Cyber attacks are a significant threat to UK business. At a time when cyber risks are becoming increasingly unpredictable, it’s all the more important for boards to keep pace with changing threats.
This is something that Craig Rice, Chief Executive of the Cyber Defence Alliance, understands all too well. A highly experienced security leader, Craig delivers strategic insight and decision support for cyber security, cyber risk, and cyber resilience for organisations in the UK financial sector. He ensures the Cyber Defence Alliance acts as a hub between 13 financial institutions, allowing them to share data, intelligence, expertise, and resources.
We sat down with Craig to find out more about threat intelligence, along with what finance boards need to know when it comes to protecting their businesses and their customers.
What do we mean by threat intelligence? Is it just to do with cyber or are there other risks involved?
While predominantly we’re talking about the cyber domain, i.e. the digital domain, threat intelligence also applies to criminal activity. That’s usually relayed by regional police forces. Arguably, one phenomenon we’ve seen is the strength of law enforcement and the agencies dealing with physical threats, and how their ability to deal with digital threats is changing over time. Agencies and law enforcement are putting more resources into that and becoming more competent.
Are the endpoints of cyber attacks about stealing money, or are they about shutting down the system and disrupting UK banks and financial services?
Financial services are founded on trust. If you can undermine that trust, you can undermine the confidence in an entire financial system. Exploiting the cashing out process through near real-time transactions means that you could very quickly carry out your attack in a couple of hours, even a couple of minutes, from achieving traction on somebody’s network, gaining a pivot hold, extracting the funds you need, and then cashing out through multiple mules and account systems. That means it can’t be traced. Convert that to cryptocurrency, and you’re scot-free. We know it’s a lucrative business for many.
I once came across a chap who had just finished university, and he was carrying out cyber attacks with his friends as their chosen career path. They felt they could make six-figure salaries very quickly, and live a jet-set lifestyle in the Middle East while exploiting their home turf. That, for me, really sums up how cyber attacks have become a strategic threat, and how they’re scaled beyond measure.
Have the risks increased for financial organisations as they focus more on digital?
We’re getting to the heart of the problem here because boards and the people on them have made very successful careers in the risk management business; identifying vulnerability, impact, and probability. I think what frustrates boards in many senses is that cyber doesn’t seem to fit into that risk management methodology, and the relentless hammering of that square peg into a round hole has led to several difficult discussions for boards as well.
I therefore try to break down the threat in the same way you break down the components of risk.
Risk is vulnerability, impact, and probability, whereas threat is capability, intent, and opportunity. What we’re seeing now is a cascade of capabilities, from a geopolitically state-sponsored threat actor to somebody who can get onto the dark web and purchase the relevant technology and services from people who have far more sophisticated skill sets. Financial services are facing an awful lot of opportunist threat actors, as well as what we’d call hardened threat actors, criminals, and state-sponsored threat actors who want to do serious and lasting harm.
How do you see the broader landscape of the UK economy?
This goes back to what I call your tapping your head and rubbing your tummy problem of cyber. We’re not doing cybersecurity anymore. Well, not entirely doing it.
You know, the new mantra is we must be cyber-resilient. You must be able to withstand, absorb, and recover from an attack. That’s much more about understanding where the veins, arteries, and capillaries of a company are, where the main important business services core operational processes are, and you know, what do we deliver to market?
If that isn’t done, what’s the harm that will be done?
For retail banks, it’s very obvious if retail banking is taken out. Clearly, there are people who are losing access to their funds in the day, but they might also lose transactions for mortgages for house purchases. There might be pension providers who can’t pay annuities because they’re taken out of the game. Or even people making a claim beside the road, you know, you can see somebody who’s had an accident pulled over on the side of the road, they’re walking on their own with children on the motorway, and they can’t get through to anybody because there’s a cyber attack that’s taking place.
That’s a very uncomfortable scenario that you’ve described. What sort of questions should board members be asking of their management teams? What sort of data should they be looking at?
The pedigree and provenance of the information you’re being given is absolutely vital.
What is it you know? What is it you don’t know?
If 98% of your devices are patched to the current level, where is the 2%? How do you know your total inventory? How do you know what state the other 2% are in? And how do you know that 98% are actually deployed, and up to date with their operating system? It’s about getting behind the numbers, the storytelling, and the cost.
There may be times when the complexity of the environment means things are greyed out. It’s much better that everybody in the organisation knows where those ambiguities begin and end. That’s the space that the adversary will exploit to strike the organisation.
If you could provide advice to Boards within financial services on building cyber resilience, what would it be?
I’d advise looking beneath the dashboards, looking beneath the key performance indicators, asking questions on what you might not know, and how you can close that gap. No organisation has 100% visibility of this asset inventory at any one time, because that asset inventory changes very rapidly in a cloud or software as a service delivery mechanism.
I’d also think about the value of having somebody from another organisation who is an information security professional coming to talk to the board. Not only is it assuring, but it’s also a good benchmarking exercise because it feels less lonely, as people are facing similar problems. It also helps to understand how boards are taking different approaches in different areas.
Ensuring your business is protected against evolving cyber threats requires meticulous transformation from the top down.
Click here to watch the full interview