Euro Security Watch with Mathew J. Schwartz

British Bankers See Supplier Risks

Financial Services Cybersecurity Summit Identifies Threats

Key figures trusted with defending and safeguarding the British financial services sector gathered earlier this month in a subterranean London conference room. Their challenge: To identify better ways to secure the British banking sector against cyber-attackers.


Behind the speakers, through a glass window, lay the ruins of the City of Londinium Wall, above which the conference venue was built. Constructed by the Romans circa AD 200 and originally 20 feet high and 8 feet wide, the crumbling stones are a reminder that even state-of-the-art defenses didn't prevent the fall of an empire.


Some defenses are better than others. But which ones count most?

Working the Angles

At the U.K. Financial Services Cybersecurity Summit, one European Commission official said that while the British banking sector's information security practices are well-regarded, two proposed EU initiatives - the "data protection regulation" and especially the "network and information security directive" - would apply equally to businesses across the EU. The reasoning: Many other countries' financial services sectors don't practice security as well as do big British banks, but you can't regulate the laggards and not the leaders.

But a senior British banking regulator promised that the U.K. government doesn't think the banking sector needs any new regulations. The regulator would appreciate it, however, if the bigger players helped to better defend the smaller ones, he stressed. "There is no competitive advantage to not be gained by not sharing threat intelligence," he said, illustrating that out of three negatives can come a positive.

Conference participants, as at so many information security gatherings of late, kept returning to the topic of threat intelligence, and the potential upsides to be gained by receiving threat intelligence from others - big banks, security firms, governments - and finally cracking the "dark Internet."

What happens, however, when one of the chief threats isn't external, but from within? The British banking sector comprises about 200 banks and 70 associated firms, and some have better information security practices than others. "Perhaps 35 to 40 banks have very significant controls in this area and are working very closely with the government," one industry official said. "However, we have to think about 200 banks."

In fact, what was especially notable at a summit that kept focusing on big-picture questions and next-generation solutions is just how much these businesses are relying on quite small organizations for clearing payments or providing other essential infrastructure services.

One financial crime expert listed the top-three threats facing the sector: insider threats, "massive political instability," and "weaknesses in suppliers' controls."

Monitoring Suppliers

An attorney suggested that businesses obtain written information security assurances from their suppliers large and small, backed up by regular audits conducted by external firms.

But such assurances only go so far toward preventing a failure in security controls, especially inside smaller organizations. Such failures could open the door to cyber-attacks that bring trades to a halt and disrupt markets, or give criminals a back door into the network of a larger organization. Participants at the conference were aware of how the latter reportedly occurred in the breach of U.S. retailer Target. Attackers accessed Target's network by first hacking into systems of one of its contractors.

"This had everyone thinking about managing security supply chain risks," said attorney John Salmon, who chaired the summit. He heads the financial services sector team at law firm Pinsent Masons. "But ... it did not seem clear that enough in the industry are taking technology supply chain cyber risk seriously."

Essential Step

If there's one overriding takeaway from the financial services security summit, it's that while threat intelligence may help businesses better secure themselves in the future, tackling the supplier problem is one sure-fire way to better safeguard yourself in the present.

Or to revisit Rome: Whether your metaphor concerns lots of walls, or layers, don't just worry about the ones you build and maintain. Also worry about the ones that are out there, and which you can't see, but on which you're relying. Before learning how others might knock them down or break them, first find them. And keep checking to see if they're still there.



About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
