By Andy Norton, European Cyber Risk Officer at Armis
According to 79% of those taking part in the most recent Bank of England systemic risk survey, cyber-attack was the most cited risk to the UK’s financial system. A survey, it should be noted, that was carried out prior to the Russian invasion of Ukraine and the resulting media warnings about an increased risk of such things. As well as being the number one threat to banking for the second consecutive year, cyber-attack was also determined to be the most challenging risk for 65% of financial industry firms that took part. In order to better defend against potential attacks, financial institutions need to start thinking differently about cybersecurity, risk, and resilience. Why so? Well, what if I were to tell you that the Internet of Things (IoT) and other operational technology devices have massively expanded the financial industry attack surface, while at the same time remaining an under-the-radar security challenge courtesy of multiple defensive blind-spots for many.
You can’t insure your way out of the cyber risk and resilience quagmire
When it comes to cyber risk and resilience, having ‘cyber-insurance’ alone is simply not enough. In its most recent business of resilience report, the UK government confirmed that the insurance protection gap remains high as far as cyber is concerned. How high? How about that ‘90% of all cyber losses remain uninsured’ high? If this doesn’t convince you that strengthening cyber risk management best practices should be a business priority, then, frankly, what will?
Operational resilience, which the Financial Conduct Authority (FAC) defines as being the “ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption” cannot just be an optional nice to have. As the FCA puts it, this ability to “absorb shocks rather than compound them” is essential. It’s also required as part of the FCA rules and guidance for “banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, Enhanced scope Senior Managers and Certification Regime firms, and entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.” As of March 31, 2022, and no later than March 31, 2025, these firms must have made the investments necessary to ‘operate consistently’ within their impact tolerances. The FCA, along with the Prudential Regulation Authority (PRA), suggests that in order to understand your cyber resilience at a high level, you need to be able to answer questions such as how do you identify and protect critical assets and how do you detect and respond to an incident so as to both recover the business and learn from the experience?
Understand your tech debt to illuminate cybersecurity blind-spots
Let’s be clear: I am absolutely not suggesting that IT security isn’t generally well-established within financial institutions. Of course, it is. However, things start getting a little blurry when you begin drilling down into the device specifics that IoT and other operational technologies (think building management systems, for example) bring to the cybersecurity landscape. In fact, any device with an internet gateway that sits within the airspace of a financial institution is liable to bring additional risk, to represent another point of weakness. Especially if those institutions are not fully appraised regarding the level of support, or lack of it, that such hardware and software has, and could therefore be considered a vulnerability just waiting to be exploited.
This ‘tech debt’ can be considered an incremental security cost, where legacy equipment is either no longer supported or about to lose the safety net of security updates and vulnerability patches, and one which impacts defensive capabilities. Armis once went in and scanned the environment of a financial institution, by way of example, only to discover the core Cisco systems it relied upon were, in turn, reliant upon technology that was approaching ‘end-of-life’ and would soon no longer be supported. Unfortunately, such lack of visibility and consequential inability to properly assess the security risk to the business is far from uncommon, even in the highly regulated world of financial services.
Visibility is key to extending cybersecurity and improving resilience across the business
It’s essential to not only understand what assets form part of this great ‘hidden infrastructure’, but also recognise their role in the business, who has access to them and what access they have themselves. The problem being that ‘traditional’ IT security tools, policies and processes are unlikely to achieve this ‘what, where, who and how’ requirement when we are talking about IoT. This could be IoT in the supply chain, security cameras or even heating controls; things that may be managed by external contractors but still form part of the ever-expanding attack surface of your business.
Information and operation technology convergence plus business networking and control systems bumping boundaries are all great for the digital transformation of financial organisations like any other; and like any other, they also introduce additional cyber risk. What’s needed, therefore, is an asset map that can keep track of every device, auditing and validating every environment across the business in real-time. Cyber threats can better be detected and mitigated by gaining a unified and multidimensional view of every asset, including those previously unseen or undermanaged. Such absolute visibility is required to provide clarity when it comes to reducing your exposure to risk.
However, the solution also needs to be passive so as not to have the potential to disrupt day-to-day operations while also offering integration with existing tools. Think of this as cyber-asset intelligence, discovering and identifying true risk so as to provide proactive threat mitigation. It’s a different way of thinking than the norm, but perhaps now is the time we all need to be thinking differently about cybersecurity, risk, and resilience.