Fraud Protection

How to Defend Against Cyberthreats

We recently surveyed our Executive Advisory Board to find out how executives view the cybersecurity environment and their own vulnerability within it. Their responses prompted a conversation with Mike Kelly, Commercial Banking's Head of Cybersecurity and Technology Controls, about how businesses can protect themselves against cyberthreats and what they need to know about the current fraud landscape.
May 31, 2016

Eighty-five percent of executives surveyed said their organizations require complex passwords for applications with sensitive data or critical operations, and 41 percent use multifactor authentication. What are some other tactics businesses can use to help protect confidential information?

There are generally three distinct areas within data security that companies should make sure they're thinking about when developing security protocols:

  1. Access. Things like requiring complex passwords and implementing multifactor authentication are important ways to protect against unauthorized access to your data—but they can be made stronger if businesses have certain complementary measures in place, such as requiring that passwords have a robust history and are changed frequently. A robust password history will prevent your employees from reusing old passwords—best practices say that you should require employees to update their password at least 15 times before they're able to reuse an old one—and frequently updating passwords helps ensure that passwords are changed before they can be compromised.
  2. Encryption. The encryption process converts sensitive data into a coded form that's typically undecipherable without the right decryption tools. However, it's worth noting that if access is compromised, encryption is basically useless—it only works if credentials remain uncompromised.
  3. Monitoring. This one is pretty simple, but it's essential: You need to know what people are doing on your servers, even authorized people.

A number of organizations outsource their tech support to third-party vendors (44 percent) or freelance specialists (18 percent). What are some precautions businesses should take when outsourcing something as vital as data security?

There's not a right or wrong answer in terms of what you should outsource—in many cases, it depends on a business's size and industry. That said, one rule that applies to businesses of all sizes and across all industries is that any controls you have or standards you set internally should be applied to your vendors, too—the expectations have to be the same. You aren't absolved from managing your data security when you outsource it to a vendor—it's still your responsibility.

In terms of risk, concentration is always something to watch. If you give one vendor the keys to your kingdom—for example, if they have the ability to manage all your wire account data, as well as the ability to change it—you're putting your business at risk. Of course, sometimes it can be hard to break apart your tech support functions, in which case, you just have to be transparent with your board and have the proper audit rights in place. But in a perfect world, you'd be able to segment your data security so that you're not completely dependent on one vendor.

Thirteen percent of survey respondents said their businesses had experienced cyberfraud that led to stolen money. Of that 13 percent, 19 percent said the fraud was a result of malware, and 19 percent cited social engineering (which occurs when criminals create fake situations that trick businesses into quickly sending funds). What are some steps that companies can take to guard against social engineering attacks? And are there other fraud trends businesses need to know about?

Social engineering, which some call phishing, is huge. This is where I see the majority of data compromises arise. It's important to educate your employees to be vigilant about properly screening emails, phone calls and even website popups for fraud.

Generally, there are a number of steps you can implement that can help prevent social engineering attempts to gain access to your funds:

  1. Validate new or updated payment instructions—even if they were received via internal email.
  2. Speak with—or contact directly—anyone who's requesting a funds transfer or a change to payment instructions so you can validate that the changes are legitimate before processing.
  3. Examine all payments before they're issued, and ensure that all correspondence is validated and documented across your entire business.

There's also always the threat of the malicious insider—someone within the company who has bad intentions and perpetrates fraud on your business—but if you're properly monitoring employee activity, you have a good chance of reducing this risk.

Survey respondents cited a number of actions their businesses are taking to prevent cybersecurity breaches, including conducting external penetration tests, implementing ongoing training and education for employees, and continuing to invest in software and systems to block attacks. What are some other ways you would advise organizations to protect themselves?

The best advice I have is to promote awareness of cyberthreats—particularly via ongoing training and education, which tends to be undervalued—and to create a culture where escalation is encouraged. If employees know they won't be penalized or made to look foolish for following the steps above, you can drastically reduce your risk for things like wire transfer fraud, which is on the rise.

Read the full results of the JPMorgan Chase Executive Advisory Board Cybersecurity Report to get more insight into the concerns and plans executives have around cybersecurity.

Download the report


Related Content

Payments Fraud Hits Record Highs

The 2016 AFP Payments Fraud and Control Survey found that the number of organizations impacted by fraud is increasing—and criminals are using more high-tech strategies.

View infographic about Payments Fraud Hits Record Highs

Should Your Business Encrypt Its Data?

What you need to know about encryption to determine if it’s something you should use as part of your data security arsenal.

Read article about Should Your Business Encrypt Its Data?

The Cyberthreat Inside Your Company

Why your biggest cyberthreat may be coming from inside your business.

Read article about The Cyberthreat Inside Your Company

Related Services

Fraud Protection


Weekly insights on the economic issues that matter most to your business.



Find out how we can help your business.

Contact Us


Copyright © 2018 JPMorgan Chase & Co. All rights reserved.