Why $250M didn't protect JPMorgan from hackers
When a series of cyberattacks targeted banks like JPMorgan Chase (JPM) this month, it was clear to the FBI that the break-ins, which obtained gigabytes of data, according to the New York Times, were all coordinated. Some of the missing information may have included checking and savings account data.
Trish Wexler, a spokeswoman for JPMorgan, told CBS News: "Companies of our size unfortunately experience cyber attacks nearly every day. We have multiple, layers of defense to counteract any threats and constantly monitor fraud levels." The company says that there has been no unusual fraud activity and that it is currently working with law enforcement to understand the scope of the attack.
JPMorgan reported to shareholders that it will have spent $250 million on cybersecurity (pdf) by the end of 2014. It employs more than 1,000 people for these efforts, according to the annual shareholder letter from Chairman and CEO Jamie Dimon.
That makes this defeat particularly bitter.
Sadly, the pattern is anything but unusual. Total spending on cybersecurity by private companies, non-profits, and government agencies easily runs into the tens of billions annually. Market analyst ABI research estimates that global cybersecurity spending on critical infrastructure will hit $46 billion this year. The Department of Homeland Security alone sought a $1.25 billion cybersecurity budget in the fiscal year starting in October.
And yet, there are always new stories of data losses and successful attacks. That's because there are a number of factors that make the problem continuously tough to solve.
One is that companies are often playing catch-up. Cybersecurity is not a CEO's or CFO's favorite budget item. It's pure cost, adding nothing to a brand, product design, sales, or shareholder value. But after years of high profile attacks that were PR nightmares, corporations had to respond.
After the credit card breach last year, Target is reportedly spending $100 million to adopt technology so it can accept credit and debit cards that use embedded chips for added security.
Even as companies try to get caught up, they can be foiled by basic problems in their IT departments. One of the most important forms of protection is to regularly update servers, desktops, and mobile devices with the latest software security patches for the operating system and all programs on the machines.
Large companies may have thousands of servers and tens of thousands of desktops and mobile devices, which makes the task daunting enough. But it becomes more complex as any change in software could potentially affect how installed applications and systems could run. Someone has to test the high number of updates that come in before installing them, which means more time and money spent on security.
Also adding to the cybersecurity difficulty is the sheer numbers of hackers that are out there looking for unpatched vulnerabilities. There are always new system updates that may have created new security holes that haven't been patched yet. As computer networks become increasingly complex -- involving mobile devices tapping into wireless and cellular networks -- any new change creates an opportunity for weakness that someone might find.
Ultimately, one of the biggest security issues is human -- and therefore impossible to control with tech solutions. Hackers will often obtain information necessary to break into networks directly from customer service employees who are trying to be helpful.
Even with all the money companies are spending on security, chances are that break-ins will continue to happen and companies, and their customers, will have to find new ways to manage the unpleasant results.