British Bankers See Supplier Risks
Financial Services Cybersecurity Summit Identifies Threats
Key figures trusted with defending and safeguarding the British financial services sector gathered earlier this month in a subterranean London conference room. Their challenge: To identify better ways to secure the British banking sector against cyber-attackers.
Behind the speakers, through a glass window, lay the ruins of the City of Londinium Wall, above which the conference venue was built. Constructed by the Romans circa AD 200, and originally 20 feet high and 8 feet wide, the crumbling stones are a reminder that even state-of-the-art defenses didn't prevent the fall of an empire.
Some defenses are better than others. But which ones count most?
Working the Angles
At the U.K. Financial Services Cybersecurity Summit, one European Commission official said that while the British banking sector's information security practices are well-regarded, two proposed EU initiatives - the "data protection regulation" and especially the "network and information security directive" - would apply equally to businesses across the EU. The reasoning: Many other countries' financial services sectors don't practice security as well as do big British banks, but you can't regulate the laggards and not the leaders.
But a senior British banking regulator promised that the U.K. government doesn't think the banking sector needs any new regulations. The regulator would appreciate it, however, if the bigger players helped to better defend the smaller ones, he stressed. "There is no competitive advantage to not be gained by not sharing threat intelligence," he said, illustrating that out of three negatives can come a positive.
Conference participants, as at so many information security gatherings of late, kept returning to the topic of threat intelligence, and the potential upsides to be gained by receiving threat intelligence from others - big banks, security firms, governments - and finally cracking the "dark Internet."
What happens, however, when one of the chief threats isn't external, but from within? The British banking sector comprises about 200 banks and 70 associated firms, and some have better information security practices than others. "Perhaps 35 to 40 banks have very significant controls in this area and are working very closely with the government," one industry official said. "However, we have to think about 200 banks."
In fact, what was especially notable at a summit that kept focusing on big-picture questions and next-generation solutions is just how much these businesses are relying on quite small organizations for clearing payments or providing other essential infrastructure services.
One financial crime expert listed the top-three threats facing the sector: insider threats, "massive political instability," and "weaknesses in suppliers' controls."
Monitoring Suppliers
An attorney suggested that businesses obtain written information security assurances from their suppliers large and small, backed up by regular audits conducted by external firms.
But such assurances only go so far toward preventing a failure in security controls, especially inside smaller organizations. Such failures could open the door to cyber-attacks that bring trades to a halt and disrupt markets, or give criminals a back door into the network of a larger organization. Participants at the conference were aware of how the latter reportedly occurred in the breach of U.S. retailer Target. Attackers accessed Target's network by first hacking into systems of one of its contractors.
"This had everyone thinking about managing security supply chain risks," said attorney John Salmon, who chaired the summit. He heads the financial services sector team at law firm Pinsent Masons. "But ... it did not seem clear that enough in the industry are taking technology supply chain cyber risk seriously."
Essential Step
If there's one overriding takeaway from the financial services security summit, it's that while threat intelligence may help businesses better secure themselves in the future, tackling the supplier problem is one sure-fire way to better safeguard yourself in the present.
Or to revisit Rome: Whether your metaphor concerns lots of walls, or layers, don't just worry about the ones you build and maintain. Also worry about the ones that are out there, and which you can't see, but on which you're relying. Before learning how others might knock them down or break them, first find them. And keep checking to see if they're still there.