Cyber Business Continuity Needs Broad and Deep Together

In mid-July 2013, several of New York’s Wall Street firms participated in an exercise to test their resilience in the face of cyber-attacks. The initiative was coordinated by SIFMA, the Securities and Financial Markets Association, and included commercial financial companies, as well as the U.S. Treasury Department. Financial institutions in the US have been subjected recently to massive attacks centred on distributed denial of service (DDoS). DDoS attacks render systems inaccessible for normal use, either by generating floods of traffic to use up all the network bandwidth for the system, or by overloading the application itself. Given that such attacks are not specific to the financial arena, where else might such tests need to be done?

In the UK, government intelligence agencies are pushing for major companies from all sectors to participate in a ‘cyber health check’, if not an out-and-out attack simulation. The figures alone are alarming: the ‘Cyber Security Breaches Survey’ states that around 80% of larger British companies and 87% of smaller ones had a data breach over the past 12 months. The health check being proposed is in the form of a questionnaire to be filled in by companies. The results will then be compiled, with anonymity preserved, so that companies can benchmark their performance. But is this good enough? Data backups must always be tested to check that they will work if needed; surely the same should apply to any cyber-protection.

The UK measures have already drawn various comments from IT security experts, including a suggestion that they should at least be extended to suppliers to the companies concerned. A better approach would be to combine the broad application of the UK initiative with the in-depth ‘reality’ testing of the US. As a point of information, one of the recent UK cyber-attacks that renewed concern was on the company Lakeland – not a financial institution, but a firm selling creative kitchenware. In other words, any company is a target, and not just the ones on Wall Street or in the London City square mile.