The UK’s financial firms will face a major stress test of their security systems today in order to tell how strong they are in the face of a cyber attack.
According to Reuters, the “Waking Shark II” test will bombard firms with a series of announcements and scenarios, such as how a major attack on computer systems might hit stock exchanges and unfold on social media. It will be co-ordinated from a single room housing regulators, government officials and staff from banks and other financial firms.
Simulations are likely to include how high street and investment banks ensure the availability of cash from ATM machines or deal with a liquidity squeeze in the wholesale market and how well firms communicate and coordinate with authorities and each other.
According to Security Watch, the first event in 2011 engaged over 100 people from across 33 organisations spread across the realms of financial services, infrastructure providers and the financial providers and simulated a cyber attack across the breadth of financial services, including wholesale and retail payments and online services.
Barry Shteiman, director of security strategy at Imperva, commended coordinators the Bank of England, the Treasury and Financial Conduct Authority, for what he called a “great idea”.
“In the past few years, we’ve seen some focused and proactive security programs in the UK. Having a committee planning security controls, cyber attack response steps and a high-level protection plan is an important initiative. This means that the different financial cyber security heads in the UK can join forces to strategically plan how to mitigate potential cyber threats,” he said.
“This also means that the government will potentially have a way to regulate and measure the cyber security state based on an educated study of best practices, which will lead to businesses (and individual’s) financial information and estates to be secured in a much more focused way.
Graham Welch, EMEA managing director of Sourcefire, said: “Operation Waking Shark 2 is an exercise, rather than a test – so there won’t be any losers or winners, per se – and as the old adage goes, failing to plan is planning to fail. That said, when it comes to cyber security you have a living, breathing adversary on the other side – and this makes it hard to predict what might be coming at you. Regular testing of cyber security defences is critical to ensure your defences are as robust as they can possibly be.”
Jon French, security analyst at AppRiver, said: “It’s not a bad idea to participate in a war games effort for a cyber security threat. With cyber attacks becoming a more common occurrence for many businesses, it’s important to stay on top of information security; this means focusing efforts on preventing breaches and attacks as well as testing disaster plans that are in place.
“Running through war game scenarios can help people remember and know what to do in case of a real issue. Likewise, it can provide valuable feedback to those who write and maintain the protocols so they can refine and fix any issues with the current policies in pl
ace.
ace.
“There are many attacks and vectors to look at before carrying out these games- so many that it would be impossible to prepare for them all. That’s why it is critical for security teams to not only think of different breach scenarios, but to also implement a set of policies that deals with issues when/if they arise. The effort put in to the simulations can possibly outweigh being caught off guard and unprepared for any real threats in the future.”
Ross Brewer, vice president and managing director for international markets at LogRhythm, said: “Earlier this year, the Bank of England’s director of financial stability, Andrew Haldane, admitted that the threat of a cyber attack has overtaken the euro zone crisis as the main concern for British banks. It’s therefore a positive step that the financial services industry is taking a proactive approach and testing its defences – both in terms of infrastructure and staff.
“We are all well aware of the threat posed by a cyber attack in theory; however the practice of a large scale attack on national systems could be a very different matter.”
