The recent CBEST cybersecurity assessment by the Bank of England (BoE) highlights significant shortcomings in the cybersecurity practices of financial institutions. While the report does not provide specifics on the extent of these failures, the implications for the financial services sector are concerning. Basic cybersecurity controls are vital in this industry, and any lapse could have far-reaching consequences.
The CBEST thematic review, which is based on 13 assessments and penetration tests across various financial firms and financial market infrastructures (FMIs), sheds light on critical areas where organizations are falling short. The issues identified include challenges in patch management, access controls, threat detection, encryption measures, network security, incident response protocols, and employee training.
Key Observations from the Bank of England’s Report
The BoE report emphasizes that maintaining robust cybersecurity practices is not a one-off task, but rather a continuous endeavor. “Strong cyber hygiene must be ongoing to reduce risk and enhance resilience,” the report asserts. With threats evolving rapidly, organizations can no longer rely solely on quick fixes to address vulnerabilities; such an approach often neglects deeper systemic weaknesses.
According to the BoE, it’s crucial for organizations to analyze the root causes of cyber risks. Systemic gaps in asset management, ineffective identity verification, and inadequate oversight of third-party vendors can create repeated vulnerabilities. The report advocates for addressing these foundational issues to ensure long-term improvements in cybersecurity instead of just temporary solutions.
Recommendations for Enhanced Cybersecurity
Within the report, the BoE lays out findings and recommendations focused on five main areas of cybersecurity. This includes three that pertain to technical controls, one dedicated to detection and response strategies, and another emphasizing the importance of fostering a culture of security awareness among employees.
- **Patching and System Hardening:** Financial firms should prioritize hardening their operating systems. This involves patching vulnerabilities and securely configuring essential applications to lower the likelihood of severe cyberattacks.
- **Access Management:** Implementing robust credential management practices, such as multi-factor authentication (MFA) and secure storage, is vital in preventing unauthorized access to sensitive information.
- **Incident Detection and Response:** Improved monitoring and alerting can significantly reduce the impact of cyberattacks, so organizations must establish effective detection mechanisms.
- **Risk-Based Remediation Plans:** Resolving technical issues through well-managed, risk-based remediation plans leads to better outcomes in addressing vulnerabilities.
Identified Weaknesses in Cybersecurity Practices
The assessment revealed numerous vulnerabilities in infrastructure and data security. Specific weaknesses included:
- Inconsistently configured endpoints and systems that are not adequately hardened or patched.
- Lack of encryption for data stored at rest, increasing the risk of data breaches.
Weak identity management and access control further exacerbate these risks. Issues such as inadequate enforcement of strong password policies, excessive access permissions, and insufficient restrictions on service accounts compromise security.
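As an added illustration (not code from the BoE report or from any assessed firm), the following Python script audits a constructed account inventory for the three weaknesses named above: weak password-policy enforcement, excessive permissions, and insufficiently restricted service accounts. The inventory fields, the thresholds, and the list of groups treated as privileged are assumptions chosen for the example; a real audit would take them from the firm's own policy and directory export.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Assumed audit thresholds; a real audit takes these from the firm's own policy.
MIN_PASSWORD_LENGTH = 14
MAX_USER_PASSWORD_AGE_DAYS = 365
MAX_SERVICE_PASSWORD_AGE_DAYS = 90
# Groups treated as privileged for this example (Active Directory names used for familiarity).
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Server Operators"})


@dataclass(frozen=True)
class Account:
    """One row of a (constructed) account inventory export."""
    name: str
    kind: str                  # "user" or "service"
    role: str                  # business role, e.g. "analyst" or "admin"
    groups: FrozenSet[str]
    policy_min_len: int        # minimum length enforced by the password policy applied to this account
    password_age_days: int
    mfa_enabled: bool
    interactive_logon: bool    # whether the account is permitted to log on interactively


def audit_account(acct: Account) -> List[str]:
    """Return the list of hygiene findings for one account (empty if it passes)."""
    findings: List[str] = []
    if acct.policy_min_len < MIN_PASSWORD_LENGTH:
        findings.append("weak-password-policy")
    privileged = bool(acct.groups & PRIVILEGED_GROUPS)
    if acct.kind == "user":
        # Excessive permissions: privileged group membership without an admin role
        if privileged and acct.role != "admin":
            findings.append("excessive-permissions")
        if not acct.mfa_enabled:
            findings.append("no-mfa")
        if acct.password_age_days > MAX_USER_PASSWORD_AGE_DAYS:
            findings.append("stale-password")
    elif acct.kind == "service":
        # Service accounts should be tightly scoped, non-interactive and rotated
        if privileged:
            findings.append("privileged-service-account")
        if acct.interactive_logon:
            findings.append("service-interactive-logon")
        if acct.password_age_days > MAX_SERVICE_PASSWORD_AGE_DAYS:
            findings.append("service-password-not-rotated")
    return findings


def audit_inventory(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each failing account name to its findings; passing accounts are omitted."""
    report: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            report[acct.name] = findings
    return report


# Constructed sample inventory (not real accounts).
SAMPLE_INVENTORY = [
    Account("alice", "user", "analyst", frozenset({"Finance"}), 14, 120, True, True),
    Account("bob", "user", "analyst", frozenset({"Finance", "Domain Admins"}), 8, 400, False, True),
    Account("svc-backup", "service", "app", frozenset({"Backup Operators", "Domain Admins"}), 20, 700, False, True),
    Account("svc-web", "service", "app", frozenset({"WebServers"}), 24, 30, False, False),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

Running the script on the sample inventory reports `bob` (a non-admin analyst in Domain Admins with no MFA, a weak policy and an old password) and `svc-backup` (a privileged service account that can log on interactively and has not been rotated), while `alice` and `svc-web` pass. The same shape of check can be fed from a real directory export once the fields are mapped.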
Detection and response weaknesses were also highlighted, including poorly configured monitoring systems that fail to identify risks of data exfiltration and other malicious activities.
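To make the monitoring gap concrete, here is an added Python example (not code from the report or from any assessed firm) of a basic egress-volume detection: it parses constructed key=value flow records, sums bytes each internal host sends to external addresses, and raises an alert when a host exceeds both an absolute floor and a multiple of its own baseline, or has no baseline at all. The log format, the internal address ranges, the baselines and the thresholds are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed key=value log format; real proxy/firewall logs differ and need their own parser.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# The firm's internal ranges (assumed); anything outside them counts as external egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed per-host baselines: bytes each host normally sends externally in a comparable window.
BASELINE_BYTES = {"10.20.1.15": 5_000_000, "10.20.1.40": 8_000_000, "10.20.1.77": 1_000_000}
ABSOLUTE_FLOOR = 100_000_000   # below this, never alert (avoids noise from tiny baselines)
MULTIPLIER = 10                # alert when egress exceeds 10x the host's baseline

# Constructed sample records: one host pushes about 1.35 GB to a single external address.
SAMPLE_LOGS = """\
2024-05-01T09:00:03Z src=10.20.1.15 dst=10.20.5.7 dport=445 bytes_out=900000000
2024-05-01T09:01:10Z src=10.20.1.15 dst=203.0.113.25 dport=443 bytes_out=1200000
2024-05-01T09:02:44Z src=10.20.1.40 dst=198.51.100.9 dport=443 bytes_out=700000000
2024-05-01T09:03:02Z src=10.20.1.40 dst=198.51.100.9 dport=443 bytes_out=650000000
2024-05-01T09:04:51Z src=10.20.1.77 dst=203.0.113.80 dport=22 bytes_out=3000000
2024-05-01T09:05:00Z src=10.20.1.40 dst=10.20.5.7 dport=445 bytes_out=40000000
2024-05-01T09:06:18Z src=10.20.1.99 dst=203.0.113.99 dport=443 bytes_out=250000000
this line is malformed and must be skipped
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; return None for lines that do not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "bytes": int(m["bytes"])}


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def external_egress(lines: Iterable[str]) -> Dict[str, int]:
    """Sum bytes sent by each internal source to external destinations."""
    totals: Dict[str, int] = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_external(rec["dst"]):
            continue
        totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def flag_exfiltration(totals: Dict[str, int], baseline: Dict[str, int]) -> List[Tuple[str, int, str]]:
    """Return (source, bytes, reason) for hosts whose external egress is anomalous."""
    alerts: List[Tuple[str, int, str]] = []
    for src, sent in sorted(totals.items()):
        if sent < ABSOLUTE_FLOOR:
            continue
        base = baseline.get(src)
        if base is None:
            alerts.append((src, sent, "no baseline for host"))
        elif sent >= MULTIPLIER * base:
            alerts.append((src, sent, f"{sent / base:.0f}x baseline"))
    return alerts


def run_detection(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    return flag_exfiltration(external_egress(lines), BASELINE_BYTES)


if __name__ == "__main__":
    for src, sent, reason in run_detection(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {src} sent {sent:,} bytes externally ({reason})")
```

On the sample data the large internal SMB transfer from 10.20.1.15 is ignored (internal destination), 10.20.1.40 is flagged at roughly 169 times its baseline, and 10.20.1.99 is flagged because it has no baseline and still exceeds the floor. The absolute floor is what keeps a host with a tiny baseline from alerting on ordinary traffic; the per-host baseline is what catches a quiet server that suddenly starts uploading.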
Network security evaluations showed significant gaps, such as inadequate segmentation between critical assets and production environments, which could expose firms to increased threats.
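As an added example (not the report's own material), the following Python script checks a constructed firewall ruleset for the segmentation gap described above: allow rules that let production or workstation ranges reach the critical-asset zone on any port, or from a broad source. The zone map, the rule format and the "broad source" threshold are assumptions for the example; a real check would read zones and rules from the firm's own firewall export.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed zone map (an assumption): zone name -> address ranges it contains.
ZONES = {
    "critical": [ipaddress.ip_network("10.50.0.0/24")],
    "production": [ipaddress.ip_network("10.20.0.0/16")],
    "workstations": [ipaddress.ip_network("10.100.0.0/16")],
}
MIN_SOURCE_PREFIXLEN = 24   # sources wider than a /24 are treated as "broad" for this check


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    ports: str    # "any" or a comma-separated list of destination ports
    action: str   # "allow" or "deny"


def zones_touched(cidr: str) -> Set[str]:
    """Every zone whose ranges overlap the given CIDR (0.0.0.0/0 touches all of them)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {zone for zone, nets in ZONES.items() if any(net.overlaps(z) for z in nets)}


def check_rule(rule: Rule) -> List[str]:
    """Findings for one rule; only allow rules into the critical zone from elsewhere matter."""
    findings: List[str] = []
    if rule.action != "allow":
        return findings
    src_zones = zones_touched(rule.src)
    if "critical" not in zones_touched(rule.dst) or not (src_zones - {"critical"}):
        return findings
    if rule.ports == "any":
        findings.append("any-port-into-critical")
    src_net = ipaddress.ip_network(rule.src, strict=False)
    if len(src_zones) > 1 or src_net.prefixlen < MIN_SOURCE_PREFIXLEN:
        findings.append("broad-source-into-critical")
    return findings


def check_ruleset(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each problematic rule name to its findings; clean rules are omitted."""
    report: Dict[str, List[str]] = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed sample ruleset (not a real firewall policy).
SAMPLE_RULES = [
    Rule("R1-prod-to-db", "10.20.0.0/16", "10.50.0.0/24", "any", "allow"),
    Rule("R2-jump-to-db", "10.20.3.10/32", "10.50.0.5/32", "1433", "allow"),
    Rule("R3-ssh-mgmt", "0.0.0.0/0", "10.50.0.0/24", "22", "allow"),
    Rule("R4-default-deny", "0.0.0.0/0", "10.50.0.0/24", "any", "deny"),
    Rule("R5-ws-to-prod", "10.100.0.0/16", "10.20.0.0/16", "443", "allow"),
]

if __name__ == "__main__":
    for name, findings in check_ruleset(SAMPLE_RULES).items():
        print(f"{name}: {', '.join(findings)}")
```

Here R1 is flagged twice (the whole production /16 can reach the critical zone on any port), R3 is flagged for its any-source SSH rule, and the tightly scoped jump-host rule R2 passes, which is the shape segmentation should take: named sources, named destinations, named ports.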
Cultural and Training Shortcomings
Staff culture and training deficiencies also pose serious risks. Many employees demonstrated vulnerability to social engineering attacks, inadvertently compromising sensitive credentials. Common issues include storing passwords in unsecured locations like spreadsheets and using insecure helpdesk protocols.
Given the advanced techniques employed by cyber attackers today, the report stresses the need for organizations to be well-prepared to manage breaches effectively. “It’s essential that firms and FMIs combine technical measures with comprehensive staff training, as relying solely on technology is insufficient,” the BoE advises.
Evaluating Threat Intelligence Programs
Moreover, different levels of maturity in cyber threat intelligence management were noted during the CBEST assessments. While day-to-day threat intelligence operations rated well, areas like program planning and requirements lagged behind.
The BoE noted that, although operational aspects are functioning efficiently, foundational elements like governance, strategic planning, and requirement definition lack development. This disconnect can lead to ineffective use of resources and challenges in scaling threat intelligence capabilities.