Five points of failure in recovering from an attack

An over-emphasis on defense is leaving the financial sector exposed to cyber attack. An increase in threat levels has seen the sector bolster defenses by focusing on detection and attack response, but recovery remains a fragmented process with little investment in cyber resilience.

Cyber resilience uses threat intelligence and existing internal resources to enable the organization to cope with the inevitable: a successful attack. Auriga has identified five key points of failure that are preventing organizations from implementing an effective cyber resilience strategy.

Top issues include board-level engagement, the sharing of information, interdepartmental communication, roles and responsibilities, and the testing of incident response, all of which are key to aiding recovery.

Statistics suggest the likelihood of a breach is increasing. The number of attacks carried out against the financial sector is said to be 3:1 compared to other industries, and 585 breaches were investigated by the Information Commissioner’s Office (ICO) last year. Cyber attack simulations and the pooling of threat intelligence have improved the security stance of many financial organizations, but few have demonstrated effective cyber resilience that would enable the business to recover and resume normal operations in the event of a breach.

Auriga’s warning echoes those expressed by the Bank of England in the recent Financial Stability Report (FSR) issued 1 July 2015, which identified the need for financial organizations to adopt a state of readiness to facilitate rapid recovery. The Financial Policy Committee has revised its recommendations in line with the FSR, calling for regulators to conduct “a regular assessment of the resilience to cyber attacks of firms at the core of the financial system”, with a report on the outcome of these assessments due to be published in summer 2016.

Financial sector organizations stand to benefit from addressing cyber resilience by reviewing current practice. Auriga has identified the following five potential points of failure that hamper recovery efforts:

1. Restricting information – Information is the lifeblood of effective threat intelligence. But while many organisations have threat intelligence channels, with some even having dedicated threat intelligence teams, the way in which information is handled across the business is seldom examined. Information has to be diffused if it is to be effective, so processes need to be in place to ensure it flows via threat handling agents out into the arteries of the business.

2. Static roles – Management of cyber response often falls under the remit of the CRO or CISO, but many become confused over their role in the event of a breach. Should they enforce policy? Do they refer or take action? How should they cooperate with other departments? Allocate roles and responsibilities, but also detail how these may change in different scenarios.

3. Outsourcing because of ignorance – A recent consultancy survey found only 41 percent of the 450 senior risk management respondents surveyed felt they had the skills needed to understand the impact of multiple digital technologies. Consequently, they sought external assistance from fraud experts and even hackers. Supplementing in-house knowledge by importing expertise is advisable, but be wary of who you approach and be clear on your objectives.

4. Shopping for scenarios – Avoid off-the-shelf scenario planning or ‘playbooks’. A playbook provides a plan for how the organisation will respond to and handle a given situation. Typically there will be a different playbook or contingency plan for each attack scenario. These should be developed in-house, be specific to the company, its line of business and corporate structure, and be aligned with the security policy.

5. Untested incident response – Most organisations will have an Incident Response (IR) plan, but surprisingly few are put to the test. Stress testing can reveal bottlenecks created by communication issues and lengthy response times. Consider also how far the IR plan goes. Does it go beyond the IT team and involve the legal and corporate communications teams, for instance? How will recovery be aided both internally and externally by these teams?

“The financial sector is being subjected to an unprecedented number of attacks, across numerous vectors, motivated by a variety of intentions. Fending off every attack is simply not possible and yet the emphasis is continually placed solely on investing in more generic security protection based solutions; more emphasis needs to be placed on detection and response. There is a big difference between implementing good security countermeasures and implementing the right security countermeasures. Cyber attacks affecting your industry and organisation must inform your Cyber Defences” said James Henry, UK Southern Region Manager, Auriga.
