Search

Brian Pennington

A blog about Cyber Security & Compliance

Month

November 2013

UK banks and financial market infrastructures have experienced cyber attacks

In the Bank of England’s 2013 H2 Systemic Risk Survey Banks and Financial organisation highlighted operational risk as one of the main risks to UK financial stability.

The majority of the respondents cited cyber-attacks from individuals or groups seeking to exploit vulnerabilities in IT systems for financial gain or to disrupt services as a significant threat.

The report states In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services. While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions

In June 2013 the bank of England said:

HM Treasury, working with the relevant government agencies, the PRA, the Bank’s financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack

Perceived Risks from Cyber Attacks have risen strongly

Bank of England Chart

HM Treasury, other government agencies and financial authorities have formed a Cross Market Operational Resilience Group who will work to assess, test and improve cyber resilience across the core parts of the UK financial sector.

On the 12 November, under the supervision of the Cross Market Operational Resilience Group, an exercise called Waking Shark II took place to test the financial sector’s response to a sustained and intensive cyber attack It was an industry led exercise; supported by HM Treasury, the Bank of England and the FCA and several other government agencies. The report on the outcomes and lessons will be issued in early 2014.

Advertisements

Challenges to maintaining a strong security posture

A very interesting piece of research by the Ponemon Institute on behalf of the security vendor Sophos.  A summary of the study is below. 

Cyber security is often not a priority

  • 58% of respondents say that management does not see cyber-attacks as a significant risk
  • 44% say a strong security posture is not a priority.
  • Those two findings reveal the difficulty IT functions face in securing the necessary funding for skilled personnel and technologies. As evidence, 42% of respondents say their budget is not adequate for achieving an effective security posture.
  • While an organization’s IT leaders often depend upon the need to comply with regulations and compliance to make their case for IT security funding, 51% of respondents say it does not lead to a stronger security posture. More important is obtaining management’s support for making security a priority.

Senior management rarely makes decisions about IT security

Who is responsible for determining IT Security Priorities?

  • CIO 32%
  • 31% no one

Lack of in-house expertise hinders the achievement of a strong security posture

  • Organizations represented in this research face a lack of skilled and expert security professionals to manage risks and vulnerabilities. Only 26% of respondents say they have sufficient expertise, with 15% not sure. On average, three employees are fully dedicated to IT security.

Security threats and attacks experienced

“Did our organization have a cyber-attack? I don’t really know.” When asked if they were attacked in the past 12 months

  • 42% of respondents say they were
  • 33% are unsure
  • 1/3 of respondents say they are unsure if an attack has occurred in the past 12 months
  • Of the 42% who say an attack occurred, most likely it was likely the result of phishing and social engineering, denial of service and botnets and advanced malware/zero day attacks.

Data breach incidents are known with greater certainty

More respondents can say with certainty that a data breach occurred in their organization. For purposes of the research, a data breach is the loss or theft of sensitive information about customers, employees, business partners and other third parties. 51% say their organization experienced an incident involving the loss or exposure of sensitive information in the past 12 months although 16% say they are unsure.

More than half of respondents say their organization has had a data breach

  • 51% Cited is a third-party mistake or negligent employee or contractor
  • 44% cannot identify the root cause.

Most organizations say cyber-attacks are increasing or there is no change

  • 76% of respondents say their organizations face more cyber-attacks or at least the same
  • 18% are unable to determine

Most organizations see cyber-attacks as becoming more sophisticated

  • 56% say cyber-attacks are more sophisticated
  • 45% say they are becoming more severe
  • 28% of respondents are uncertain if their organizations are being targeted
  • 25% are unsure if the attacks are more sophisticated
  • 23% do not know if these attacks are becoming more severe.

The research reveals there is often confusion as to what best describes advanced persistent threats (APT). When asked to select the one term that best fits their understanding, only one-third of respondents say they are recurrent low profile targeted attacks but the same percentage of respondents are not sure how to describe them. As a result, there may be uncertainty as to what dedicated technologies are necessary for preventing them.

Disruptive technology trends

The cloud is important to business operations

  • 72% of respondents do not view security concerns as a significant impediment to cloud adoption within their organizations
  • 77% say the use of cloud applications and IT infrastructure services will increase or stay the same
  • 39% of their organization’s total IT needs are now fulfilled by cloud applications and/or infrastructure services

The use of cloud applications and IT infrastructure is not believed to reduce security

Effectiveness

  • 45% of respondents say the cloud is not considered to have an affect on security posture
  • 12% say it would actually diminish security posture
  • 25% of respondents say they cannot determine if the organization’s security effectiveness would be affected

The use of mobile devices to access business-critical applications will increase

  • 46% of an organization’s business-critical applications are accessed from mobile devices such as smart phones, tablets and others.
  • 69% of respondents expect this usage to increase over the next 12 months.

While respondents do not seem to be worried about cloud security, mobile device security is a concern.

  • 50% of respondents say such use diminishes an organization’s security posture
  • 58% say security concerns are not stopping the adoption of tablets and smart phones within their organization.

BYOD also affects the security posture

  • 26% of mobile devices owned by employees are used to access business-critical applications.
  • 70% of respondents either expect their use to increase or stay the same
  • 71% say security concerns do not seem to be a significant impediment to the adoption of BYOD

BYOD is a concern for respondents

  • 32% say there is no affect on security posture
  • 45% of respondents believe BYOD diminishes an organization’s security effectiveness.

Effectiveness of security technologies

The majority of respondents have faith in their security technologies

  • 54% of respondents say the security technologies currently used by their organization are effective in detecting and blocking most cyber attacks
  • 23% are unsure

Big data analytics and web application firewalls are technologies growing in demand

Today, the top three technologies in use are:

  1. Antivirus
  2. client firewalls
  3. endpoint management

They are likely to remain the top choice over the next three years. The deployment of certain technologies is expected to grow significantly. Investment in big data analytics and web application firewalls will see the greatest increases (28% and 21%, respectively). These technologies are followed by: endpoint management (19% increase), anti-virus and next generation firewalls (both15% increase) and network traffic intelligence and unified threat management (both 14% increase). The percentage of respondents who say the use of IDS and SIEM technologies decreases slightly (6%) over the next three years.

The cost impact of disruptions and damages to IT assets and infrastructure

Damage or theft to IT assets and infrastructure are costly

  1. 1 the cost of damage or theft to IT assets and infrastructure
  2. 2 the cost of disruption to normal operations

The estimated cost of disruption exceeds the cost of damages or theft of IT assets and infrastructure.

Using an extrapolation, we compute an average cost of $670,914 relating to incidents to their IT assets and infrastructure over the past 12 months. Disruption costs are much higher, with an extrapolated average of $937,197

The uncertainty security index

The study reveals that in many instances IT and IT security practitioners participating in this research are uncertain about their organization’s security strategy and the threats they face. Specifically, among participants there is a high degree of uncertainty about the following issues:

  • Did their organization have a cyber-attack during the past year?
  • Did their organization have a data breach? If so, did it involve the loss or exposure of sensitive information?
  • Are the root causes of these data breaches known?
  • Are the cyber-attacks against their organization increasing or decreasing?
  • Have exploits and malware evaded their intrusion detection systems and anti-virus solutions?
  • Do they understand the nature of advanced persistent threats (APTs)?
  • Is the use of BYOD to access business critical applications increasing and does it affect their organization’s security posture?
  • Is the use of cloud applications and/or IT infrastructure services increasing and does it affect the security posture

Uncertainty about how these issues affect an organization’s security posture could lead to making sub-optimal decisions about a security strategy. It also makes it difficult to communicate the business case for investing in the necessary expertise and technologies. Based on the responses to 12 survey questions, we were able to create an “uncertainty index” or score that measures where the highest uncertainty exists. The index ranges from 10 (greatest uncertainty) to 1 (no uncertainty).

U.S. organizations have the highest uncertainty index. This is based on the aggregated results of respondents in the following countries and regions: US, UK, Germany and Asia-Pacific. With an uncertainty score of 3.8, organizations in Germany seem to have the best understanding of their security risks.

Smaller organizations have the most uncertainty. Those organizations with a headcount of less than 100 have the most uncertainty. This is probably due to the lack of in-house expertise. As organizational size increases, the uncertainty index becomes more favourable.

An organization’s leadership team has the most uncertainty. This finding indicates why IT and IT security practitioners say their management is not making cyber security a priority. Based on this finding, the higher the position the more removed the individual could be in understanding the organization’s risk and strategy.

Retailing, education & research and entertainment have the highest uncertainty. The level of uncertainty drops significantly for organizations in the financial services and technology sectors. The high degree of certainty in the financial sector can be attributed to the need to comply with data security regulations.

Lloyds Risk Index has Cyber Risk rising from 12th to 3rd place

Lloyds Risk Index – top 10

Employees and Companies Not Taking BYOD Security Seriously

For the second year in a row, Coalfire examined the BYOD trend for interconnected employees and what it means for companies and the protection of their corporate data. Most organizations want the increase in productivity that mobile devices offer, but the majority do not provide company-owned tablets or mobile phones as a cost-saving measure. Employees who want to use these devices must buy their own and are all too often left to secure potentially private information themselves.

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: