Irish banks are 'absolutely not prepared' for cyber attacks
Expert Paul Dwyer says some firms are letting inexperienced staff handle their security.
IRISH BANKS HAVE serious gaps in their security systems which need to be addressed to properly protect against cyber attacks.
That is according to one of the country’s leading cyber experts, Paul Dwyer, who said that many financial institutions have not invested enough in the area as a result of the banking crisis.
Dublin native Dwyer is the CEO of security company Cyber Risk International and the President of the International Cyber Threat Task Force (ICTTF), a not-for-profit group that aims to help connect cyber security experts with more than 3,000 members worldwide.
Speaking after a recent ICTTF breakfast briefing, he told Fora that Irish financial organisations are “absolutely not prepared” for online attacks.
“The Central Bank of Ireland has written to every financial institution in this country a number of times telling them that their boards have full responsibility for this, and they have to prove that they’re doing something about it so there’s no excuse anymore for any financial institution,” he said.
“A lot of what (is needed) is cyber hygiene basics, nothing too sophisticated. For example, data classification doesn’t exist in a lot of banks.
“By that we mean, are you treating all your data the same, or are you saying ‘this data is more important than that data?’ Because that’s the general principle of security, you don’t have the same security controls over everything.”
Gaps
He added: “That’s on page one of information security management, classifying your assets and understanding what you have. They’re finding that there are gaps there, massive gaps, but they’re not difficult gaps to fill.
“Those institutions have to take heed from the writing that’s on the wall from the Central Bank and plug those gaps and move forward. It isn’t rocket science, but if it isn’t a priority for a bank they’re not going to do it.”
Dwyer also recommended that financial companies should assign a senior staff member specific responsibility for dealing with cybercrime. However, in many cases that was yet to happen.
“Unfortunately, what we find a lot of the time with financial institutions in Ireland is that the person who becomes the chief technology officer, or whatever, has been in that organisation maybe for a long period of time.
“When you question them and ask what are their security qualifications, how do they understand cyber, you very quickly find they may not be the most appropriate person.”
Gravitas
He added: “It’s mandatory from the Central Bank that you have to appoint someone from the Central Bank who is responsible for this area. But in some organisations we work in, we meet people who are maybe 20 years of age who have been handed this poisoned chalice.
“They say, ‘I have no power to effect any change, I’m in the organisation six months’, so they’re not giving it the gravitas it needs.”
Asked how banks can better protect their customers’ data, he said: “The approach of a lot of institutions has been that they need to adopt some sort of security standard and just measure up to that.
“But not everybody is the same. Everybody will work out what is appropriate for their organisation and apply the appropriate controls.
“They need to get the tools they need to develop a management system. Some will need more education for their staff, some will need to improve their network security, different things. There’s no silver bullet.”