Banks must prepare for state-sponsored cyber crime, says Bank of England

In a survey of 36 UK financial firms, the Bank of England says it found no immediate gaps in defence, but warns against complacency

In a survey of 36 financial firms in the UK, the Bank of England revealed it found no immediate gaps in their IT defences but warned against complacency.

A senior Bank of England executive said the regulator will be going back to banks again to check that improvements are made in certain areas.

In a security conference speech, Bank of England director Andrew Gracie said banks should be prepared for the highest level security attacks, including state-sponsored intrusions. “Given the importance of these firms to the stability of the financial system, this implies a level of resilience that goes beyond basic cyber hygiene but aims instead to ensure that firms are in a position to manage advanced persistent threats that are the hallmark of some state-sponsored attackers,” he said.

He warned that cyber security should not be the responsibility of junior IT staff and that company boards need to get involved.

Gracie also encouraged financial firms to get involved with ethical hacks that enable companies to test each other's security defences.

Cyber war games

The UK and US have agreed to a series of simulated cyber attacks to test each other’s resilience. The first exercise will be simulated attacks on the City of London and Wall Street, amid growing fears about the vulnerability of the financial sector.

One IT security expert working in the UK banking sector told Computer Weekly that banks face attempted attacks every day. He said they are not reported because banks don’t want to scare customers.

This view was backed up in November 2014 by Cambridge University researcher Richard Clayton, a senior researcher in security economics. He told a Treasury select committee that the amount of money being taken from people's accounts through cyber crime is twice as much as what is reported. “Insiders tell me the going rate is about twice the amount of money reported by banks goes walkies out of people’s accounts.” 

On 12 November 2013, Operation Waking Shark 2 – organised by UK financial services regulators – tested thousands of staff at London’s major financial institutions with a simulated cyber attack on systems on which the UK’s financial system depends.
