When UK mortgage lender Northern Rock sought emergency support from the Bank of England in September 2007, it sparked widespread panic, with savers queuing up outside branches all over the country to withdraw their cash. Queues outside banks became an enduring image of the ensuing financial crisis, repeated across the globe as institution after institution followed Northern Rock into near bankruptcy and in search of a bail-out.

Since the crisis, policy-makers and regulators have focused on ensuring banks have sufficient capital and liquid assets to avoid collapse or bail-out in the future. But a growing school of thought suggests they may have become too single-minded: could the next bank failure be caused, not by a credit bubble, but by cyber-attack?

“The emerging threat for banks is that cyber-crime is becoming ever more sophisticated in taking money away from banks and customers. I can’t help thinking that the attacks will become so frequent over the next five years that they will cause at least one major bank to go under – not just because of sustained attack but the loss of reputation that goes with it, accelerated by social media,” says Richard Benham, professor in residence at the UK National Cyber Skills Centre and founder of the national MBA in cyber-security, a new UK qualification designed to help business leaders deal with the cyber-threat.

Employee education

The term cyber-crime can cover a wide range of attacks, from a minor internal security lapse to a massive organised theft of data. In the UK alone, 90% of large organisations reported this year that they had suffered a security breach, up from 81% a year ago.
The average cost of the worst security breach now ranges from £1.46 million to £3.14 million, according to an annual survey conducted by PwC, a step change from the £600,000-£1.15 million reported 12 months previously.

While it is only the most high-profile attacks that are reported in the press, experts believe the vast majority of companies are likely to have suffered some kind of attack by now. A lack of adequate governance or staff training can often be responsible for even the most minor data breach; the PwC survey found that 50% of the worst breaches over the past year had been caused by inadvertent human error.

“With the threat environment we face today, it is so important that the workforce of any company understands the nature of the cyber-threat and is properly trained to avoid putting the infrastructure at risk,” says Dr Starnes Walker, founding director of the University of Delaware Cyber Security Initiative.

Education of staff is widely seen to be a priority in dealing with cyber-threats, because if employees can be trained to detect and eliminate possible threats, they can avoid significant harm being caused. But for banks that run multiple businesses with thousands of employees across the globe, pitching the message appropriately can be a challenge.

The priority, says Chris Hurran, senior associate fellow at the Institute for Security and Resilience Studies at University College London, is to put security at the heart of the business process rather than as a retrospective add-on.
Having a clear strategy and governance structure in place to deal with breaches is also critical, he adds.

“Technology is absolutely at the heart of the solution to this and the chief information security officer will play a key role, but it’s ultimately the responsibility of the business to make sure that security protocols are taken seriously and properly communicated to all employees,” Hurran explains.

Benham also stresses the importance of a company-wide response, asserting that cyber-security risks being marginalised if regarded as a pure IT issue. “Finance is increasingly becoming a digital industry so banks have to protect their biggest assets, which are their data and their reputation. That is too significant to be branded as an IT issue – board members and middle managers have to take it seriously,” he says.

Technology is part of the problem and the solution. When it comes to protecting IT architecture from external penetration, the biggest challenge may lie in the sheer number of systems that banks tend to rely on to conduct their operations across businesses and asset classes. Walker stresses the need to rigorously test each and every system before putting it into action, using both internal and external experts. Benham says: “It is critical to ensure that systems are properly vetted before being placed on a network so that any potential vulnerabilities are well understood and dealt with in advance. Using a ‘red team’ allows external experts to find weaknesses that may not have been detected during an internal IT build.”

Ensuring business continuity

Such is the probability of banks coming under regular cyber-attack that Walker advocates having effective business continuity plans in place to enable them to continue to operate under attack.
“Banks have to be able to develop and implement capabilities to enhance the resilience of business network operations and ensure a continuity of operation plan is in place as a measure of a layered cyber-defence strategy to minimise shareholder losses from a cyber-attack,” he says.

As the cyber-threat continues to grow and evolve, banks collectively and individually will have to evaluate strategies to protect themselves, their customers and their shareholders. Tackling internal deficiencies in governance and staff awareness is likely to be the first step in raising defences, but Troy Pugh, leader of the IBM Counter Fraud Intelligence Unit, believes greater government support and cross-border cooperation is needed if the threat is to be properly eliminated.

“Cyber-crime is a chaotic environment in which a wide variety of actors are trying to gain access to systems and information for a wide variety of purposes. Even though we face a very real threat, the challenge is that the government has left the private sector on its own and there is no consolidated effort to share intelligence. Technology and education can certainly help, but this is a war and we have to do a better job at collaborating to tackle it,” he says.