Wargaming cannot take the place of real cyber protection
It’s no big secret: cyberattacks keep business leaders up at night. In a World Economic Forum executive study in November, cyberattacks were rated as the fifth biggest risk to businesses worldwide, one place behind cybercrime and fraud, and the number one business risk in the U.S.
In fact, the collective interest regarding the threat of cyberattack is such that even run-of-the-mill training exercises now generate their own column inches. Reports of major war-gaming initiatives now surface with increasing regularity, almost always focused on the financial sector, and invariably painting a picture of institutions happily putting aside partisan concerns and competitive aspirations to develop a more effective response to this ever-escalating risk.
Back in late
2018, it was the Bank of England setting the agenda for Britain’s biggest banks
with a one-day cyber resilience exercise. Now it’s UBS’ turn, which
has recently led fourteen banks and trade associations from all over Europe in defending
a WannaCry-style attack on a simulated bank network.
For anyone unfamiliar with WannaCry, this was a ransomware attack exploiting
older Windows operating systems that hit the headlines in 2017 after it
infected 200,000 computers across 150 countries, holding hostage the computer
files of unsuspecting employees until they paid $600 to restore their ailing
systems to working order.
Given that many of the world’s biggest financial institutions still rely – at least in part – on rather archaic infrastructure, upskilling employees specifically around this type of attack clearly has its merits. There’s also a logic behind the collaborative nature of these war-gaming exercises, given the perpetual interconnectedness of our global financial systems. Indeed, some commentators believe that the next financial crisis could be precipitated by the introduction of a cyberattack contagion into the system.
And yet, logic
dictates that the next major attack sustained by one or all of our financial
institutions will not be a WannaCry-style attack, precisely because this is
something for which these institutions are now relatively well-prepared.
The vast majority of cyberattacks still rely on exploiting human vulnerability to break through the corporate defences – an employees’ inability to distinguish a potential threat from, say, a run-of-the-mill weblink, email or on-screen message. Educating employees to spot these threats will lower the likelihood that one of them makes a mistake, but it won’t eliminate the risk entirely. We’re talking about humans with many other day-to-day responsibilities, attempting to fend off the threat from hackers’ whose sole job is to trick the employee in question. This is not a fair fight, and relying upon employee vigilance is not an effective form of defence. As the threat landscape continue to evolve, organisations should be looking to take the onus off employees to defend against anything other than basic ‘common sense’ threats, rather than blaming them when things inevitably go wrong.
This brings
into question the much broader issue of preventative technology and whether, amidst
all this cyber war-gaming, the principles of joint crisis mitigation are in
fact enabling individual organisations to lag behind in their own preventative
security measures.
Clearly local and international collaborative efforts are needed to limit the potential for a cyberattack inflicting devastating sector-wide damage. Given the global devastation caused by the last financial crisis as it spread unabated, it would be ill-advised to take this threat too lightly.
Henry Harrison, co-founder and CTO of Garrison
Gloss