Operation Waking Shark 2

by Mark Rowe

Bank staff at a number of firms in London are taking part in a ‘war games’ exercise to test how well they can handle a major cyber attack.

The firms will be bombarded with messages and placed in scenarios. Simulations will include how banks ensure cash remains available via their ATM networks, how they deal with a liquidity squeeze in the wholesale market and how they communicate and coordinate with each other and the authorities.

Speaking ahead of the test, Stephen Bonner, a partner in KPMG’s Information Protection & Business Resilience team, said: “The world’s largest companies have been targeted over recent months by increasingly sophisticated hackers. It is now not just a lone hacker sitting in their bedroom but, in many cases, serious organisations backed by the resources of nation states who are leading the charge. Incidents which involve the loss or theft of commercial rather than personal data often go largely unreported. Hacking is now widespread and the attackers range from the intellectually curious through to sophisticated nation states, the targets range from safety-critical processing systems through to price sensitive deal data.

“Regulators and companies are increasingly concerned about the threat of cyber attacks on the banking system so this is a great initiative for all involved to work collectively together to test our national defences against sophisticated attacks. This is a good opportunity to iron out any flaws now, before our cyber defences are tested in anger. The test will shine a light on our defences, and that is helpful not just for banks but for business in general. Cyber security failures not only impact business in monetary terms but also in the loss of intellectual property and more importantly, trust.”

A recent review by the audit firm of the cyber security of non-financial company websites flagged up a range of cyber security concerns, including:

Vulnerable web servers – corporate websites supported by out-of-date and potentially vulnerable technologies

Sensitive information which could provide attackers with background on network users, email addresses and corporate intranet configurations

These weaknesses add to the large amount of information available to hackers from social networks and public sources, all of which helps target sophisticated attack campaigns.

Companies can do a lot to make the attacker’s life more difficult, including:

Reviewing the amount of data leaked online and through public web sites. These are easy targets for hackers

Ensuring internet-facing systems are kept fully patched and updated

Educating everyone within the organisation about the value and sensitivity of the information they possess and how they can protect it

Backing up employee training with sensible cyber security measures and a corporate culture that takes security seriously

IT comment

David Harley, a Senior Research Fellow at ESET, says that this kind of simulation can be very useful in terms of testing contingency plans, resilience of communication channels, and adherence to procedures and protocols. But it’s hard to simulate the sort of conditions of surprise and stress that prevail in a real crisis.

He says: “A self-test can also be useful in that a well-run security team knows something about the organisation’s weaknesses as well as its strengths, and if it’s really trying can use those weaknesses to advantage. You often learn more in circumstances like this from things that go wrong than from the things that function as they should. However, there’s the risk that a simulation will play to strengths rather than weaknesses: after all, there can be a (not necessarily conscious) desire to demonstrate how effective your defences are, rather than display failure. An external attacker – or a pseudo-attacker such as a pen-tester – can sometimes think outside the internal defender’s box, and has no such ambivalence in motivation: his success is your failure. And it’s quite true that the kind of attack that financial services are (or should be) most concerned about is likely to have its origins in a coalition of many interested parties whose skills and motivations may be very varied indeed.

“What really tests an organisation’s security is a breach that couldn’t have been anticipated, the sort of attack that demonstrates how well (or badly) it can expect the unexpected.”

Peter Armstrong, Director of Cyber Security at Thales UK, said that his firm welcomed this extensive cyber threat exercise and pointed to a survey by audit firm PwC earlier this year showing that only 12 per cent of companies have a formal process for assessing technology-related risks to their company.

“Operation Waking Shark 2 highlights the importance of having these processes in place, alongside best practice cyber maturity models to centre on continuous policy evaluation and adaptation. The consequences of cyber attacks are now so severe that cyber defence must become a board room discussion – not just an issue for IT departments. Whilst Operation Waking Shark 2 will focus on the threat of external attacks, banks must also address the insider threat. To combat insider threats, firms need to invest in employee security training and awareness programmes to avoid accidental breaches. Organisations should also consider a number of IT administered employee controls, including network monitoring technology which alerts the necessary parties when rogue devices connect to the network to either infect a corporate IT system.”

David Emm, Senior Security Researcher at Kaspersky Lab, agreed that these kinds of exercises provide a good opportunity to put people and organisations through their paces, much like the army does when practising manoeuvres. He went on: “They can never be a substitute for a real-life attack. But they can however force people to think about the situation they are faced with and what they would do in that very moment. What happens in the aftermath of such training programmes is also important: it’s essential for participants to examine how the scenario played out and what lessons can be learnt for the future. It is important for organisations in all sectors to look at the risks cyberthreats pose and iron out their own individual scenarios for dealing with an attack.

“The right communication is vital in the aftermath of a cyberattack. Businesses must have a plan of action which includes all relevant stakeholders from both internal and external parties, including government, regulatory bodies and, in this case, other financial organisations. Communication across other sectors can be important as the effects on one company can have far reaching consequences for many others. The UK government is keen to pursue a joined-up approach to dealing with cyberattacks which is good news, but more work still needs to be done to help all businesses adopt a more secure mindset; and exercises like this help contribute to this.”

And Ross Brewer, vice president and managing director for international markets at LogRhythm, said:
“Earlier this year, the Bank of England’s director of financial stability, Andrew Haldane, admitted that the threat of a cyber attack has overtaken the euro zone crisis as the main concern for British banks. It’s therefore a positive step that the financial services industry is taking a proactive approach and testing its defences – both in terms of infrastructure and staff. We are all well aware of the threat posed by a cyber attack in theory, however the practice of a large scale attack on national systems could be a very different matter.

“There are a number of industries that play a critical role in keeping the country operational and it’s essential that these sectors are fully prepared for disaster. Unfortunately, it’s reached a point where experiencing a cyber attack must be thought of as a ‘when, not if’ for most businesses, therefore if they aren’t ready and waiting, many will find themselves like proverbial rabbits in headlights before too long.

“While the financial sector is taking a step in the right direction, it will only be worthwhile if the lessons learned are acted upon and shared with a wider audience. Far too many organisations are still relying on reactive security measures when they should be constantly prepared for an attack and it is likely this exercise will prove this to be an extremely outdated thought process. The only way to ensure businesses have the best possible chance of keeping today’s sophisticated threats out is through 24/7 monitoring of all network activity and this needs to begin now, not as a mere afterthought. Any business that holds off will regret that decision – and by then, when it’s a real attack and not a test, it will be too late.”

© 2024 Professional Security Magazine. All rights reserved.