Here is an admission you don’t hear very often. In the Wall Street Journal, Trish Wexler, a J.P. Morgan spokeswoman, stated this:
Companies of our size unfortunately experience cyberattacks nearly every day.
I’ve heard security professionals say this type of thing plenty of times, and from numerous studies and regular monitoring, we know that lots of large networks are pinged many times a day in hopes of finding a crack. But you very rarely, if ever, hear someone whose company had just announced a breach actually admit that cyberattacks are a regular problem.
In case you missed it, J.P. Morgan is one of several companies within the financial industry to have been infiltrated by Russian hackers. According to CNET, the breach may have been caused by a malicious injection into an employee’s personal computer.
We’ve known that employee mistakes have long been a gateway for bad guys to get into corporate networks, but usually it is a work computer. However, hackers attempting to get in through personal devices might happen more often than we realize, as Todd Feinman, CEO with Identity Finder, told me in an email:
This is common because there is typically a weak link in trying to penetrate an organization’s perimeter and that weak link could be one employee’s password enabling remote access to their system and the network. We see hackers using a small amount of data to access a system then farm for sensitive data that could gain access to the entire network.
In her official statement, J.P. Morgan’s Wexler also pointed out that her company has multiple layers of defense to help protect against all of those cyberattacks against the network. Since the financial giant isn’t regularly discussing those attacks, you have to figure most of those defense mechanisms have been working.
But what about the weak links? How is enterprise approaching the problem areas that their layers of protection miss? TK Keanini, CTO with Lancope, thinks maybe the approach companies are taking is wrong for today’s cyberattacks, telling me in an email:
It is no longer a game of not being infiltrated, it is a game of detecting them and shutting them down before they can exfiltrate or advanced their operations. You can make same analogy with physical bank robbery: It is not about breaking into the bank; it is about getting out and being able to spend the loot without being detected.
IT security knows the hackers are going to get in one way or another. It is a matter of catching them quicker. This attack on J.P. Morgan may have happened a month before it was found, but the long period of time between an attack and actual detection is not unusual.
I want to make one final point. When Wexler says “companies of our size,” it creates a false illusion that regular attacks happen only to large corporations, and that SMBs are safe. They aren’t. Bad guys don’t care where the data comes from, just as long as they can get their hands on it. The only difference between the data held in large corporations and small businesses is the number of files. While hackers will go after large financial institutions because the payoff is bigger, smaller businesses with weaker cybersecurity measures are easier to get into. The only folks winning here are the bad guys.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba