Bank of England tackles “critical” cybercrime attacks
A major new effort spearheaded by the Bank of England and the UK Treasury has been launched to shore up the cyber defences of the UK financial services industry, amid rising concerns that testing has exposed serious unaddressed weaknesses.
The initiative, called CBEST, was created together with the regulator, the Financial Conduct Authority, and the non-profit security organisation CREST, as well as the cyber intelligence company Digital Shadows. It sets out a blueprint for controlled cyber security testing, the aim of which is to ensure key financial assets are protected against cybercrime. The tests mimic the actions of threats such as sophisticated cyber-attacks against financial services assets.
The project is in some respects a response to widespread fears about the potential for cyber-attacks to cause serious disruption to banks and other financial services providers. Prominent incidents in recent history include attacks by Iranian hackers on Bank of America, as well as warnings from companies such as KPMG that the next major crisis to affect the UK banking sector could be a concerted cyber assault.
“Although existing penetration testing services in the financial services sector have provided a good level of assurance against traditional attacks, they do not address more sophisticated cyber-attacks on critical assets,” said Ian Glover, president of CREST.
CBEST testing encompasses a bank or financial service provider’s people, processes and technology in a single test. The aim is to be more thorough than traditional penetration testing. As part of the programme, CREST requires intelligence providers to be accredited, and a code of conduct administered by CREST has been introduced.
The project has been broadly supported by a number of security firms, which have long railed against the dangers of lax security and weak protection against cyber threats at all levels of the economy. For example, in December 2013 security company Trustwave discovered a ‘Pony’ botnet that compromised two million accounts for popular websites. Pony is a new type of botnet strategy that involves using a group of infected computers to steal passwords from Facebook, Twitter, LinkedIn, Google and Yahoo. The importance of intelligence-led testing has been emphasised by a number of commentators, including Don Smith, director of technology at Dell SecureWorks.
“It has become clear that the current cybersecurity testing methods used in the financial sector are not sufficient to protect organisations against more sophisticated attacks,” said Smith. “Testing will only be truly useful if it is based on comprehensive threat intelligence. Cyber-attacks are constantly evolving and in such a changeable security landscape, intelligence-led testing is the only way to prepare defences against the most persistent and sophisticated attacks.”
However, other organisations have pointed out that it will not be easy to counter the threat posed by cybercrime. Last month a PwC survey in the US found that 75% of businesses surveyed had detected a security breach in the last year, while the average number of security intrusions was 135 per organisation. A separate study by security firm Trustwave in May found that 96% of applications have one or more serious security vulnerabilities. According to Ted Julian of Co3 Systems, despite efforts such as the BBA’s drive earlier this year to create a global approach to incident response and coordination, the real challenge is internal.
“This is hard,” said Julian. “Financial institutions in the UK already have a duty under SYSC 3 to ensure that their internal systems are appropriate and effective. [But] it requires communication with multiple external agencies, potentially across every jurisdiction in which they operate, and potentially millions of customers in the short time available for incident response.”
The implications of tighter security may be deeper still. According to Japanese IT company Fujitsu, cyber security has the potential to become a competitive differentiator for UK banks, as customers appear to be unforgiving of any mistakes. The firm’s own research in the UK and Ireland suggests that one in four consumers would switch banks due to an IT failure, and a security breach which leads to the loss of personal information could lead to seven in ten choosing to switch their banks.
“With the sophistication of cyber-attacks and the number of threats increasing, financial services organisations understand the need to remain robust in their security,” said Anthony Duffy, director of retail banking at Fujitsu UK & Ireland. “This news of the UK financial sector launching a new cyber security framework is, therefore, very welcome. The financial services industry increasingly sees cybercrime as a top priority.”
“This is best viewed as a tool designed to put UK financial sector institutions on the front foot by … subject[ing] them to as near ‘real life’ as possible threat scenarios,” added James Chappell, chief technology officer at Digital Shadows. “The crucial lessons learned through these tests will ensure they are better prepared should they come under real attack.”