Private businesses must be prepared to defend against nation-state attacks.
As I’m sure you’ve heard, it has been estimated that 76 million households were affected by the JPMorgan Chase breach. Of course, customers are worried about the specifics of the attack. They want to know exactly what information was stolen and how this information could be used for criminal purposes. But we also have to look at the big picture here, especially in light of the recent announcement that 13 other financial institutions were also targeted by the same group of attackers. We must consider who is behind these attacks, why they would do it, and who they’re going to target next.
This is clearly not your average band of hackers. It’s highly unlikely that a criminal organization could launch that many sophisticated attacks simultaneously. We have seen this level of attack between nation-states, when China targeted U.S. Government organizations and when Russia launched attacks on Georgia and Estonia a few years ago. What we are seeing now is the same level of sophistication and capability being deployed against businesses.
The capability being demonstrated is very unnerving, and the attackers probably aren’t going to stop at the financial industry. All critical infrastructure organizations (healthcare, public utilities, state and local governments, etc.) need to consider that they could be the next target.
About 85 percent of all network security infrastructure is in private hands. If we are truly seeing nation-state attacks turn against private institutions, the organizations making up that 85 percent need to take action to improve their security posture. At the moment, they simply aren’t ready for this type of attack – a fact that was recently highlighted by the Community Health Systems breach.
JPMorgan is the canary in the coal mine, and the canary just died. Critical infrastructure organizations can’t afford to ignore this warning. If you could use some straightforward steps for maturing your vulnerability management program – or you’re simply wondering how your program stacks up against others – check out my Threat & Vulnerability Management Maturity Model.