Are employees of financial institutions their biggest threat to data security?
According to a recent survey released by the Association of Corporate Counsel, as many as 30 percent of all data breaches this year have resulted from employee error. Some of the largest banks and financial institutions have begun to test their employees regularly to find out just how much risk those employees may be exposing the institution to.
As The Wall Street Journal reports, just weeks after the major breach at JPMorgan that left information from 76 million households exposed, the bank (the largest in the country, by measure of assets) sent a fake phishing email to its 250,000+ employees to test their reaction. Approximately 20 percent of the recipients clicked on the email, according to people familiar with the project.
And JPMorgan isn’t the only company taking such measures. According to WSJ, “spear phishing” — the act of seeking to identify and breach high-value employees within an organization who have access to sensitive data — is a common and lucrative activity of hackers. As such, similar email exercises and employee training are being run by multiple institutions.
Canada-based TD Bank, with roughly 1,300 branches in the U.S., has been sending simulated phishing emails to employees over the last few months to see just how many will click a link supposedly sent from the human resources department. A click prompts a training video to pop up, alerting them to the test and telling them how they should have handled the situation. “Our purpose isn’t to scare people,” Glenn Foster, head of TD’s cybersecurity, told WSJ.
Other areas of concern include social media, where personal details about vacations or time away from the office may alert savvy attackers to an opportunity to break into an unattended home in the hope of finding a company laptop or other device holding valuable information. Morgan Stanley was recently the victim of a high-profile breach in which a financial adviser illegally accessed client data and then brought the information home with him. The adviser, Galen Marsh, has since pleaded guilty to a felony and is awaiting sentencing.
“We spend an ocean of money” on cybersecurity, said Wells Fargo CEO John Stumpf in a recent interview. “It is the only expense where I ask if it’s enough.” A spokeswoman declined to quantify the firm’s budget.
But a financial institution doesn’t have to have a big budget to employ smart employee training tactics, the WSJ story points out. Smaller banks are doing the same: Pinnacle Financial Partners Inc., with roughly $6 billion in assets, sends fake phishing emails to its 1,100 employees every few months.
“They all joke about it,” Clayton Weber, director of information security at the Tennessee bank, told the outlet.
Alarmingly, even though the employees know the bank is regularly testing them, Weber told WSJ that roughly 2 percent still click on the fake phishing emails. It seems there is still work to be done.