In the last few months, cyber terrorists disrupted the websites of major financial institutions like Bank of America Corp. and JPMorgan Chase & Co. using distributed denial-of-service (“DDoS”) attacks to overload the institutions’ servers with 10 to 20 times more traffic than they are normally required to process. (See http://www.businessweek.com/news/2012-09-27/cyber-attacks-on-u-dot-s-dot-banks-expose-computer-vulnerability.) In the recent spate of attacks, customers’ confidential information does not appear to have been at risk; but the attacks made it difficult, if not impossible, for customers to access or transact any business with the targeted institutions for several hours. Putting aside the obvious frustration that this downtime causes customers, it can have more far-reaching consequences if that frustration leads to panic or a loss of confidence in the institution’s ability to protect their customers’ accounts. It is therefore crucial that the target of a cyber attack respond not only by taking appropriate technical countermeasures but by communicating to customers regarding the status of their accounts.
For security incidents that result in a data breach – where customers’ information is put at risk, government regulations and industry guidelines often dictate what the company must disclose. The same is not true of cyber attacks, like DDoS attacks, that do not result in a data breach. In those situations, the company must balance its need to provide service and support to its customers against the potential negative consequences of disclosing too much information about the company’s internal processes.
On October 2, 2012, Ron Raether was interviewed by Tom Field of the Information Media Security Group regarding the recent cyber attacks against U.S. financial institutions and his assessment of the strengths and weaknesses of their responses. Read the article and listen to the interview at http://www.bankinfosecurity.com/interviews/incident-response-choose-right-words-i-1675.