Some 40 UK financial industry firms are taking part in a ‘desk-based’ stress test organised by the Bank of England in partnership with industry and other UK financial authorities (HM Treasury and the Financial Conduct Authority) to see how they respond to a major cyber-incident impacting the UK.
This will include leading banks; participants in previous exercises included Barclays plc, HSBC Holdings plc, Lloyds Banking Group plc, Nationwide Building Society, The Royal Bank of Scotland Group plc, Santander UK plc and Standard Chartered plc. The Bank of England says on its website that the exercise will "help authorities and firms identify improvements to our collective response arrangements, improving the resilience of the sector as a whole."
Dr Sandra Bell, head of resilience consulting at Sungard Availability Services, says in an email to SC Media UK that banks have a range of options to remain resilient in the face of disaster or crisis, including:
Keeping data organised - Financial institutions should keep up a strict, strategic separation between systems, so if a hacker finds their way into one database using malware, they will not automatically be able to access another one.
Think geographically - Ensure each recovery site is geographically distant from production to minimise the risk that the same disaster (such as a flood) disrupts both systems.
Address the prospect of data loss - Regularly test backup plans and increase security measures for sensitive information.
Building a recovery plan that can handle multiple simultaneous outages:
* Although outages are often caused by a single factor affecting a particular supporting system, banks have to be prepared in case the interruption influences the operation of other areas of the business too. Even if the problem is localised, the symptoms can be felt across the organisation.
* Look beyond your service-level agreement by taking a broader approach to risks. Shift the focus from assuming individual/departmental risks, to wider, collective risks based on business service output.
Keeping employees up to speed:
* Think beyond technology: If employees do not have the knowledge and training required to aid a potential disaster recovery process, there is little point in having the technology in place at all. Consider bringing in outside expertise to aid this shift and identify vulnerable areas.
Greg Day, VP and CSO EMEA, Palo Alto Networks, noted in an email to SC Media UK that the exercise has even greater significance since Tesco Bank was hit by a cyber-attack earlier this year.
He commented: "It’s always great to see organisations such as the Bank of England test capabilities of the sector, especially in light of increasing regulatory requirements such as GDPR around notification. It’s always important such exercises span across all business functions. These should be both a technical but also business response test. Regulation is increasingly impacting all businesses, yet many aren’t as diligent in regularly and rigorously testing their response capabilities."
Speaking on Radio 4 today, Robert Schifreen, who, with Steve Gold, was responsible for the hack that resulted in the Computer Misuse Act, commented that a desk exercise, where people came in ready and available to deal with an attack, was totally different from a real attack on a Sunday afternoon when all the people you need are not available.
But Jake Moore, cyber-security expert at ESET UK, emailed SC Media UK to add: "Anything that improves cyber-response is a thumbs up from me. Cyber-attacks aren’t a possibility, they are an eventuality so we will never have enough people, systems or money to prevent or detect an attack. Therefore, you need to invest in training as well as multiple prevention techniques to make it work. However, it is not always as simple as that, so making training engaging and even fun adds impact to the way it sinks in and quickly makes it second nature."
It was the cooperation element and DDoS that was highlighted by Kirill Kasavchenko, principal security technologist at Netscout, who says: "Financial institutions are particularly at risk from cyber-threats, simply due to the amount of sensitive data and money they store. With customer interactions, processes and services increasingly moving online, the industry cannot afford cyber-security – or a lack of it – to become a stumbling block further down the line. Better intelligence sharing and improved co-operation within the financial services industry is vital to managing cyber-risk, so it’s great to see this mix of organisations working together to test the UK’s financial system.
"The results of today’s drill will reveal what work remains to be done, but what is important from a DDoS perspective is that the full scale of attack types and techniques are considered. To add further complexity, DDoS attacks are also not launched just for the sake of bringing a resource down. They can also be designed to shift the focus of the defenders, so it’s ‘easier’ for hackers to exfiltrate data undetected. This is why every financial services organisation must implement layered security to mitigate attacks of different sizes and complexity, as well as strengthening visibility and threat detection capabilities across internal networks. That way DDoS attacks can be contained without disruption, but we can also see whether other attacks are being carried out in parallel – so the true scale of the attack is known."
For Pete Banham, cyber resilience expert at Mimecast, an important factor noted was, "The fact that firms aren’t being tested on a pass or fail basis is significant as it means they will be transparent about their current capabilities, rather than worrying about being exposed as unprepared. This will help them work towards being adequately prepared for large scale cyber-attacks and ensure they have the right cyber-resilience strategy in place."
He went on to suggest that other sectors follow suit saying: "Hackers are always lying in wait, so we need to see more instances of sectors uniting to combat malicious attacks."