'There Will Be Battles. Some Will Be Lost'


This article is from the annual FinTech Forward special report.

The alarming growth in data breaches and other forms of cybercrime against cardholders and financial services firms has pushed security to the top of IT budgets. Banks already spend $2,500 per employee on cybersecurity, according to a recent PwC report. JPMorgan Chase Chief Executive Officer Jamie Dimon says the biggest U.S. bank plans to double its $250 million annual computer-security budget within the next five years. He announced this shortly after the bank disclosed in August that hackers had exposed contact information of 76 million households and 7 million small businesses.

"It's about firewall protection, it's about internal protection, it's about vendor protection, it's about everything that hooks up into you," Dimon said in his first public appearance since beginning treatment for throat cancer. "There will be a lot of battles. Unfortunately, some will be lost."

The bank is not alone. An American Banker Research survey found that 20% of banks are considering investing in new security solutions in 2015.

"You will see increased investments in security," said Paul Smocer, president of BITS, the security arm of the Financial Services Roundtable. "That comes on top of already significant investment in this space. It's an evolutionary battle, not something that came up overnight."

The risks for banks are mutating, he pointed out. "Ten years ago, it was the hacker kid in the basement, then semi-organized crime, now it's nation-state supported efforts," he said.

Others also see heightened awareness of security in the industry.

"I've gone to plenty of meetings with CIOs that have a big sense of urgency that I didn't see a year ago," said Avivah Litan, a vice president at Gartner Research. "Usually the media gets people focused -- I think they're more worried about showing up in the news than about security per se."

In the coming year banks will invest in legal engagements, consulting and compliance initiatives as well as tech purchases, according to Litan.

"I don't think it's a matter of spending more money, it's a matter of spending money more wisely on the solutions," Litan said.

Traditionally in security, a lot of money is spent on perimeter defenses, such as firewalls, endpoint protection systems and web gateways that keep bad actors out of the enterprise. But new approaches are needed, Litan said.

"There's not enough money being spent on looking for anomalous behavior," she said, referring to fraud analytics software that looks for strange behavior in customers' transactions and digital banking habits. "There's also not enough money being spent on people — screening your employees, your contractors, everyone you deal with more aggressively on a risk basis." She also believes banks ought to be more diligent about security awareness programs.

In addition to JPMorgan Chase's increased investment in security technology, Dimon also alluded to another trend likely to continue into the next year: an increase in information sharing among banks about security threats.

Banks need to work with each other to help fend off hackers, and a legal safe harbor could be needed to foster more cooperation, Dimon said.

BITS, for one, has been working with the Financial Services Information Sharing and Analysis Center to gather information about attacks, to help members fortify their defenses.

"There are a lot of industry efforts underway, there's a partnership we have with the merchant community, to try to figure out ways to reduce risk," Smocer said.

The primary threats against banks have morphed from the waves of distributed denial of service and phishing attacks of a few years ago to malware attacks on retailers' unprotected terminals (affecting bank cards) and bank employees' insufficiently protected computers.

In addition to behavior analytics, banks will need to consider a host of solutions to track who's trolling their networks.
