Sony breach turns bank's focus to users

When New Jersey's Provident Bank was founded in 1839, Martin Van Buren was president. The First Opium War was getting going in China. And, in Boston, the American Statistical Association was just being founded.

Provident is the 11th oldest bank in the United States. It survived the Civil War, the Great Depression, the savings and loan crisis, the dot-com bust, and this century's global financial meltdown.

Last year, the bank celebrated its 175th anniversary, otherwise known as its dodransbicentennial.

Last year was also an opportunity for the bank to watch as one great institution after another suffered massive attacks from cybercriminals.

"Seeing these large companies fall victim to data breaches reinforced how much energy we wanted to spend on protection," said Nathan Horn-Mitchem, the bank's vice president and information security officer.

And banks in particular have a much higher burden of responsibility than retail companies, he added. And not just because the stakes are higher.

"When Target or Home Depot gets breached, customers get mad and stop shopping there for a while," he said. "If you're a Target person, you might go to Walmart for a while."

But giving up your favorite store requires sacrifice. There's usually a reason why people prefer one retailer over another, and those preferences are hard to change.

"So, eventually, you go back," he said.

That's not the case for banks.

"We have one shot at this," he said. "We have one shot to keep customer information safe."

The bank decided to focus on the fundamentals, with a three-part strategy to educate new hires about security, train existing employees to be vigilant about phishing attacks, and increase the awareness of data security for everyone at the bank.


In the past, onboarding new hires involved a quick introduction to information security.

After the latest high-profile breaches, that changed. Now, new employees get more than an hour of training about security.

But the training doesn't focus on the bank's data.

"We spend the majority of the time helping them understand how to protect their own name, their own social -- everything they need to protect their own personal life," he said.

They learn why they need unique, complex passwords and two-factor authentication.

The idea is to get employees developing good security habits at home, so that those habits follow them to the office.

Another benefit is that employees become more vigilant about security issues in general.

"I've had employees call me and inquire about a process the bank follows or suggest an improvement because they have moved into that security mindset," said Horn-Mitchem.


Almost all the recent high-profile breaches have come down to some employee making a mistake, breaking a security policy. It's often a very simple mistake, such as sharing a password or opening an attachment.

"We can deploy sophisticated technologies, but at the end of the day it comes down to the users," Horn-Mitchem said.

In particular, phishing has often played a key role, including in the Sony breach. According to the 2014 Verizon breach report, phishing was a factor in 67 percent of all cyber-espionage breaches, and was the third most-common attack vector in all types of breaches.

Provident stepped up its phishing training campaigns immediately after the Sony breach, and plans to increase the pace even more in 2015.

To get the most impact, the bank sends fake phishing emails to a small number of employees at a time.

"If you send 1,500 people the same email, then as soon as one or two people figure it out, they spread the word," said Horn-Mitchem.

Over time, employees have been getting better at spotting the malicious emails, he said. Not only are the click rates going down, but more employees are reporting the emails to their department.

Data security

The bank already had a data classification policy in place, where a select group of people -- the owners of the information -- decided how sensitive the data was.

But many employees were handling the data, and not all of them were paying attention to how they were securing it.

"Email, to many people, is a routing activity," Horn-Mitchem said. "It's very easy to send out information of particular value to the bank, and not have any thought about whether they properly secured it."

When this happened, the emails would get bounced to the security staff for manual handling.

"We wanted to have our users understand the value of the data they're using on a daily basis and its importance," he said.

What the bank did was institute a new classification policy -- each time employees sent information out beyond the bank walls, they had to take a moment and decide whether the information was confidential, sensitive, or public.

Depending on the classification, the communications that needed it would then be automatically encrypted, using either a TLS handshake with trusted partners, or a secure mailer for unfamiliar destinations.

The new policy applied to all bank staff, from the senior management down to the individual tellers, about 1,000 users total.

"It's not that big a speed bump that it slows users down, but it is a speed bump, and makes them think," he said.

From the very beginning, accuracy was close to 100 percent, with information classified either at the appropriate level or higher.

"Even in the first week, we saw very few mistakes made," he said. "Within two weeks, everyone at the bank was very comfortable with the system."

Plus, the increased awareness about data security translated to other areas as well, such as paper documents.

Another benefit is that instead of spending six hours a week reviewing emails to ensure that they were appropriately encrypted, Horn-Mitchem's team now spends less than an hour.

Stories by Maria Korolov