Hyperbole, Misinformation, and CyberMonsters Under the Bed – Source: www.cyberdefensemagazine.com

By Ken Westin, Field CISO, Panther Labs

This week at the World Economic Forum, there was a panel titled “Are Banks Ready for the Future?” with an esteemed panel of banking executives discussing the future of banking. When the topic of cybersecurity came up, Mary Callahan Erdoes, the Chief Executive Officer of J.P. Morgan Asset & Wealth Management, stated, “There are people trying to hack into J.P. Morgan Chase 45 billion times a day. That number is what it is.” Unfortunately, this soundbite is what the media grabbed onto and pushed out a hyperbolic narrative regarding the threats the bank faces. I don’t blame Erdoes, as this number was probably provided to her in a briefing by her CISO or security team, and many of the publications that put the number in the headline did so to get clicks.

Having worked closely with financial institutions, the problem with this metric is that it paints a dramatic picture of the threats banks face but requires more context around what that number means to paint a more factual view of the threats banks face. J.P. Morgan isn’t facing 45 billion attempts by individuals to hack the banks; I believe that number is an aggregate of automated vulnerability scans, bots, phishing emails, adware, credit card fraud, BEC, and other automated processes. Language and metrics can be a minefield in cybersecurity, and it is essential that when security leaders speak to executives, they provide the appropriate context around the threats faced and ensure they understand and can communicate the threat clearly to media and their customers without triggering hysteria.

The cybersecurity industry has faced similar stories over the years, such as the “Cyberpocalypse” or looming “Cyber Pearl Harbor,” terms usually used by overzealous marketing teams and the media to instill fear in consumers and businesses to buy their tools and click links for ad revenue. These “cyber-monsters under the bed” narratives used as scare tactics to keep CISOs up at night do little to mitigate the real threats organizations face.

Erdoes also mentioned that the 45 billion number is twice what it was last year, that trend is telling as it indicates threat actors are also exploiting the same adoption of automation and machine learning used by defenders, a trend we can expect to continue. Geo-politics is also at play as many nation-state adversaries see the U.S. financial system as a key and legitimate target to weaken our financial system and economy. This may also play into the exponential growth of adversary activity that J.P. Morgan is facing.

Improving the security posture of our financial system requires leaders of financial institutions and the media to become more cyber-literate. Many financial institutions are increasingly bringing current and former security leaders onto their boards. CISOs are increasingly reporting to the CFO or CEO aligning them more closely with risk management, and providing better visibility to the executive team and board. This is an opportunity for banks and regulators to get on the same page regarding language and metrics when it comes to cybersecurity risk.

About the Author

Ken Westin is Field CISO of Panther Labs.  He has been in the cybersecurity field for over 15 years working with companies to improve their security posture, through detection engineering, threat hunting, insider threat programs, and vulnerability research. In the past, he has worked closely with law enforcement helping to unveil organized crime groups. His work has been featured in Wired, Forbes, New York Times, Good Morning America, and others, and is regularly reached out to as an expert in cybersecurity, cybercrime, and surveillance.

Ken can be reached online at LinkedIn (https://www.linkedin.com/in/kwestin/) and at our company website https://panther.com/