After Chase breach, what banks can do to protect themselves

10/06/2014  |  By: Jason Riddle, CISSP, President, Information Security


As featured in the Nashville Business Journal.

JPMorgan Chase said last week hackers accessed personal data for 76 million customers and 7 million small businesses.

The New York Times reports about nine other financial institutions also were impacted by the same hackers. In JPMorgan’s case, hackers accessed names, addresses, phone numbers and email addresses of account holders.

A JPMorgan spokesperson said more sensitive information is safe. No passwords, user identifications, account numbers or social security numbers were compromised.

“With the largest bank in the nation, one would presume they’re better equipped for this type of thing,” said Jason Riddle, practice leader for managed security services at LBMC in Nashville. “If they can’t defend against this effectively, what does this mean for the smaller to medium sized companies?”

Riddle outlined several things financial institutions need to do to protect themselves moving forward, though he admits breaches like JPMorgan’s are “more a matter of when than if.”

Have a good inventory of sensitive information

For starters, banks “need to understand what sensitive information they have,” Riddle said. He notes that sometimes things like “intellectual property don’t come to mind,” but they need to be taken into account.

Understand the most likely threats

On top of knowing what sensitive material banks have on file, Riddle said they “need to understand the risks associated with them and what the most likely threats” will be. In the case of banks, he said, those threats will likely be aimed at gaining access to financial accounts.

Implement a monitoring system

“What we’re seeing over and over again, hackers are ultimately able to succeed with one of their attacks,” Riddle said. He said monitoring and identifying when systems are attacked is crucial.

Generate a response plan

While companies can put processes in place to prevent breaches, it is important to have a response plan ready just in case, Riddle said.

Even for smaller banks, Riddle says: “It’s fairly achievable.”

“We work with several [banks]. They have the preventable controls, but where they have the ability to improve is the operations and the response to when it does happen,” Riddle said. “This is going to continue to happen. … It’s critical to have a good response plan [in the likelihood] this actually happens.”