Businesses told to deliver greater cyber hygiene

The Bank of England has warned there is no end to the fight against cyber-crime, adding that firms need to up their basic cyber hygiene to keep attacks at bay.

Speaking at the City & Financial 8th Operational Resilience and Cyber Security Summit, Lyndon Nelson, deputy CEO at the Prudential Regulatory Authority and executive director, Regulatory Operations and Supervisory at the Bank of England, warned that for many risk managers the threat of cyber-attack kept them awake at night.

“For many, if cyber is not the number one risk in their risk register, it is the fastest rising,” he said. “The advance of the cyber threat is also the main gateway that people go through for the consideration of the broader operational risk agenda.”

Nelson warned there is no operator of last resort function in Threadneedle Street and no facility that can take in an operationally paralysed bank on Friday and turn out a fully functioning bank on Sunday night ready to open the next day.

“This leaves an extensive agenda for collaborative responses between industry and the authorities,” he added. “We are making good progress in the number of working groups that have been set up to collectively and collaboratively address cyber risk. One of the early deliverables was the Financial Sector Cyber Collaboration Centre (FSCCC). Its mission is to be proactive in identifying, analysing, assessing, monitoring and coordinating activities to mitigate systemic risk and strengthen the resilience of the UK financial sector against cyber.”

Nelson said the bank had undergone significant stress testing and cyber threat exercises which, whilst providing a clear indication of the strength of the market in combating the rising cyber threat, also highlighted where the markets were still failing.

“Our testing and exercising have steadily demonstrated improvements in cyber resilience, but there are still too many instances of failures in what one might call basic cyber hygiene,” he added. “Examples of cyber hygiene issues include shortcomings in vulnerability management and information storage, poor configuration of IT infrastructure and poor user account and password management.

“These issues are exhibited by both large and small firms and those from across the full range of IT infrastructure in terms of size, complexity, and budgetary resources.

“It is this inadequacy of cyber hygiene that lies at the root of over 80% of the successful cyber-attacks on firms.

“Unfortunately, we don’t have to look too far to see what can happen when controls lapse. The global wave of cyberattacks and data breaches began in January this year after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. Estimates of the impact vary, but conservatively it impacted over 250,000 servers globally.

“Given that the focus of CBEST (our threat-led penetration testing framework), the cyber stress test and our simulation exercises has been on the largest firms, which are capable of causing systemic risk, it is important for the PRA with its safety and soundness statutory objective to build tools to assess and mitigate cyber risk for smaller firms.”

He added: “We are working hard on developing a testing strategy and a framework that will allow us to increase the coverage and frequency of assessment. This will include a more approachable CBEST-style test that will be applicable for a wider range of firms. Also, in tandem with the roll-out of the supervisory approach to operational resilience, we hope to be reaching far more parts of the financial sector.

“In this past year we have also seen how the composition of attacks has shifted towards the exploitation of third-party/outsourced relationships. Usually this has been through ransomware attacks. We have always understood that as the financial sector increasingly pursues a more digital rather than analogue future, the vulnerability to cyber-attack increases.

“What the attacks on third parties have highlighted is the additional exposure created if that digital future is delivered through a patchwork of the firm’s own services and outsourced providers. In addition, where a third-party itself grows market share and a position of dominance it also becomes a source of systemic vulnerability.”

Nelson concluded by saying the fight against cyber threat had no end date.

“In truth the issue of cyber is not finite. There is no endpoint and no destination. A constant journey, where we will need to be alert and vigilant,” he added. “The good news though is that many, including the regulators, the government and the NCSC, will be taking that same journey with you.

“Many eyes make spotting vulnerabilities and threats much easier. Many hands make light work of tasks that need to be done. With such a collective effort, let’s hope that makes us all sleep easier in our beds.”