The WannaCry ransomware cyber-attack that recently hit 300,000 victims in 150 countries was the talk of this week's huge information security (InfoSec) trade show in London, where 13,500 experts and 360 exhibitors gathered on June 6-8 to debate the latest threats and countermeasures in the ongoing battle between cyber attackers and defenders.
WannaCry is a particular type of malicious software (malware) that locks files on a computer and demands payment to unlock them, hence its ransomware sub-set name. The Europol European police agency described the recent attack as "unprecedented" and retired U.S. Admiral and ex-NATO commander, James Stavridis, told CNBC it was a "pandemic" and very "worrisome."
Delegates at this week's InfoSec trade show in London talked to CNBC about what companies can do to protect themselves in future and the lessons that can be learnt from the WannaCry attack.
These expert interviews also discuss how to protect a financial institution (FI), "where the money lives", and how to institute an effective cybersecurity policy at a new financial technology (fintech) disruptor such as Bristol-based robo-advisor Hargreaves Lansdown.
Adrian Asher, chief information security officer (CISO), London Stock Exchange (LSE) Group:
"The best way to fight WannaCry, or indeed any ransomware, is to do the basic protection methods well. Have a good upfront anti-virus system, then patching and back-up procedures in place. Beyond that you also need to think about the 'three lines of defense' model that has traditionally been used to mitigate risk."
"The Bank of England endorsed this 'three defensive lines' model last year in its Senior Managers Regime (SMR) update," continues Asher. "This requires risk responsibilities, including cyber risk, to be assigned to specific individuals within a clearly defined risk management structure."
The 'three lines' are:
- A primary function that owns and manages everyday risk. According to Asher this "would be the IT development team and information security (infosec) team at an FI working together" to ensure secure coding, good practice and that the basics are being followed.
- A secondary specialist supervisory risk management and/or compliance function that will check policy, oversee good practice and so on.
- Finally, a tertiary function needs to deliver internal and external auditing of procedures and provide independent oversight.
"It's important to have a multilayered, deep defensive posture and not to rely on a single perimeter approach," adds Asher. "This is the best way to protect your company."