Banks Must Not Take The Internet For Granted

Last week, the Bank of England warned that the perceived risk of cyber attack on financial institutions had risen sharply, noting in its Financial Stability report that “while losses [to cyber attack] have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities.” The report also warned that if these vulnerabilities were exploited, the cost would be significant.

These warnings follow a year in which fighters allied to Al-Qassam have carried out denial of service attacks against many US-based financial institutions and during which an attack on Spamhaus peaked at over 300 Gbps of traffic. Although most of these attacks were aimed at financial organisations, what is to stop them targeting others or even infrastructure next?

The Internet hasn’t crashed… yet

To date, though, the internet has not crashed and now represents over 8 percent of the UK’s GDP, making it a valuable contributor to innovation and enterprise. As a consequence, the subject of internet blackout risk receives relatively little attention. It is often drowned out by tales of the risks associated with state-sponsored cyber crime and sophisticated malware.

Organisations should be surprised that the internet works so well, rather than be surprised when it fails. This is only an issue because it has become normal to think of the internet as a utility such as power or telecommunications, where a service is paid for with contractually agreed service levels. Out of sight, the internet is cobbled together in a whole series of insecure, sometimes outdated technologies which are lashed together with the sweat and tears of dedicated network engineers.

The internet is also dependent on numerous other factors which cannot be controlled by end users. For example, reliable power and access to cooling is needed; and a global network of cables needs to be protected from being cut by construction machinery or damaged by fishing trawler nets. Then of course, there are risks caused by those acting maliciously, which has happened in the past – and with greater attention being paid by the military to cyber attack, may well happen in the future.

It represents a leap of faith for so many organisations to bet their business model on the internet, which is managed with so few formal controls. The complexity of the internet is growing exponentially while the skills and capability to manage the systems is growing (at best) in a linear fashion. I believe that we will see substantial disruption to organisations, and entire businesses failing through not appreciating that relying on the internet means relying on third party services for which there are no contracts and not even a clear owner.

Add this to your list of risks

I take no pleasure in suggesting that another item be added to the already daunting list of business risks which need to be considered. However, heavily internet-dependent businesses which have processes and procedures in place to respond to the internet failing for a number of days are likely to be in the minority. Think, for example, about whether you have taken the time to consider the impact on your business of an extended internet outage beyond your control?

Organisations should celebrate the miracle that is the internet proving to be so robust for so long and press ahead with business as usual, but having contingency plans in place to survive a sustained loss of internet access is probably wise – from maintaining access to business-critical information to interacting with customers and having appropriate insurance to cover losses. The internet is incredible, but this shouldn’t blind us to the fact that it isn’t a traditional utility and its prolonged failure is a business risk.

Stephen Bonner is head of information protection and business resilience at KPMG LLP

It’s true – technology can fail! And we have a quiz about that!