back to article UK finance sector: IT security testing 'becoming close to mandatory'

Regulators are nearly at the point of requiring major financial services companies to participate in a cyber security testing programme, according to the Bank of England. Minutes from a meeting of the Bank's court of directors on 16 September (10-page / 45KB PDF) provide detail of some of the efforts being taken to improve " …

  1. This post has been deleted by its author

  2. Anonymous Coward
    Anonymous Coward

    the next step

    would be a mandatory certification for all those working in IT security in important sectors.

    Followed after by a governing body to encourage continued compliance and knowledge sharing.

    Followed by a regulatory body to punish anyone failing even after all these measures have been taken.

    Followed by an exodus of talents in the industry because of over regulation and too high of an entry barrier with not enough pay.

    Then we'll be the same as teachers, doctors and nurses and a growing list of profession that are being made to take responsbility a lot of the times for things completely outside of their control.

    1. Anonymous Coward
      Anonymous Coward

      Re: the next step

      Thing is....I've met a lot of people who allegedly work in "IT Security" and only some of them have any idea what they're talking about. I'm not saying regulation is the answer, but it is a bullshit rich sector at the moment.

      1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: the next step

        I agree and I work in security, also add to that the caveat that if you stand by your principles the business will eventually find a way to eliminate you for someone more... Malleable. Or at least someone cheaper who hasn't got the full range of skills which create those awkward problems when they find things too much.

        Same little games of company department kingdom's triumphing over skill, new hip name.

  3. x 7

    highly hypocritical given that Talktalk Dido is one of the Bank of England directors

    1. allthecoolshortnamesweretaken

      Guess she shouldn't have skived off all those meetings... thats 50 points off from Jellyfish house, and NO puddings for a fortnight!

  4. Fullbeem
    Facepalm

    This why we cant have nice things

    I seem to remember the government making alot of noise in 2014 about the UK not having enough cyber security professionals. Come 2015 and after 2 (maybe 3 if i include BG) massive IT security breaches (TT & CPW) we still playing catchup and we not got enough cyber security professionals.

    Well its the British way I assume, we queue, we crap at football and we crap at IT Security generally speaking. Im off to the pub at lunchtime me thinks.

    Find me that Capt JL Picard facepalm image.

    * I work in IT Support but losing the will to fight a good fight *

    1. 0laf

      Re: This why we cant have nice things

      What they really mean is Britain doesn't have enough people that have passed either CISSP or CISM. If you don't have them you can't get past HR no matter how good your experience is.

    2. Anonymous Coward
      Anonymous Coward

      Re: This why we cant have nice things

      Jesus... How much grammatical horror can you fit into one comment?

      "A lot", "It's", "We are", "I'm", "methinks"

      Come on...it's not rocket science. If you show the same level of care and attention to detail in your job then no wonder you are struggling.

      1. Fullbeem

        Re: This why we cant have nice things

        I don't care anymore. I should have stayed in bed this morning.

        I apologise and beer o'clock is in 1 hour.

        (This comment has been checked for grammer)

        1. Anonymous Coward
          Anonymous Coward

          Re: This why we cant have nice things

          "Grammar"

          1. Anonymous Coward
            Anonymous Coward

            Re: This why we cant have nice things

            I four won am glad of the pedantitudinality off the commentarditude.

  5. TonyJ Silver badge

    How about making the people in charge responsible and accountable?

    Until we see real punitive punishments of the people (and companies) that allow the kind of breaches that have taken place. When the heads of large companies can get away with statements like "I can't tell you which data, if any, was encrypted" then nothing will change.

    All that happens is the responsibilities get pushed down the food chain as well as the blame.

  6. Anonymous Coward
    Anonymous Coward

    Mixed feelings

    I have mixed feelings about this. If there is a mandatory requirement then all that the banks will do will be the minimum to tick those boxes whilst lobbying hard to keep the framework as watered down as possible to save themselves money. It's not like they don't own the regulators.

    Some sort of big penalty financial penalty if they screw up on security - a bit like the risk to profits that normal businesses that aren't bailed out by the government face if they screw up - would be a better incentive for them to be proactive instead of box tickers.

    Had your customer database nicked? That's a big load of compensation to your customers. Better than "not our fault because we did the bare minimum to stay inside the rules".

    1. Captain DaFt

      Re: Mixed feelings

      Simples, First data breach, banned from commerce for one working week. Twice, One working month. Thrice, banned for three months, etc, etc.

      There'd never be a second data breach.

  7. Richard Jones 1

    Hold Steady

    It appears that this failure at clap trap was not at the door of some simple sap in IT but at the level of process and system. It appears to have been yet another weak link in the chain. I hope I am safe, I left their clutches a long time ago, yet their rubbish processes apparently may have kept details on file for ex-customers who have long since left their clutches. This is a process level failure at corporate process and governance level, not IT staff level. If they ran such a sloppy ship then what else is broken at the same corporate level, if regulation is needed and it sorely appeared to be needed to weed out such weak links then regulation and mandatory audits should be the way forward. Regulation should only ever catch those in charge of process and design errors, not those who have no responsibilities for other than than their defined role.

    Clap trap are part of the financial service chain, if they or anyone else does not like the heat give up and send the bag man round to collect cash on door steps.

  8. PassiveSmoking

    Explain to me...

    Why is that a bad thing? Especially in light of the TalkTalk fiasco?

  9. LucreLout

    IT Security... In Banks?

    Well, allow me....

    Some of our networks guys and server admins are genuinely brilliant. Some of their management aren't even that appaling. But, once you're in the building past the security guards downstairs, which is easy because they nod off around midnight when there's nobody around, then you can get by the around by sitting on a PC that some genius has forgotten to lock (I can see three from here), then you're in.

    So now its just between you and the programmer for access to whatever data you need. Two guesses how well that works out? A FORMER employer has trade capture systems that broadcast sensitive data over the network to any subscribers... only you can add a subscriber without authentication or authorisation. That system was supposed to be inside one of the firms Chinese Walls.

    They had password and creds laying about on the web servers & file system unencrypted, or checked into version control in plain text, and I've even seen them hard coded into source files. There were password that were unchanged in 10 years, for systems accounts, that are well known to anyone that ever worked in the team but now works elsewhere.

    There's next to no encryption, very little proactive interrogation of logs, and poorly conceived policies that are badly implemented.

    Security of IT in a bank? It doesn't exist. What does exist is a lot of people that don't understand security who believe the systems are secure. It's no better anywhere I've worked - they're all hopeless at it.

    The only bank that is different is my current employer who are best in class and a pure joy to work for.

    (Tell me when El Reg, tell me when you'll have HTTPfeckinS)

    1. Vic

      Re: IT Security... In Banks?

      you can get by the around by sitting on a PC that some genius has forgotten to lock

      One place I used to work had an interesting answer to that - if you left your terminal unlocked, you would send an email to the entire company, in which you would come out.

      Very non-PC, but surprisingly effective.

      They had password and creds laying about on the web servers & file system unencrypted, or checked into version control in plain text, and I've even seen them hard coded into source files

      The last place I worked, one department had a policy of printing out the root password for every machine and sticking it to the front panel...

      Vic.

    2. Anonymous Coward
      Anonymous Coward

      Re: IT Security... In Banks?

      All of the above is 100% true

      I saw a cash machine for a BIG bank reboot the other day. It was running XP!!!

      I always like to remember 'A Network is only as strong as your weakest link'

      Banks, NHS, local councils. From what I've seen, most are the same. The IT techs often have the skills to perform but are gagged and tied by bureaucracy and directors who know nothing of IT (or want to know).

      "Yes, yes, yes. That's all very clever, but how much is it going to cost?" is a phrase all to often heard after an IT presentation.

      (The acknowledgement of clever work may be absent)

  10. Anonymous Coward
    Anonymous Coward

    Like DUH !

    This should be mandatory of any financial institution Ferchrissake.

    1. Dan 55 Silver badge

      Re: Like DUH !

      I'd go as far to say almost any institution. It's all IT, it's just the shop window is different.

  11. Doctor Syntax Silver badge

    Testing?

    What makes anybody think they have time for testing? None of them even seem to have the resources to maintain uptime let alone testing?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022