By Peter Matthews, CEO, Metro Communications
The challenge from underground activists, organised criminals, state-sponsored actors and have-a-go hackers is gargantuan. When your enemy has a global recruiting ground, fast-evolving weaponry and the ability to walk through walls, staying ahead of the game can seem impossible. But while no organisation, institution or territory is impenetrable, the financial sector can – and must – become much more resilient.
A recent consultation paper on cyber security in the financial sector, jointly authored by the Bank of England, Prudential Regulation Authority and Financial Conduct Authority, seeks to redefine resilience by switching the emphasis from systems to services and people. In other words, rather than invest in scheduled system upgrades and renewals as a matter of course, organisations should focus their efforts on those systems that are needed to maintain key services, such as making purchases, receiving payments and delivering lending and saving.
This approach to resilience requires that organisations have a back-up system, ideally based at a different site. It also suggests they should:
- Identify essential services and map the systems that support those services
- Test security measures regularly to ensure they remain fit for purpose
- Establish secure communications channels and protocols, including for smartphones and other mobile devices
- Take specialist advice on preventing cyber crime and detecting it early
- Develop intelligence on current and emerging threats and how to respond to them
- Raise awareness and build a culture of cyber security
- Learn from previous incidents by sharing information and good practice.
In my opinion, there are two major areas that rarely get the recognition they deserve: raising awareness and establishing secure communications.
An awareness of cyber security can mean the difference between containing and compounding the effects of an attack. It is not unusual for organisations to make a bad situation worse by using compromised technology to report breaches. In fact, hackers often carry out the initial attack in order to monitor messages, redirect traffic, intercept new passwords and inflict even more damage. It's easy to see how an organisation – using a hacked system to rectify a breach – could inadvertently infect their own back-up system, effectively handing criminals the keys to their safe house.
In the words of Bank of England executive director Andrew Gracie, 'Cyber is not a minority sport for technologists… it is about culture too and this means people and processes'. Everyone, from senior managers to frontline workers and the board of trustees, needs to play a part in maintaining data security.
The second key area – secure communication channels, including those built into mobile phones – is vital in protecting data and conversations when it's business as usual. But these secure channels are also essential to safely deliver solutions following a cyber incident. For example, business-grade security apps on mobile phones don't just encrypt data; they secure metadata (such as contact lists, location and caller identity) to protect sensitive conversations between key individuals. This also thwarts hackers who rig up fake mobile phone masts to intercept and record commercially sensitive conversations, and enables people who travel for work to use unsecured hotel WiFi with confidence.
Other technological solutions, such as enterprise mobility management solutions (which manage the security of all devices in an organisation), firewalls, antivirus software and user authentication and privileges may also be part of the answer.
But resilience doesn't stop at technology. Buying costly software that tries to deal with every eventuality – often causing as many problems as it cures – isn't the answer. Again, it's about knowing what's important to your business and developing an intelligent, focused and proportionate response to deal with key threats and vulnerabilities.
The financial sector is highly susceptible to cyber crime because of its importance to maintaining life as we know it. The entire system balances on a pinhead of confidence, and its global connections offer criminals a potential goldmine of devastation. It's worth remembering that the recent Webstresser attack, which sold the ability to disable financial services for just $14.99 a head, was responsible for more than four million attacks across the world before the website was finally disabled by authorities in eleven countries.
Striking at a single internationally connected organisation in one country could give hackers the satisfaction of causing major disruption across the world. That might explain why attacks on banking and finance have increased by around 80% over the past year. It is why major financial institutions will soon face exacting new standards, developed by the Bank of England and the National Cyber Security Centre (NCSC), to ensure they can restore vital services following a cyber incident, within a specific timeframe. And it is why I believe that the sector as a whole must raise its game. All organisations need to be clear about what resilience looks like and play their part in delivering it.
For more advice about how to protect your mobile phone conversations, contact Metro Communications.