British banks on red alert for hackers | Fin24
  • SA Revenue Service

    The tax agency says a unit that tackles illicit financial flows has recovered R2.6bn since April 2019.

  • Eskom

    The power utility has brought back a former manager to head up its Kusile construction.

  • Zimbabwe

    The country has turned to UAE in hopes of selling a stake in its national oil company.


British banks on red alert for hackers

Nov 19 2014 19:16

London - In the next few months hackers will try to penetrate the cyber defences of Britain's major banks and steal information about millions of customers. But for once they'll be welcome.

Banks are on red alert after cyber criminals obtained details of 83 million clients from JPMorgan Chase this year and Britain's leading lenders have signed up for tests that let teams of certified hackers attack at will.

The cyber war games will mark a major escalation in how banks test defences in a high-stakes battle with criminals.

"It's the first time that banks are having their systems tested for security threats in a live environment as opposed to a simulated or isolated one," said Stephen Bonner, a partner in the cyber security team at KPMG.

Cyber crime costs the global economy $445bn a year and the bill is rising, according to the Center for Strategic and International Studies (CSIS), which said it damages trade, competitiveness and innovation across industries.

Banks are particularly vulnerable, despite spending hundreds of millions of dollars a year on cyber defences. Increasingly sophisticated criminals are trying to steal money or client data, cause havoc in financial markets or score political points.

"A defender has to block every possible route of entry and the attacker only has to find one. That's the position the banks are still in, the world is so connected now they have to look in every direction to protect themselves," said Paul Docherty, technical director at Portcullis Computer Security, a consultancy which has been accredited to run the tests.

Attack teams

The Bank of England is behind the initiative. In June, it outlined a new framework called CBEST for handling the growing cyber threat. It includes sharing intelligence from government agencies such as Britain's GCHQ with companies, and encouraging more intense testing of financial institutions.

In the first such move by a leading central bank, the Bank of England will set the guidelines but leave banks to agree with the firms carrying out the tests how far their "attack teams" can infiltrate bank systems.

An "attack team" would typically be four to six people, including a project manager and an attack specialist at the sharp end trying to breach systems. Only a few bank employees will be aware an attack is coming.

"It's taking examples of what we see out in the wilds in the threat landscape and applying those to realistic attack scenarios on financial firms," said Adrian Nish, head of cyber threat intelligence at BAE Systems Applied Intelligence .

CREST, which is responsible for accrediting firms to do cyber security testing in Britain, has approved four firms to run these so-called Simulated Targeted Attack and Response (STAR) services, and more are expected to be accredited soon, industry sources said. Besides Portcullis, BT Group, Context Information Security and Nettitude are the other three.

Britain's biggest banks are among more than 30 financial firms lining up to go through the STAR test.

Raise your game

Pilot tests have begun and the vast majority of institutions are expected to have completed the process by the end of 2015, one of the sources said. The tests will also involve insurance companies, financial exchanges and payments systems operators.

"The financial sector has realised it needs to up its game and this is the logical progress," said Docherty.

The test starts with a vulnerability assessment to spot where risks are and set out a plan to probe those areas. This is followed by security testing, or penetration testing, to try and exploit weaknesses during a process that could take 3-6 months.

Other key infrastructure industries such as energy, telecoms and defence could follow the Bank of England's CBEST plan.

London's Metropolitan Police last month launched a new cyber crime and fraud team that will have up to 500 officers. The City of London police has linked with the New York District Attorney's Office to bolster their defences and next year plan to deploy staff permanently in each other's offices.

CBEST aims to encourage information sharing between government agencies and companies, and between firms - who have been criticised for being slow to share information on dangers.

"For the last 20 or more years hackers, attackers and that community have been sharing information and selling things to each other whilst finding ways to co-exist and grow, whereas industry has been slow to embrace collaboration," said Docherty.

Andrew Gracie, the Bank's of England executive in charge of CBEST, warned in June he would take action against any bank that was inadequately prepared for the cyber threat. Some officials have said banks should face prosecution if they allow their systems to be breached.

britain  |  banking  |  cyber crime


Read Fin24’s Comments Policy publishes all comments posted on articles provided that they adhere to our Comments Policy. Should you wish to report a comment for editorial review, please do so by clicking the 'Report Comment' button to the right of each comment.

Comment on this story
Comments have been closed for this article.

Company Snapshot

Voting Booth

How concerned are you about ransomware attacks?

Previous results · Suggest a vote