We know it but do we do it? “Cyber must stop being treated as the domain of the IT department and should be a boardroom priority”.
This quote, from 3rd March 2016, comes from the Institute of Directors (IoD). I refer to the IoD’s findings towards the end too, because what happened to Bangladesh’s central bank, Bangladesh Bank, may be happening to us.
Two months on and the investigation into the cyber-heist at Bangladesh Bank is just about over. The speed in reaching a conclusion is less about efficient investigating than about having too little to investigate.
The reason? The central bank had no IT security and no audit trails, so there is no trace of the criminal footprint. (But please feel free to fess up if it was you.) Computing has a good article.
Officially, the Philippines, whose central bank was an unwitting partner in settling some of the fraudulent payments, has said the hackers were Chinese, deflecting responsibility elsewhere. See The Star’s article.
Officially, SWIFT, the financial sector’s mechanism of choice for transferring funds globally, “can recommend internal security measures” to its banks but does not provide “specific measures to be uniformly adopted by financial institutions to secure their networks” (see Canadian Cybersecurity Law’s article).
The question is, should it? SWIFT seems to have distanced itself from the incident, thereby implicitly answering with a ‘no’: there has been nothing related in press releases for 2016 until the 25th April – see here.
Regardless of the distancing game, the incident demonstrates the big shift in security management from technical security to strategic security. We need to think holistically across our organisations, our supply chains and our third-party dependency chains.
Given these issues, how could COBIT 5 for security have helped the central bank avoid falling into the trap? Answer: it provides a holistic context that focuses on both the firm and its business environment. There are no cut-off points between one organisation and the next.
The risks I listed in the last blog identified weaknesses in Bangladesh Bank’s culture, governance and management. There was at best ignorance, at worst apathy, in how to achieve the necessary technical capability, stakeholder management, and cultural and global understanding.
COBIT 5 for security addresses ignorance. It sets out everything you have to do to achieve the relevant security, going well beyond technical solutions. It provides both high-level and detailed approaches to assessing the business environment, ways to discover your firm’s risk appetite and tolerances, and what to look at to define the security you need.
Only then does the guide move on to security implementation and monitoring. Looking at security in context brings out the reason for security investment and makes sense of the effort and expenditure required. The overall picture is captured at the start of Chapter 2, page 55:
- Ethics and culture relating to information security
- Applicable laws, regulations and policies
- Applicable contractual regulations
- Existing policies and practices
- Maturity level of the current information security enablers
- Information security capabilities and available resources
- Industry practices
- Existing and mandatory standards and frameworks regarding information security
By reviewing these, Bangladesh Bank would have soon brought to light all the deficiencies.
The nitty-gritty is in pages 145-154. They tell you what should be done to define your IT and non-IT security solutions. But everything that comes before is there to make sure the business environment – supply chain, inter-dependencies and inter-connectedness – is fully understood. These are all introduced at the start of Appendix B, which looks at governance and then goes on to how all aspects of IT need to be managed in the business context, such as architecture, people, business relationships and projects. The guts of what security should achieve are then covered in pages 145-154, followed by the importance of reviewing security measures to ensure relevance and robustness.
The COBIT 5 security guide is available for purchase on the ISACA website. ISACA members get a discount.
Getting back to our central banks in Bangladesh and the Philippines, and SWIFT, what lessons are there that need to be applied?
For Bangladesh: COBIT 5 cannot cure apathy but can go a long way in identifying the cultural issues the bank needs to overcome. The security guide’s approach exposes vulnerabilities and helps identify what can be done, however small, to begin addressing them.
For the Philippines: COBIT 5’s security guide would have helped them review their stakeholder management.
For SWIFT: COBIT 5 could help them scan their ecosystem, identifying where the weak links are.
For all of us: “don’t let the cyber thieves in by the back door” says Dan Selman, the Ministry of Defence Cyber Industry Deputy Head (in a supplement on cyber security in City A.M. of the 25th April 2016).
To say it in another way: “businesses are not taking cyber security seriously enough”. The IoD has found “a worrying gap between awareness of the risks and business preparedness” and “official efforts to tackle cybercrime seem to be failing to get through to businesses.”
Boards have inappropriate risk and security awareness, creating a ‘cyber paradox’ whereby “business will increasingly take place online, [but] firms will no longer feel confident … when [information] is transferred”.
The IoD’s paper is available to IoD members only but an overview is accessible to all at http://www.iod.com/guidance/briefings/bis-cyber-security.
And a final point: it appears that SWIFT was also attacked, not within their internal systems but in the proprietary software they supply to their users; see Tech Week Europe’s article.
By attacking this, hackers know they don’t have to penetrate the strongest link but can move around SWIFT users to find the weakest link. This raises questions about governance, assurance, ownership and accountability. How much, in this instance, is the responsibility of SWIFT, and how much is down to its users?
I’ll be looking at assurance and how it could have influenced the heist in my next blog.
Missed Sue’s previous blog? The Central Bank Heist & COBIT 5 for Risk Management
By Sue Milton – Originally published April 28, 2016