The Banking Crisis and Cyber Security - Are There Worrying Similarities?

When Lehman Brothers went into administration on 5th September 2008 it was the first major impact before other financial institutions toppled like dominoes across the globe.

Some suggest we are still experiencing the aftermath of the crash – after all, the UK Government still owns a substantial part of RBS and savers are still receiving derisory returns on their nest eggs.

The roots of the financial crisis can be traced to around 10 years pre-crash. Blunders caused by anything from “hidden investments” such as sub-prime mortgages to the property market imploding with borrowers unable to pay off their debts, ultimately brought the global financial sector to its knees.

• Use of Internal financial mechanisms - Poorly understood by most people, they were developed to create a new market for financial institutions to allow them to make more money (their primary concern). 
• Warnings fell on deaf ears - Only very technical financial experts really understood what was happening and the few that warned about it were not heard.
• No accountability - Senior managers turned their heads and rejected responsibility.
• Tunnel vision was caused by greed - Driven by profit maximisation, the culture was one of secrecy and wilful ignorance (people were the biggest risk).

Ten years ago, the only significant measure of cyber security (still referred to as information security) was the ISO /IEC 27001: 2005 standard – based on the UK’s BS7799 standard from 1995.

Compliance was adequate calculated on the usual risk measurement of ‘Threat X Probability = Risk’.  At the time, it was felt that only big organisations needed to worry about security, as small companies were not worth the criminals’ time. 

Systems tended to be compartmentalised as full integration had yet to be implemented.  There were some limited linkages in general, for instance, marketing had a separate system from finance and manufacturing was separate again. However, an attack on one system could still lead to an attack elsewhere in the organisation through the basic network links that were being put in place. An attack on a related supplier or partner organisation was rare.

In November 2008 The Confiker virus (a worm virus that struck the NHS just like the WannaCry 2.0 virus that would strike 9 years later) hit 190 countries worldwide and stopped aircraft flying, maritime vessels sailing, and caused a multitude of other systems to become unavailable.  At this point, the scale and pace of resilience operations had to change and, arguably, cyber security as we know it today was born.

Roll forward to today and not only do departments connect, but so do offices; internationally and with suppliers and with their suppliers…

One breach can affect many organisations across multiple time zones (often with differing levels of cyber preparedness). This is not so different from the Confiker scenario except now our internet and network hyper-connectivity magnifies the risk many times over. We have full integration of systems with much deeper dependencies; digital service providers are much more vital to our everyday living and we have a growing dependency on massive cloud utility computing operations. 

• Cyber Security is poorly understood by a great number of people – solutions are developed and implemented as a tick box exercise. There is a shortage of expertise available to cope with the ever-evolving cyber threats that exist.
• Often, only very technical cyber experts really understand system requirements and what is happening – They try to convey the challenges to senior management and lack the language and skills to be heard.
• Ownership of the Cyber Security infrastructure is frequently vague.  Boards do not prioritise it.
• Senior managers turn their heads and reject responsibility.
• A culture of ignorance and ‘passing the buck’ exists within many organisations (Third party consultants are recruited to fix the issue – then can easily be used as a scapegoat if all goes wrong - although GDPR is changing the landscape).

Prior to the financial crash, everyone in the financial sector was ‘compliant’ but the Risks were not understood.

In today's cyber culture, many treat ‘compliancy’ in cyber as the goal but do we really appreciate the risks and are they being managed appropriately? Ongoing risk assessment and keeping ahead of the threat should be the norm.

It is unlikely that we have ten years to prepare for a Global System crash.