War Games, Only Without the Fun

As governments prep for cyber-attacks on banks, what’s the industry itself doing?

The banking industry is at war. And as over-dramatic as that sounds, it’s not hype, it’s reality.

The U.S. National Security Agency (NSA) is closely working with its counterparts across the pond, the U.K’s Government Communications Headquarters (GCHQ) and the security service known as MI5 in a series of war games that will enable all parties to collaborate on building better defenses against cyber threats. The efforts bring together not only the top-tier government agencies but also a range of law enforcement bodies, in the process sharing information far more efficiently than is now possible.

The immediate beneficiary of these new initiatives: banks.

Large-scale attacks on corporate information infrastructures have been much in the news lately, thanks in part to the high-profile breach of servers at Sony, allegedly by North Korean forces in response to a movie lampooning the shadowy nation’s Supreme Leader. In that case, a film with tepid reviews became a beacon of free speech and many embarrassing details about Hollywood stars got leaked, but that was about it. Think what might happen if a financial services conglomerate was similarly struck.

Of course, we don’t have to think—numerous large institutions have been attacked, and many individuals have paid the price. But now that we’re so afraid of big banks going under that the phrase ‘too big to fail’ is firmly embedded in the lexicon, should we worry that many of our industry’s biggest companies are too big to fail from hacking?

That’s essentially the thinking behind the war games scenario. British Prime Minister David Cameron recently cited cyber-attacks as the “biggest modern threats that we face,” and he’s not exaggerating. However, as the research supporting the war games and other maneuvers strongly indicate, the problem isn’t just the attacks themselves, which will continue, and with increasing sophistication. The problem is the financial services industry’s lack of preparedness for large-scale assaults on the corporate networks.

A survey commissioned by the U.K. government reports that only 61% of board members know enough about their company’s critical data assets (which deserve the greatest protections) and even fewer understand the potential impact of those assets being compromised. Almost two-thirds have yet to conduct appropriate risk management analyses, and a quarter don’t even receive the regular reports they need on potential information threats.

These numbers are troubling on many levels. In pure business terms, all these institutions spend millions on IT security technologies, personnel and processes. The fact that cyber-defenses are apparently not top for mind in the boardroom, despite the massive financial outlays, reveals a surprising lack of priorities. More to the point, these hacks are typically not the work of a lone wolf—they are the product of technically skilled teams working in tandem around the globe. Any defense must be similarly sophisticated and coordinated, beginning with the upper echelon of the corporate hierarchy. The fact that governments see the urgency and some corporations apparently don’t is a huge fault line.

So if these war games play out for real—in other words, if they stop being games—which institutions are going to be the losers? It’s early in 2015: A year from now, what are the brand names that will have been tarnished by a catastrophic hack that subsequently affected millions of their customers?

It’s war, and it’s coming. Let’s hope the right defenses are in place.

Written by Jack Dougal