Why It's Important: Financial institutions have increasingly come under siege from hacktivist attacks. Bank of America, JPMorgan Chase, NYSE, PNC and Wells Fargo recently all received threats, with some of these firms seeing periodic website outages that have affected tens of thousands of customers and generated a barrage of negative headlines.
Meanwhile, firms are increasingly letting employees bring their own smartphones to work and aren't doing a very good job securing these devices. Financial firms aren't alone with this challenge: As Apple prepared to launch the iPhone 5 in September, rumors emerged that a group of hackers had leaked a million ID numbers from Apple devices.
According to the Ponemon Institute, which interviewed 600 IT professionals on the issue of hacking following the recent spate of attacks against banks, 74 percent said it's difficult to distinguish between a real customer and a criminal accessing the company website.
Where the Industry Is Now: There's been a dramatic rise in hacktivism recently in the name of anti-globalization and anti-Wall Street protests, as well as from pro-religious groups that want to steal data and embarrass companies to make political points. Nearly 70 percent of IT professionals that Ponemon polled said they don't have the necessary technology to deal with the problem. Having real-time visibility into website traffic is key to detecting attacks, but more than half of respondents said they don't have this functionality.
Focus for 2013: Firms must think beyond technology: They need to react to attackers by understanding how the bad guys behave. They need to consider which areas of the world attacks will potentially come from, in order to stop hacks before they hit a company's firewall. "If you're just going through a checklist without prioritizing risk on the basis of what the likely attack is, you're shooting in the dark," says Eric Friedberg, co-president, Stroz Friedberg, a global digital risk management and investigations firm.
Firms also must vet which apps their employees can download on their smartphones, while also running tests to detect whether the devices they use are already infected. This process alone adds a significant layer of complexity.
To avoid website outages, banks need multiple points of presence on the Internet, making it more difficult for hackers to cause wide-scale damage. One way financial firms can do this is by having separate regional websites rather than one central site.
To combat distributed denial-of-service attacks, firms also must be able to filter traffic based on signatures and other criteria, like a junk filter, and balance the traffic load across many servers so that the functionality of their sites doesn't slow down, Friedberg says.
Banks also must have up-to-date patch management systems that include testing and installing code changes, and they should only retain records that are needed to do business.
Intrusion detection, or having red flags go up when you're under attack, is also key. In addition, it's critical for banks to have highly skilled staff who know how to identify and respond to attacks. IT engineers must be able to interpret large data sets of logs and intrusion detection information, as well as carry out reverse engineering of malware when they discover an attack in order to analyze code, see what the attacker will do with it and limit any damage, Friedberg says.
Regulators can also help by encouraging the use of security best practices. "The nature of distributed denial-of-service attacks isn't necessarily a flaw of banks but of the Internet as a whole," says Alex Horan, senior product manager at Core Security. "It's not so much a technical solution but a regulatory solution that's needed."
Price Tag: Two-thirds of the 600 IT survey participants the Ponemon Institute polled said their companies lost from 1 percent to 4 percent of revenue as a result of business logic abuse, which is precision hacking based on a flaw in the functionality of a company's website. About a quarter of respondents said their organizations lost more than 5 percent of revenue.