How Helpful Will EU Testing of Banks’ Cyber-Security be? – Lawyer Monthly | Legal News Magazine

With recent news that the EU is contemplating plans to test banks’ ability to repel cyber-attacks, thereby mirroring current measures put in place by the Bank of England, Lawyer Monthly hears from Mike Allison, Global IT Security Manager at RGL Forensics, who here voices his thoughts on the potential ramifications and future of the European Union’s program engagements.

Information security continues to be a significant area of concern in businesses, all the way up to the C-suite, with cyber criminals launching daily campaigns against organisations across the globe. Organisations are finding themselves having to confront difficulties that previously would have been pushed to the back of the priority queue, or simply ignored. Governments and political organisations are now stepping in, feeling that industries previously left to fend for themselves now need active assistance and formalised guidance. Strategies to date within large-scale companies have frequently involved paying the fines relating to cyber breaches instead of remediating the gaps in their security. Gambling on a possible one-off financial penalty is seen as the cheaper alternative to continual investment, given that, even after attention, systems may remain vulnerable.

Perceived low financial penalties are part of the drive behind the impending European General Data Protection Regulation (GDPR), which increases maximum fines to €20 million or 4% of global turnover. As effective as this may be, in a way all it does is force a re-evaluation of the balance of risk within companies, and may still result in some security holes remaining exposed.

This may have less impact on smaller companies. However, just like a nuclear power station, banks could be viewed as critical national infrastructure. The failure of a bank would be a major incident with far-reaching ramifications. With cyber terrorism and state-sponsored cyber-attacks taken into consideration, the European Union will be trying to ensure it protects itself from actions that could result in the loss of the ability to make financial transactions and recall historical financial records.

The UK government, for example, has been increasing its involvement in the corporate cyber security space for a number of years. The Government Communications Headquarters (GCHQ) started with programs to protect and monitor the security of UK critical national infrastructure and other relevant companies working as sub-contractors on government projects. Over time, with a large number of breaches affecting companies further down the supply chain, encouraging as many organisations as possible to share cyber-attack and breach information became good practice. This led to the Cyber Information Sharing Partnership (CISP) that went on to be absorbed into the new National Cyber Security Centre (NCSC) along with CERT-UK (Computer Emergency Readiness Team UK).

Projects such as these, as valuable as they are, do require an element of audience participation. Organisations can choose to be a part of the ‘self-help’ community, and many now do. But when confronting corporate apathy, mandating action becomes the only way to ensure adequate attention in an area of concern. Nothing leads to a flurry of activity quicker than showing technical staff a report of their system vulnerabilities, and business managers a definitive list of clearly expressed threats to their continuing successful business activities. This is why recognised certifications often include activities such as penetration testing within their specification. External penetration testing provides an unbiased assessment of an organisation’s exposure to external threats. However, there are many types of system, and therefore many types of threat, and testing for every threat can become very time-consuming. Penetration tests are valid only for the moment they are conducted, as new threats emerge in generic hardware and software daily. In addition, organisations developing in-house information systems find it impossible to keep up to date with the new bugs they find in their own software. If security were the primary focus of a company, this could affect the time to market for the delivery of its products or services and force another compromise.

In part to address these issues within the UK, the Financial Policy Committee (FPC) at the Bank of England requested that The Treasury, in conjunction with relevant UK regulators, should work with the UK financial community to help improve and test cyber security within the UK banking system.

The UK financial authorities then worked with the Council for Registered Ethical Security Testers (CREST) to design a testing framework for banks. The new Bank of England Cyber Security Framework (CBEST) was designed to focus on dealing with real threats through intelligence-led testing strategies. Rather than asking banks to plough resources into system security blindly, it acts as a lens to focus their efforts in the right places. It does not replace other frameworks, such as ISO27000 and PCI-DSS, but it does outline testing methodologies that include assessing IT systems, people and processes. It also provides specific certified framework training for testers. Adopting the framework is currently voluntary, and no preparation work is required prior to stepping into the framework, thus minimising the potential for organisations to put it off.

Recommendations and requirements are yet to come out of the EU in relation to these matters. However, if the trend is anything like that within the UK, we should expect to see more EU security programs that attempt to engage organisations in an empathetic and helpful way. Large-scale random testing of the entire EU banking system is relatively impractical, if not simply prohibitively expensive, and would only provide a snapshot in time. Encouraging ongoing positive change is the order of the day. Developing tactical ability within organisations through the concept of ‘knowing your enemy’ appears to be the most important thing. With increased cooperation and a refocusing of efforts, the banking sector needs to be able to protect itself from the large-scale attacks that we can all imagine featured in the next blockbuster film.

With regard to transparency, reporting the findings of any testing to the public is probably counterproductive, or misleading at best. There are security holes in any system, and it only needs a single one to be exploited for data to go missing. Giving an organisation an A* or equivalent safety rating is not a guarantee that it will never suffer a breach – only an indication that its risk level is lower than that of other organisations. With banks having such widespread infrastructure, it is difficult to secure every far-reaching part of their network to the same degree. Everything may be OK until that one thing that no one expected to happen actually happens. This, coupled with the large number of people that work for an organisation as large as a bank, means that data could be lost simply through human error. The individual could even be highly trained, but a genuine mistake can be made nevertheless.

We must remember, in a consumer-led world, it is difficult to expect any commercial enterprise to embrace security when it has a negative effect on its bottom line. In addition, if one company invests in security and another does not there may be commercial advantage for the one that saves its budget, as long as it does not fall victim to an attack. Governments are beginning to step in, pushing for emphasis on creating quality products and services that are secure by design, and less on meeting today’s demands. This is helpful – but not a fail-safe – as it means organisations must now show that they are giving cyber security the attention it deserves. How each EU bank does that is down to them… at least for the moment.