By Nikos Chrysoloras Nov 12, 2014
5:06 AM ET
(Corrects
PricewaterhouseCoopers spelling in 4th paragraph in story published on Nov. 5.)
Banks need to put more
money into combating hackers who have the potential to wreak havoc throughout
the continent, the director of the European Union’s cyber security agency said.
“We don’t know if
there are criminals trying to attack a power plant, or the banking system and
cut off all ATM machines,” said Udo Helmbrecht,
executive director of the European Network and Information Security Agency,
or ENISA. “The probability is low, but it’s doable.”
A group of
sophisticated Russian hackers rifled the computer banks of JPMorgan Chase & Co. (JPM) unhindered
for more than two months this summer and attacked at least 13 other U.S. and
European financial institutions with mixed success. The bank later disclosed
that the hackers stole the names and contact information of 83 million customers
but did not access account numbers or passwords.
U.S. banks and
financial firms already spend as much as $2,500 per employee on cybersecurity
compared with $400 by retail and consumer companies and $200 at education
companies, according to a study this
year by PricewaterhouseCoopers LLP.
With a “little more,
you can gain a lot” in relation to the attacker, Helmbrecht, 59, said in an
interview in Athens.
The industry doesn’t
seem to have opted for measures creating “a level of security that would make
it unreasonable for the criminal to attack it, because it’s too expensive,”
Helmbrecht said. “It has to be just a bit above the level that the criminal
says it’s not worth it.”
Complicated Networks
Cybercrime is being
organized into complicated networks resembling the division of labor in other
illicit activities, Helmbrecht said as his agency conducted a cybersecurity
exercise in Athens last week. More than 200
organizations from 29 European countries participated, according to ENISA.
“There are people who
write malware, people who distribute malware, and people who buy malware for as
little as a couple of hundred dollars,” said Helmbrecht, who was president of
the German Federal Office for
Information Security from 2003 through 2009.
Still, the chances of
a full-blown attack on the security infrastructure of the continent, or its
financial industry, are limited, Helmbrecht said.
If such a large-scale
attack happens, the impact will be huge, he said. “It’s like with terrorists:
you know they are there, you don’t know where they will attack.”
Helmbrecht said that
ENISA’s cyber-security exercise “is a stress
test for the resilience of our IT infrastructure.”
Its aggregated results
are expected by early next year. No details on the performance of specific
companies or organizations will be given.
Preparedness, Prevention
Unlike the stress test
conducted last month by the European Central Bank and the
European Banking Authority on the quality of the capital that the continent’s
lenders hold, companies don’t face regulatory penalties if their capabilities
to withstand an IT crisis are found to be limited.
“We want to invest in
preparedness, prevention, and self-regulation,” said Helmbrecht.
Cybersecurity concerns
extend far beyond the financial industry. Apple Inc. (AAPL) introduced new
features in September after the discovery that nude celebrity photos had been
hacked.
Helmbrecht said,
however, that sometimes common sense might be the best tool in the technology
arsenal. He said that even in this day and age, people need to be careful about
where they post private information.
“We have to
distinguish between behavioral mistakes, and technology,” he said. “Software is
being created by human beings, so mistakes happen. We have to educate people.”
To contact the
reporter on this story: Nikos Chrysoloras in Athens at nchrysoloras@bloomberg.net
To contact the editors
responsible for this story: Vidya Root at vroot@bloomberg.net Anthony Aarons
http://www.bloomberg.com/