Very interesting that the Bank of England has run a series of ‘war games’ to combat cyber attacks. Apparently, up to 40 companies took part, together with the Treasury and the Financial Conduct Authority. The Bank designed the war games with input from the National Cyber Security Centre, a branch of Britain’s communications intelligence and security service, Government Communications Headquarters (GCHQ).
Actually, it’s a pity that some of us are put off by the term ‘war game’. Yet concepts of attack and defence are familiar and meaningful in many professional contexts. Here at Vedette, our definition of a war game is ‘a scenario-based model in which outcome and sequence of events affect, and are affected by, the decisions made by the players’.
We believe that war games have a role in the management of any conflict or competitive situation.
The Bank of England’s approach is instructive. We all recognise the cyber threat and know that attacks are pretty much inevitable. And it’s not necessarily as simple as someone intent on taking our money. Sooner or later we’ll all be victims of an attempt to steal, alter or damage our personal or business data. The risks and costs are potentially huge.
The General Data Protection Regulation (GDPR) forms part of the data protection regime in the UK and came into effect on 25 May. Falling foul of GDPR for breaches of data protection rights is costly. The Information Commissioner’s Office (ICO) can impose a penalty of up to £17.5m or 4% of global turnover, whichever is the greater.
In October TalkTalk was hit with a record £400,000 fine after a cyber attacker used an SQL injection to access the personal data of 156,959 customers, including the bank account numbers and sort codes of 15,656. The severity of the fine was due to TalkTalk’s failure to take the appropriate security measures to protect sensitive personal data from a well-known risk. It also took account of the large number of data subjects, the nature of the personal data held in the databases and the potential consequences of the breach.
Of course, not everyone’s business is on the scale of TalkTalk. And not everyone can get input directly from GCHQ to support their war games. But the risks are very real. So what can you do?
Vedette’s cyber, risk management and war gaming experts can help you and your business. We know the overriding importance of understanding the customer’s operating environment, strategic aims and objectives. We work closely with our clients to understand their current and future needs. We design viable, high-quality, bespoke and innovative approaches to help you to develop robust resilience and responses.
The Bank of England seems to have got it right: history illustrates the utility of wargaming – and the risks of either ignoring the results or not wargaming at all.