A spate of cyber attacks on UK banks and a sudden upsurge in the number of banks seeing the cyber threat as a major risk have been revealed in a new Bank of England report.
The findings have led to warnings by cyber experts that the UK banking system remains vulnerable and that “even our great financial institutions have some way to go in securing vital systems and information”.
The Bank of England's November ‘Financial Stability Report’ says that the number of banks that see cyber attacks as a key risk to UK financial stability has more than doubled between the first and second halves of this year, rising to around 14 percent of banks.
Their fears are justified, the report says: “In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services.”
The report also accepts the UK banking sector is particularly open to the cyber risk because of its inter-dependent nature and ageing technology: “The financial system has a number of potential vulnerabilities to cyber attack, reflecting its high degree of interconnectedness, its reliance on centralised market infrastructure, and its sometimes complex legacy IT systems,” the report says.
The report's findings have prompted a warning from independent cyber crime expert Mike Loginov, CEO of cyber security specialist Ascot Barclay Group, that many banks have done too little to react to the growing cyber threat - and will already have been compromised without knowing it.
Loginov told SCMagazineUK.com: “This is a clear indicator that the level of threat sophistication against our banking and financial infrastructure continues to grow. As a result many if not all banks will have been compromised to a level that has yet to be uncovered.”
He added: “The banking and financial sector is critical to the national infrastructure and this sector is often used as a benchmark across industry as leading the way against cyber crime. This report makes it clear that even our great financial institutions have some way to go in securing vital systems and information.”
The ‘systemic’ threat to the UK banking and payments system is recognised in the report: “While losses have been small relative to UK banks' operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions,” it says.
It was this threat that led the Bank of England to order the widely reported 12 November test of the financial sector's ability to withstand a sustained cyber attack, known as Waking Shark II.
The Bank's latest report confirms that the results of Waking Shark II will be published in early 2014 and shared across the financial sector, but early comments from participants suggest that a major lesson from the exercise was that the interconnectedness of the sector called for greater cooperation between competitors at an earlier stage – which is not there yet.
“Security people are told not to share and financial people don't share information with competitors, so getting them to tell others that they were under attack was not easy. The environment did allow anonymous reporting of being under attack, as the earlier it was reported, the more valuable the information,” Ashley Jellyman, Head of Information Assurance at BT, which provided infrastructure for Waking Shark, as well as being a participant, told SCMagazineUK.com.
Jellyman added, “We have seen companies refuse to contribute until others have done so first, but if you don't share it doesn't work. Unless you contribute, you can't see what's happening so don't get the benefit. The more cyber-aware companies with dedicated cyber analysts still need to see what's happening, and by seeing attacks in others you can identify them in your own network. There will be a meeting on December 11th to decide the date and direction of any follow-up exercise.”
To deal with these various kinds of cyber threat, Mike Loginov says banks must adopt more ‘active’ rather than reactive technology. He told SCMagazineUK.com: “There is a wide acceptance across the cyber security community that we are most often reactively dealing with known threats and that with emerging technologies such as eDiscovery and data analytics, new threats will surface.”
His views are shared by other cyber specialists. Chris McIntosh, CEO of security and communications company ViaSat UK, told journalists in an emailed comment: “Rather than waiting for the next data breach to occur, the UK's banks need to realise that they have likely already been compromised and need to work back on this basis. Every organisation's network is at risk to the new species of threat and cyber security must reflect this. By identifying and treating the symptoms of an attack using network monitoring tools, rather than trying to immunise, banks can deal with threats as quickly as possible.”
Peter Armstrong, director of cyber security at Thales UK, added in an emailed comment sent to journalists: “It comes as little surprise that the combination of high inter-connectedness, reliance on centralised market infrastructure and complex legacy IT systems are leaving our banks vulnerable to cyber attacks. A holistic approach designed to tightly integrate cyber defences with processes, people and physical measures is crucial to ensure financial organisations are protected against the latest evolution of threat and attack vectors.”
* Meanwhile, at the individual cyber crime level, the Bank of England report's warnings coincide with the conviction at the Old Bailey last week of NatWest customer service adviser Hans Paterson-Mensah, 24, who allowed a fraudster to attach a device to the computer system at his branch in Staines. Paterson-Mensah was then able to make fake deposits totalling just over £1 million into 15 genuine customer accounts, from which he then made cash withdrawals. He was arrested after NatWest staff spotted the suspicious activity and stopped it before all of the money was taken. Paterson-Mensah will be sentenced on 20 December.