New Testing Framework Set to Boost Banks' Cyber Defences

The CBEST initiative, announced today at the Bank of England, is the first of its kind to be led by a central bank and will aim to improve and test the resilience of financial services firms to cyber attack.

The UK financial authorities and non-profit infosecurity assurance organization CREST have teamed up to provide a world-first testing framework designed to improve banks’ resilience to advanced threats.

In development since last year, CBEST “will help the boards of financial firms, infrastructure providers and regulators to improve their understanding of the types of cyber attack that could undermine financial stability in the UK, the extent to which the UK financial sector is vulnerable to those attacks and how effective the detection and recovery processes are.”
 
The framework is designed to deliver security tests that assess people, process and technology, and that use current threat intelligence to replicate the modern, advanced attack techniques which pose such a threat to organizations today.
 
CBEST also requires the providers of this intelligence to be accredited, ensuring that it has been “ethically and legally sourced”, according to CREST president, Ian Glover.
 
“CBEST is looking at 'threat actors' that have access to significant resources including good technology and people who can spend a lot of money. A combination of the right skills, technology and financial backing means this type of threat could make a significant difference to the UK,” Glover told Infosecurity.
 
“This type of in-depth threat that attacks an organization very quietly is far harder to detect. With less sophisticated attacks there is far more noise so they are easier to pick up on using technology like intrusion detection.”
 
There’s certainly a need for banks to improve their resilience to advanced attacks. A report from the British Bankers Association (BBA) compiled by PwC revealed that 93% of large financial institutions suffered a security breach in the past year.
 
In addition, some 70% of banking bosses said they thought cybersecurity was a key growth risk, while £700m is estimated to be spent each year in the sector on combatting such problems, according to BBA head Anthony Browne.  
 
The high-level BBA event today at which CBEST was launched, Managing Cyber Risk, appears to be the industry body’s first major act after it was told to take a more central role in cyber response co-ordination.
 
Ted Julian of incident response firm Co3 Systems argued that cyber exercises last year revealed major weaknesses in incident response, including participating organizations failing to call the police after an attack.
 
“The BBA is nobly striving for a ‘global’ approach to improved collaboration and coordination – yet the real challenge is internal,” he added. “How many banks still struggle to map their incident response plans to reporting requirements required by regulations?”  
