Share your cyber breach data, urges ex-Bank of England CISO
Q&A with Bivonas Law advisor Don Randall
Firms must share cyber threat data with police in order to reduce the risk of being attacked, the Bank of England's former CISO believes.
The data should be anonymised to avoid reputations being tarnished, said Don Randall MBE, who took on the roles of head of security and CISO at the Bank of England in 2008, but the method would still provide police with crucial insight into cyber attacks.
Randall, who also has a background working with the City of London Police, has now joined law firm Bivonas to advise clients on regulatory and cyber risk challenges developing today.
He spoke with IT Pro for a Q&A on many cyber issues, at a time when the National Fraud Intelligence Bureau estimates web-based criminal activity to cost more than 670 million a year.
Hi Don. How necessary is stress-testing banks' security capabilities as a part of shoring up their defences against cyber criminals?
Stress testing is hugely important in assuring the community that the banks are able to withstand crisis, loss or attack. Stress testing gives an independent analysis of a bank's weaknesses, accountabilities and its capability to recover, which is an important insight when seeking to develop defences against cyber attack.
What do you think of IBM's creation of a platform sharing cyber threat data with other companies? How could this knowledge sharing improve cyber security measures generally?
As founder and chairman of the 'Sister Banks' and 'Project Griffin', I am a great believer in the importance of partnership and cooperation between the private and public sector in tackling cyber crime. If the authorities are to successfully combat cyber crime they need to have a true picture of the issue they face.
Knowledge of actual, attempted and suspected cyber attacks is essential to the authorities' understanding of the cost, methodology and motivation behind cyber crime. Many in the business sector are concerned over the reputational impact of sharing incidents of cyber attack, so we must find a way of sharing this cyber threat data in an anonymised depository, which is shared publicly and with the authorities.
As chair of the London Resilience Business Sector panel, what did you make of the recent Holborn blaze's effect on businesses? With many being law firms, do you see the cloud as a safe alternative to on-premise? It helped some chambers work remotely.
This is a reminder to all businesses of how important it is to have a comprehensive crisis management strategy. Worldwide more crises occur as a result of natural disaster or accident than through criminal activity. Businesses should take a lesson from the complexity of dealing with the Holborn blaze and the impact that had on those based in that area.
Bivonas Law have found that having a cloud-based, paper-light office structure allows them to maintain a robust resilience strategy. However, there is no one-size-fits-all answer and it is important that businesses look carefully at the potential impact of a natural or cyber-related crisis, not only in terms of the functionality of their offices, but also their responsibility to clients and potential liabilities.
With the (much debated) EU Data Regulations being slowly progressed through into law, do you think banks would benefit from having chief data officers? And is the threat of a five per cent turnover fine enough to improve the ways companies secure data, or is it a technology question?
Speculation as to the likely impact of the EU Data Regulations has provoked a shift in the business sector's approach to data security; businesses now understand that this is not just a technical issue. This is a positive change, with businesses starting to understand that broader security issues apply to data security, such as threat assessment, investigation and reporting.
Chief Data Officers are a good idea, but the challenge is the reporting structure and it is important that businesses get this right. Traditionally the Chief Data Officer would report to the Chief Information Officer, but this may result in a conflict of interest, regardless of the integrity of that individual.
I am an advocate for a reporting line to the Chief Security Officer or even the Chief Operating Officer, who would be better placed to independently assess data breach incidents.
How has the spate of data breaches over the last couple of years changed companies' attitudes to IT security?
We are seeing a higher focus at the executive level on cyber related security, with a greater understanding of the risks and potential consequences of a cyber attack. There is still a long way to go, and those who may be held accountable for data security within an organisation must ensure that they are appreciative of the broader legal and reputational consequences of a cyber attack.
In your experience, where do the most serious hacking threats come from - foreign intelligence agencies, hacktivists, cyber criminals looking for a pay day or terrorists?
The City of London Police estimate that 80 per cent of cyber crime goes unreported, and without there being a database providing information in relation to attempted cyber attacks, it is impossible for me or the authorities to say where the most serious threat comes from.
It is a worrying situation, because without knowing the totality of cyber attacks and attempts, we only have a partial picture to assist us in understanding the motivation behind cyber crime.
Understanding the motivation is key to determining where the most serious threat lies, and key to an effective prevention strategy, publicly or within an organisation.