Back in June I wrote here in the Huffington Post about Quantum Dawn 2, the US exercise in which major Wall Street institutions were tested on their preparedness to face the cybercrime threat.
Involving a number of US federal bodies, including the Department of Homeland Security and the Securities and Exchange Commission, the cyber drill aimed to test just how well these companies and organizations react and collaborate in order to protect their cyber assets.
I applauded this action and wondered why other governments were not doing something similar.
Well, it seems that this week there is news that the UK's Financial Policy Committee (FPC) is running a similar project, Operation Waking Shark, which will test UK banks on how prepared they are to face a concerted cyberattack.
Of course Operation Waking Shark is an exercise rather than a test, so there won't be any losers or winners per se, and as the old adage goes, failing to plan is planning to fail. That said, when it comes to cyber security you have a living, breathing adversary on the other side, which makes it hard to predict what might be coming at you. Regular testing of cyber security defences, whether through sector-wide exercises like this one or through routine testing of your own systems and response procedures, is critical to ensure your defences are as robust as they can possibly be.
It's a fact that for many organisations it's not "if" but "when" a breach will happen. Organisations should start by asking themselves "what would I do differently if I knew I was going to be compromised?" and then build their security strategy around that scenario: how quickly they would detect the intrusion, how they would contain it, and how they would recover. Furthermore, organisations shouldn't obsess about "who" is attacking them or from "where", but keep focused on the threats themselves, the techniques being used against them and their effective remediation. That way they can better protect themselves when the inevitable happens.
Judging by media stories and what we hear from our own customers in some of the world's major financial institutions, cyber attacks on critical infrastructure are happening continually. Increasingly, organisations realize that the 'rules' of the game have changed: whether it is state-sponsored attacks, activism or 'good old' financial gain that motivates the attackers, it is no longer a question of if you get attacked, but when.
For years the cyber security industry has talked about the latest silver bullet that will protect against the latest threat. But the sad fact is that despite millions of pounds being spent to protect institutions around the world, cyber attacks continue day after day.
So in order to protect against cyber attack, organisations must think like an attacker. They have to recognize that the cybercriminals who carry out today's attacks are professionals: well funded, well resourced, and able to bring in the right expertise to do the job they are paid to do. They are often in it for the long game and will work for days, weeks, months or even years to find a weak link and exploit it.
After all, this is a multi-million, perhaps multi-billion, dollar business, and it is time we as business and government leaders saw it as such rather than as childish pranks by misguided and bored youths.
Practice makes perfect, as the saying goes, so we as the cyber security community need to practise and ensure we have the processes and procedures in place so that when the inevitable happens we are ready and can limit the damage. Only then can we know that we have the best defences in place and the best network intelligence available, so that our businesses are not making the news headlines for the wrong reasons in future.