EU Cyber Watchdog Warns: More Money, Action Needed to Combat Hackers

Banks need to put more money into combating hackers who have the potential to wreak havoc throughout the continent, the director of the European Union’s cybersecurity agency said.

“We don’t know if there are criminals trying to attack a power plant, or the banking system and cut off all ATM machines,” said Udo Helmbrecht, executive director of the European Network and Information Security Agency, or ENISA. “The probability is low, but it’s doable.”

A group of sophisticated Russian hackers rifled the computer banks of JPMorgan Chase & Co. unhindered for more than two months this summer and attacked at least 13 other U.S. and European financial institutions with mixed success. The bank later disclosed that the hackers stole the names and contact information of 83 million customers but did not access account numbers or passwords.

U.S. banks and financial firms already spend as much as $2,500 per employee on cybersecurity, compared with $400 at retail and consumer companies and $200 at education companies, according to a study this year by PricewaterhouseCoopers LLP.

With a “little more, you can gain a lot” in relation to the attacker, Helmbrecht, 59, said in an interview in Athens.

The industry doesn’t seem to have opted for measures creating “a level of security that would make it unreasonable for the criminal to attack it, because it’s too expensive,” Helmbrecht said. “It has to be just a bit above the level that the criminal says it’s not worth it.”

Complicated Networks

Cybercrime is being organized into complicated networks resembling the division of labor in other illicit activities, Helmbrecht said as his agency conducted a cybersecurity exercise in Athens last week. More than 200 organizations from 29 European countries participated, according to ENISA.

“There are people who write malware, people who distribute malware, and people who buy malware for as little as a couple of hundred dollars,” said Helmbrecht, who was president of the German Federal Office for Information Security from 2003 through 2009.

Still, the chances of a full-blown attack on the security infrastructure of the continent, or its financial industry, are limited, Helmbrecht said.

If such a large-scale attack happens, the impact will be huge, he said. “It’s like with terrorists: you know they are there, you don’t know where they will attack.”

Helmbrecht said that ENISA’s cyber-security exercise “is a stress test for the resilience of our IT infrastructure.”

Its aggregated results are expected by early next year. No details on the performance of specific companies or organizations will be given.

Preparedness, Prevention

Unlike the stress test conducted last month by the European Central Bank and the European Banking Authority on the quality of the capital that the continent’s lenders hold, companies don’t face regulatory penalties if their capabilities to withstand an IT crisis are found to be limited.

“We want to invest in preparedness, prevention, and self-regulation,” said Helmbrecht.

Cybersecurity concerns extend far beyond the financial industry. Apple Inc. introduced new security features in September after the discovery that nude celebrity photos had been stolen by hackers.

Helmbrecht said, however, that sometimes common sense might be the best tool in the technology arsenal. He said that even in this day and age, people need to be careful about where they post private information.

“We have to distinguish between behavioral mistakes, and technology,” he said. “Software is being created by human beings, so mistakes happen. We have to educate people.”