Browse our certifications
Find training
Open page navigation
Risk ManagementIT Governance

Join the conversation

The financial crisis is 10 years old

When Lehman Brothers went into administration on 5th September 2008 it was the first major impact before other financial institutions toppled like dominoes across the globe.

Some suggest we are still experiencing the aftermath of the crash – after all, the UK Government still owns a substantial part of RBS and savers are still receiving derisory returns on their nest eggs.

The roots of the financial crisis can be traced to around 10 years pre-crash. Blunders caused by anything from “hidden investments” such as sub-prime mortgages to the property market imploding with borrowers unable to pay off their debts, ultimately brought the global financial sector to its knees.

The financial sector’s red flags included;

  • Use of Internal financial mechanisms - Poorly understood by most people, they were developed to create a new market for financial institutions to allow them to make more money (their primary concern). 
  • Warnings fell on deaf ears - Only very technical financial experts really understood what was happening and the few that warned about it were not heard.
  • No accountability - Senior managers turned their heads and rejected responsibility.
  • Tunnel vision was caused by greed - Driven by profit maximisation, the culture was one of secrecy and wilful ignorance (people were the biggest risk).

What did Cyber Security look like ten years ago?

Ten years ago, the only significant measure of cyber security (still referred to as information security) was the ISO /IEC 27001: 2005 standard – based on the UK’s BS7799 standard from 1995.

Compliance was adequate calculated on the usual risk measurement of ‘Threat X Probability = Risk’.  At the time, it was felt that only big organisations needed to worry about security, as small companies were not worth the criminals’ time. 

Systems tended to be compartmentalised as full integration had yet to be implemented.  There were some limited linkages in general, for instance, marketing had a separate system from finance and manufacturing was separate again. However, an attack on one system could still lead to an attack elsewhere in the organisation through the basic network links that were being put in place. An attack on a related supplier or partner organisation was rare.

In November 2008 The Confiker virus (a worm virus that struck the NHS just like the WannaCry 2.0 virus that would strike 9 years later) hit 190 countries worldwide and stopped aircraft flying, maritime vessels sailing, and caused a multitude of other systems to become unavailable.  At this point, the scale and pace of resilience operations had to change and, arguably, cyber security as we know it today was born.

What does Cyber Security look like today?

Roll forward to today and not only do departments connect, but so do offices; internationally and with suppliers and with their suppliers…

One breach can affect many organisations across multiple time zones (often with differing levels of cyber preparedness). This is not so different from the Confiker scenario except now our internet and network hyper-connectivity magnifies the risk many times over. We have full integration of systems with much deeper dependencies; digital service providers are much more vital to our everyday living and we have a growing dependency on massive cloud utility computing operations. 

Some people are raising red flags in today’s Cyber Security landscape

  • Cyber Security is poorly understood by a great number of people – solutions are developed and implemented as a tick box exercise. There is a shortage of expertise available to cope with the ever-evolving cyber threats that exist.
  • Often, only very technical cyber experts really understand system requirements and what is happening – They try to convey the challenges to senior management and lack the language and skills to be heard.
  • Ownership of the Cyber Security infrastructure is frequently vague.  Boards do not prioritise it.
  • Senior managers turn their heads and reject responsibility.
  • A culture of ignorance and ‘passing the buck’ exists within many organisations (Third party consultants are recruited to fix the issue – then can easily be used as a scapegoat if all goes wrong - although GDPR is changing the landscape).

In conclusion

Prior to the financial crash, everyone in the financial sector was ‘compliant’ but the Risks were not understood.

In today's cyber culture, many treat ‘compliancy’ in cyber as the goal but do we really appreciate the risks and are they being managed appropriately? Ongoing risk assessment and keeping ahead of the threat should be the norm.

It is unlikely that we have ten years to prepare for a Global System crash.

Look out for our next discussion piece

Throughout this series we will also investigate the important issues of operational risk measurement and management, operational resilience and digital survivability.

RELATED PRODUCTS

Large pile of timber logs perfectly stacked

ISO/IEC 27001

Demonstrate exemplary management of information security

View more

DVMS Institute - NIST Cybersecurity Framework

Teaching organizations of any size, scale, or complexity an Affordable, Pragmatic, and Scalable approach to facilitating secure, resilient, and auditable digital outcomes.

View more

Cyber Essentials

Cyber Essentials is a government backed scheme designed to help organisations protect themselves against cyber attacks.

View more
Close

Certifications & Solutions

Accredited Training Organizations

Leadership

Accredited training providers

Certifications & Solutions

Select any filter and click on Apply to see results