Bank of England takes the lead in the war against cyber-attack

What’s the best form of defence when it comes to protecting against online vulnerabilities? If you’re the Bank of England, it seems the answer to that question is pretty simple: you go on the attack. The Bank of England has announced its intention to take on cyber-attackers directly in order to ensure that the country’s major financial institutions are adequately protected against hackers. The Financial Times is reporting that the new strategy, called ‘Cyber threat and Vulnerability Management’, will see the Bank employ ethical hacking and penetration testing in an effort to strengthen the cyber security of banks and other financial institutions.

The new ethical hacking scheme will be overseen by Andrew Gracie, the Bank of England’s director of the UK’s special resolution unit, and will utilise the expertise of pre-approved cyber specialists to carry out ‘penetration testing’. The specialists will use the latest methods employed by hackers working for criminal gangs, terrorist cells and rogue states in order to examine the defensive capabilities of 20 of the UK’s most prominent banks and financial organisations. Although the Bank of England hasn’t revealed which institutions will be involved in the scheme, The Financial Times speculates that the Royal Bank of Scotland and the London Stock Exchange will both take part.

Why is the Bank so concerned with cyber threats? Banks, unfortunately, are regular targets for cyber-attacks. In November last year the Bank of England issued its Financial Stability Report, in which it revealed that several of the UK’s banks had been hit by cyber-attacks which disrupted some services and led to significant financial losses. The report concluded that the financial system was susceptible to cyber-attacks as it had a “high degree of interconnectedness, reliance on centralised market infrastructure and sometimes complex legacy IT systems”. As a consequence, the Bank of England made cyber threat one of its top priorities and urged the Treasury, the Prudential Regulation Authority and the Financial Conduct Authority to put together a plan to test the financial sector’s resilience to cyber-attacks.

Penetration testing is a tried-and-tested solution for testing internal cyber resilience; however, this is the first time such a scheme will be monitored by an outside authority on such a large scale. A similar scheme – named Waking Shark II – was undertaken last year, but operated on a much smaller scale. That scheme tested how financial institutions would react should a cyber-attack happen. In a one-day simulation, 220 people from 20 institutions, including infrastructure providers and government agencies, were invited to test how they would react in the event of a sustained cyber-attack. The scheme’s findings were presented in a report by Chris Keeling, who commented:

“Whilst there was some communication between the participating firms and the [financial market infrastructures] and good communications with the authorities, it was identified that there is no formal communication coordination within the wider sector.”

The new cyber threat and vulnerability management initiative has been well received by security experts. Speaking to the Financial Times, Charles Sweeney, CEO of web security firm Bloxx, said:

“Banks face a relentless onslaught of persistent and sophisticated attacks because they are considered to be highly prized targets for criminals.”

“Last year’s Waking Shark programme was a great success, but attacks evolve and develop at a rapid pace so it is no surprise that the Bank of England wants to test defences again. It is great to see the UK leading the way in cyber protection programmes that can make a real difference to consumers, enterprises and the economy,” Sweeney added.

It’s reassuring to know that a major institution like the Bank of England takes security issues seriously, but have you ever considered how these ‘evolving’ security issues might be affecting your business? If you are concerned about the security challenges facing your business today, then why not speak to Krypsys? Krypsys’ services are focused on helping you assess your security posture against current and evolving security threats and educating you on the risks to which you are exposed. We have a wealth of experience in security projects in both the public and private sectors and have worked with organisations to protect high value information assets such as trading platforms, e-commerce systems, data-centres and cloud services. We also work with leading IT security vendors and specialist consultancies to close the gaps in your own IT security strategy and to assist in streamlining and prioritising your risk management spending.

If you would like help with penetration testing, security reviews, security compliance issues or web security, please contact Krypsys on 01273 044072 or [email protected].