The Bank of England has stepped up spending on cyber security in a bid to combat the increased threat of cyber attack, and has improved cyber-security training for staff across the organisation – including warning them to be wary about revealing their roles at the Bank.
Staff training has gone as far as testing staff through “fake” phishing campaigns to see who took the bait. According to the Bank, the campaign has been largely successful, with fewer and fewer staff clicking on suspicious links and attachments.
That is according to the minutes of the latest Court of Directors meeting.
“Significant progress had been made in applying controls, but at the same time external threats had been increasing. The Bank had numerous information assets and was a key part of the UK critical national infrastructure,” according to the report.
It continued: “A £20m three-year investment programme had been agreed in 2013 and there had also been a substantial increase in day-to-day resources in the IT Security and Information Security Divisions, with an uplift of 74 FTE [full-time equivalent] staff.
“Technical controls put in place had strengthened the Bank’s ability to prevent, detect and respond to attacks. But no technical fix could guarantee security 100 per cent, so at the same time significant effort had been made to improve security awareness among all staff, and incident handling procedures had been strengthened.
“A particular concern had been to address staff issues. Inevitably some individuals had privileged access to information and/or systems, and those individuals were natural targets for profiling by potential attackers. Staff had to be aware of the risk of revealing their Bank roles through social media (easily hacked) as well as the risk from phishing attacks in the Bank.
“Education about the latter had included testing the staff through fake attacks – this was clearly working as fewer now took the bait and many more reported suspicious traffic.”
Antony Bridges, head of human performance at QinetiQ, suggested that security training for ordinary staff is much neglected by many organisations.
“Humans are often blamed for security failings, from opening up malware on emails to writing down passwords. Despite significant investment in technologies and resources committed to designing security procedures, it is often the human performance factor that is the weakness in the system,” he told Computing.
He continued: “Organisations need to ask three questions of the people within their security system:
Do they know what they need to do?
Can they do what they are being asked to do?
Will they do what they are being asked to do?
“The Bank of England has clearly identified this critical element of an effective cyber security system and is working to further develop it.”