Philip Lieberman President Lieberman Software

The ability to overcome the typical financial defense-in-depth strategy outlined by JPMorgan points to capabilities that go beyond criminal activity and are in the realm of nation state capabilities.  JPMorgan and similar entities employ sufficient technology to protect themselves from criminals, but typically fail to invest enough in technology and process to shield themselves from nation state’s ability to access their systems at will. 

The lesson to be learned is that the financial services sector needs to up its cyber security game to move up from commercial security to military level security.  Most banks are focused on obtaining passing grades from internal and government cyber security auditors, but fail to place enough emphasis on the real and constant threats from the outside.
 
The takeaway message is that most of the financial services sector has little to no protection from nation state attacks and is not willing to spend the money to protect themselves, nor do they have senior leadership capable of redesigning their organizations for secure operation against nation states.  The USA financial sector has much better security than other areas of the world by far, but without significant rethinking and redesign, it will struggle to survive against nation states.  

The existing security standards and best practices are not designed to help companies defend themselves against nation states.  That is not say that companies are not operating at a level capable of defending themselves against nation states, only that the official best practices and standards provide little guidance or requirements that would lead to a company surviving an attack.