- Contact: Katie Wise
- Tel: 0207 520 5904
- Created date: 10 February 2016
A guest blog by Martin Tyley, KPMG Partner and Cyber Lead in the North
We live in a world where we expect tailored interactive services to be at our fingertips. The concept of going to a library to look something up in an Encyclopaedia is now alien to a generation – Teletext, the old source of instant information, is a distant memory.
Building Societies have to adapt, making more information and services available to members. The flip side of real-time information and greater service offerings is increased interest from those seeking to gain financially or wanting to cause disruption.
90% of large organisations in HM Government’s 2015 Information Security Breaches Survey indicated they’d had a breach – more stories reach us every day and it appears the situation is getting worse. Whilst some breaches remain fairly unsophisticated, and could be easily prevented, we are also seeing an increase in serious organised crime and real sophistication making some attacks difficult to prevent. Press-worthy events are now at both ends of the scale.
As well as financial crime groups we are seeing state-sponsored attacks and illegal markets where security vulnerabilities and business data are traded openly and where attackers evade law enforcement by operating from the dark web. Ultimately cyber-attackers are becoming more proficient.
It isn’t only an IT problem. While prevention is always better than cure, Building Societies need to be able to quickly detect, respond to and recover from attacks, often under public scrutiny. As a result, it’s critical that these preparations involve the whole business, not just the IT function.
What can we do to prepare?
Some organisations want to build a fortress around all data and all systems but this isn’t practical. All fortresses can be breached – there’s no such thing as 100 percent secure. Instead there has to be a balance between stopping the bad stuff from happening, knowing when it does, and knowing how to recover.
You will probably already know the worst that can happen. Work through those breach scenarios, prioritise them, and then consider which controls would be most effective to mitigate the risks. It’s likely the controls won’t mitigate the risks altogether, but they may help to quickly initiate a response process which could significantly reduce the impact of the breach.
With regard to recovery, think about how you will manage and control the process and who will be involved, such as the communications and public relations teams, the legal team, agencies and perhaps external incident response/forensic teams too.
Trying to make these decisions while you’re under attack, when you’re not sure exactly what’s going on, is almost impossible and will inevitably lead to increased reputational damage.
As an industry we’re used to conducting business continuity testing, using defined plans and looking to improve after each test – the same approach should be taken when preparing for cyber-attacks. Run through scenarios regularly, use specialists who will challenge your assumptions, make use of recent examples to improve your scenarios and make sure the right parts of your business are involved.