City simulates cyber attacks
Detica's Henry Harrison describes the industry-wide acknowledgement of how far cyber risk has climbed up the priority list for financial institutions, following the FSA, Bank of England and Treasury's joint creation of a simulated cyber attack exercise for the UK's banks.
The lengthy list of high profile public and private sector organisations falling victim to cyber crime keeps on growing, and given the reliance of the UK's critical national infrastructure on cyber space, one certainty this year is that organisations' exposure to cyber threats is going to increase.
Given the potential damage they are capable of inflicting, cyber attacks necessitate new approaches to assessing impact and managing risk, which is why it's encouraging to see the financial services sector take a lead with its simulated cyber attack. We must now hope that other sectors will follow suit.
The key to success with this sort of exercise is using sufficiently representative scenarios. This is as true for cyber attack scenarios as for financial disaster scenarios – while it is simple to imagine situations such as a total loss of communications, realistic scenarios should also include the loss of confidence in the integrity of data or key systems, or indeed the loss of confidence in the confidentiality of communications between different players in the system.
With impacts of such potential magnitude to contend with, it's important that business leaders don't leave their risk managers or IT teams attempting to mitigate these cyber threats alone. Reassessing risk should involve the company board and the company's IT, security and risk personnel working together to properly calculate the different levels of risk posed in each scenario. Our white paper, 'Enemy at the Gate', includes five key questions that businesses must ask themselves when reappraising their cyber risk strategies. These are as follows:
1. What are the potential threats faced?
2. Which assets are most likely to be targeted?
3. What is the motivation of the attacker?
4. What is the potential business impact?
5. Which assets require the highest level of protection?
These questions are designed to help businesses prioritise risk: security specialists need to be able to focus on protecting the organisation's most valuable assets, rather than being given an all-encompassing remit that is difficult to manage and support effectively.
Board-driven risk assessment is needed to determine the true level of risk faced, and while this may still require a technology solution, security solutions must be able to respond to business needs rather than being imposed on the business from the bottom-up. Irrespective of whether an organisation is part of the critical national infrastructure, or whether it is simply a successful firm with high value information assets, better risk understanding and management will in each case lead to better prioritisation of defences, better use of budgets and better use of resources.
Henry Harrison, Technical Director at BAE Systems Detica