plug in a bank-issued USB security key in addition to providing their usual credentials. All of these tactics would help bring about more secure transactions between banks and their customers.
Another area for improvement is the process by which banks audit their information technology. Auditors cannot cover an entire banking application in a single audit and rely on random sampling to estimate a bank's security profile. The problem is that auditors fail to vary their sampling techniques often enough to test a wider slice of the system. Banks shouldn't merely try to be in compliance with an IT audit; they should exceed it.
A final issue is that corporate policies meant to keep cybercrime in check are almost never universally followed. Staffers may plug external thumb drives into work computers without thinking twice about whether the drive has previously been exposed to other systems or whether they're violating company policy. It's equally common for employees to walk away from their computers without locking the screen to retrieve a cup of coffee, during which time someone could use the unattended session to open a back channel or listening port. Companies should more closely monitor adherence to security measures and make sure that there are repercussions when rules are broken.
Today's top banking executives are not doing everything they can to combat a pervasive problem that will only grow fiercer with time. Strong policies can keep cybercrime in check, and it's crucial that senior management ensure policies are up to date, understood by all and frequently tested.
James Gabberty is a professor of information systems at Pace University in New York City and consultant to the information security industry.