The cyberattack on JPMorgan Chase has affected 76 million household accounts, a far larger number than originally expected. The inroads hackers made into the bank has rattled the tech and financial community, to say nothing of Capitol Hill, where legislators are looking anew at cybersecurity legislation.
The reason for their nervousness is clear: JPMorgan Chase is probably one of the most protected institutions in the world. If hackers can successfully breach its security, what chance do other companies stand?
It's a sobering question and there is no pat response other than to treat the event as a wake up call: if a company or industry is perceived to have a rich treasure trove of data within its systems, know that it's fair game to hackers.
And what contains more rich, personalized data than customer relationship management (CRM) systems?
CRM on Hackers' Radar
The allure of CRM data was highlighted in September by Salesforce.com when it informed users that the Dyre malware had been tweaked to target its customer base as well. Dyre originally was created to infiltrate financial institution such as Bank of America and Chase because it has the ability to bypass cryptographic protocols like Secure Sockets Layer (SSL) to steal customer credentials.
There are numerous reasons why malware writers want to enter CRM systems:
1. There is a wealth of data about customers' purchasing patterns and internal procurement contacts. This information could be easily used for phishing attacks. Emails, for example, could be created that look like they come from the chief purchasing officer and sent to a junior level clerk directing him to pay a specific vendor, which of course, is really a fraudulent account.
2.There is competitive data, including intellectual property, about customers in these systems that could be resold or used for more sophisticated phishing campaigns.
3. If the CRM user is a B2C company it will likely have thousands, even tens of thousands, of customers within its own data base – yet another a gold mine of payment histories and financial data to exploit.
Not all companies fit within those perimeters. Many, especially small businesses or B2B companies selling straightforward products or services may use a dressed-up contact management database as a CRM system. These may hold only information that could easily be found online and little else.
Protecting the Data
Even so, companies of all sizes should be aware of the risks and take steps to protect their customers' data:
Practice stellar security hygiene. The days of coasting by with the bare minimum are over. Unfortunately, this is a warning that needs to be repeated. Even a company as large as Home Depot was lax in certain areas of its security, the New York Times reported, which in part led to the breach it experienced.
There are some basic security procedures that need to be performed, paying careful attention to detail. Be vigilant about updating antivirus systems that can detect and block logged signatures and update network intrusion prevention systems, which prevent viruses from phoning home, according to Debabrata Dash, co-founder of Awake Networks, a network security start-up. Until last month, Dash was vice president of technology and head of engineering at
"A data encryption gateway can prevent attackers from using stolen credentials to retrieve data from external locations," Dash also told CMSWire, although if the attackers have remote control over the PC the protection is void.
Be proactive as you evaluate your security. Expect you will be targeted and infiltrated and then think about how to respond, Sam Harris, director of enterprise risk management at Teradata said. "Every organization's defenses are probed by adversaries performing reconnaissance," he explained. "At each stage of the process the adversary has to take actions that expose themselves to detection."
Think big data analytics. Modern security practices include the use big data analytics in addition to traditional signature or pattern based tools to achieve near real-time network security visibility and awareness to defeat the adversaries, Teradata's Harris added.
Warn your customers and partners of the potential threat. This is what Salesforce.com did, much to its credit.
Data is the New Gold
"Corporate data outside the firewall in the cloud and on mobile devices is the new gold for hackers," Bitglass CEO Nat Kausik told CMSWire. "Hacked credentials, lost devices and careless insiders are just a few of the threats to corporate data that are the responsibility of the customer rather than the cloud application providers such as Salesforce."
Focus on technologies that secure corporate data outside the firewall, he said. Typically these put organizations in control of who, what, where and when employees access cloud apps.