Hargreaves Lansdown plans to open a new technology hub in Warsaw, Poland, this summer with 50 people who will work on IT development projects in conjunction with colleagues at the Bristol, U.K. headquarters. “I need to educate them in our agile development techniques where continuous innovation is demanded, alongside a requirement to practice safe coding, follow best practice and always think about cybersecurity in any new development, without slowing down its delivery,” says Kidd.
He does admit that there is nothing to prevent good cybersecurity at an incumbent FI. Indeed most retail or investment banks, insurers or wealth managers have good cybersecurity because they are handling money. “A good security culture and boardroom backing are the key ingredients in protecting any firm, whatever its functions,” he concludes.
Frank Downs, senior manager, cyber & information security, ISACA, an international trade body:
“I think you can learn lessons out of the reaction to WannaCry. There was a ‘holier than thou’ attitude from some companies that weren’t caught out,” says ISACA’s Frank Downs. “Blame was almost placed on those affected because they simply didn’t have good enough patching, data hygiene or back-up functions but that is wrong. People should be aware it may just have been a case of ‘there but for the grace of god go I’ and WannaCry could have hit them too.”
“Some firms, especially if they have older systems, might have had to run a patch overnight when it first hit because they couldn’t have downtime during the operational working day. Or perhaps they were caught out due to old legacy IT systems? This isn’t a failure of the information security (infosec) professional charged with protecting the company or of procedures. It’s an old IT problem.” Responsibility sits with the Board.
Professor Angela Sasse, Director of U.K. Research Institute for the Science of Cyber Security:
The ISACA viewpoint that old technology can be the problem is something that Professor Sasse agrees with. As she said during a keynote session looking at user behavior at the InfoSec 2017 trade show conference stream in London on 6 June: “Half of all security problems are due to crap IT! Invest in new systems.”
Speaking exclusively to CNBC afterwards, as the other interviewees did, Sasse added that her “key take-away from WannaCry was never to pay the ransom and always to back-up because at least then you can recover data, even if you do have to suffer disruption. No files are lost and it means you don’t have to pay.”
In addition to her role as Director of the U.K. Research Institute for the Science of Cyber Security (RISCS), which is funded by the National Cyber Security Centre (NCSC) that is part of GCHQ, the U.K. equivalent of America’s NSA, Sasse is a Fellow of the U.K. Royal Academy of Engineering (FREng). She is also Professor of Human-Centred Technology in the Department of Computer Science at University College London (UCL). The latter day job is focused on examining user behavior and its crucial role in ensuring cyber security.