Banks are spending billions to battle cyber attacks, according to the Wall Street Journal. Much of the efforts focus on employees who unintentionally expose information to hackers. Many banks are now banning workers from using USB drives, warning them to be careful about what they post on social media, and telling them not to put “out of office” replies on emails. They are even sending fake spear phishing emails to see how many employees open them.
J.P. Morgan Chase & Co. sent a fake phishing email to more than 250,000 employees after getting hit with a breach that exposed data from 76 million households. About 20% of the employees clicked on the email.
J.P. Morgan Clamps Down After Breach
J.P. Morgan did not comment on the phishing test, but a memo issued following the hack prohibits employees from using work email addresses for personal purposes, including registering for social media accounts or shopping sites.
J.P. Morgan expects to spend around $500 million in 2016 on cyber security, twice the amount spent in 2014.
Brian Moynihan, chief executive at Bank of America Corp., said the company’s cybersecurity budget is essentially unlimited, and the focus is increasingly on the employees. The bank discourages employees from using out-of-office voicemail and email features since they can alert criminals to unattended computers, a person familiar with the company said.
Wells Fargo & Co. spends an “ocean” of money on cybersecurity, according to CEO John Stumpf in a recent interview. A spokesperson declined to give an actual budget number.
Tracking Employee Behavior Gets Tricky
Banks are finding it hard to decide how far to go to track employee behavior on social media websites where information might get posted that hackers could use to determine the best target in an organization. The situation becomes more difficult for banks if it involves postings that are personal in nature like vacation pictures that can give criminals an opportunity to break into the person’s home and nab their laptop, according to cyber experts.
A survey by the Association of Corporate Counsel reported that about 30% of data breaches come from employee error. Theodore J. Kobus III, an attorney at BakerHostetler in New York who specializes in data security, said employees don’t realize their actions increase their organization’s risk.
Morgan Stanley suffered a high-profile breach recently in which a financial adviser illegally accessed client data and took it home. Galen Marsh, the adviser, pled guilty to a felony charge in September and awaits sentencing. Prosecutors suspect he was behind client data that was posted online, which he denied. Morgan Stanley officials think Russian hackers gained access to his home computer and posted the client data online.
A core hacker tactic remains spear phishing. Emails sent to an employee that appear to come from a high-ranking official are becoming more common.
Spear Phishing On The Rise
Richard Jacobs, an assistant FBI special agent who handles cybercrimes, said the office is getting complaints about spear phishing almost daily.
TD Bank Group, a Canadian financial services firm with branches in the eastern U.S., sent fake phishing emails to employees that included instructions to click a link to get a package or to download a human resources department form. Those who clicked on the link then saw a video that alerted them to the test and advised them how they should have handled it. Those who clicked the email are likely to receive another one soon, said Glenn Foster, the company’s head of cybersecurity.
Some small banks are following suit. Pinnacle Financial Partners Inc. of Tennessee sends fake phishing emails to its employees every three months, according to Clayton Weber, director of information security. Even though the employees know they are being tested, about 2% still click on the fake phishing email.