Banks need to put more money into combating hackers who have the potential to wreak havoc globally, says the director of the European Union's cyber security agency.

"We don't know if there are criminals trying to attack a power plant, or the banking system and cut off all ATM machines," says Udo Helmbrecht, executive director of the European Network and Information Security Agency, or ENISA. "The probability is low, but it is doable."

A group of sophisticated Russian hackers accessed the computer banks of JPMorgan Chase unhindered for more than two months this summer and attacked at least 13 other US and European financial institutions with mixed success.

The bank later disclosed that the hackers stole the names and contact information of 83 million customers, but did not access account numbers or passwords.

Banks in the United States and financial firms already spend as much as US$2,500 per employee on cyber security, compared with US$400 by retail and consumer companies, and US$200 at education companies, according to a recent study by PricewaterhouseCoopers.

With a "little more, you can gain a lot" in relation to the attacker, says Helmbrecht, adding that the industry does not seem to have opted for measures that can create "a level of security that would make it unreasonable for the criminal to attack it, because it is too expensive … It has to be just a bit above the level that the criminal says it's not worth it."

Cybercrime is being organised into complicated networks resembling the division of labour in other illicit activities. "There are people who write malware, people who distribute malware, and people who buy malware for as little as a couple of hundred dollars," says Helmbrecht, who was president of the German Federal Office for Information Security from 2003 to 2009.

Still, the chances of a full-blown attack on the security infrastructure of the continent, or its financial industry, are limited, he adds.

If such a large-scale attack happens the impact will be huge. "It's like with terrorists: you know they are there, [but] you don't know where they will attack."

Helmbrecht says, however, that sometimes common sense might be the best tool in the technology arsenal and that people need to be careful about where they post private information. "We have to distinguish between behavioural mistakes and technology. Software is being created by human beings, so mistakes happen. We have to educate people."

Bloomberg