30 Days after WannaCry – what can the financial services sector learn?

By Charles Habak, Vice President at Booz Allen Hamilton MENA, and Wayne Loveless, Principal at Booz Allen Hamilton MENA

WannaCry, or Wcry, represents the latest version of a growing threat called ransomware – a tailored piece of malware designed to exploit specific vulnerabilities in the operating systems of its victims’ computers.

Malware outbreaks are not infrequent, but Wcry spread so rapidly that it revealed vulnerabilities in the business planning, employee preparation and internal procedures of organisations all over the world. A majority of affected systems were running outdated versions of software, with no access to updates because the vendor had phased out support for these legacy systems.

The financial services sector is no stranger to the phenomenon of outdated software. Many of today’s financial systems still run on UNIX-based platforms developed in the 1980s and 1990s, which are often no longer supported by vendors.

What the financial sector can learn from the Wcry fallout is the importance of investing in a sound risk management framework that involves technology change management as well as updated software – all of which could have prevented Wcry.

Investing in a sound backup and continuity plan can also enable organisations to quickly rebuild and recover systems in the event of a cyber-attack or ransomware impact, and eliminate any need to pay a ransom. Most law enforcement agencies and cyber experts would caution against paying the ransom, as it may open the victims up to further exploitation and potential identity theft.

Financial services organisations and their leadership have a duty to protect their customers’ financial interests as well as their own institutions. This begins with a dedicated cyber agenda at the board level along with the formation of a cybersecurity action committee reporting directly to the CEO.

Bank-wide vulnerability assessments across all of the business units that are C-level driven and business-aligned should be prioritised. Additionally, a dedicated cybersecurity business unit should be formed with the goal of assessing and implementing new types of capabilities, processes and functions to combat growing threats.

Finally, banks should encourage bilateral and multilateral communication mechanisms with other banks in the marketplace, and interface with regulators to inform them of threats and share information on potential breaches. Together with threat intelligence from local, regional, and international partners, this can provide the contextual understanding needed to proactively defend institutions from future threats.

About Booz Allen Hamilton

Booz Allen Hamilton has been at the forefront of strategy and technology for more than 100 years. Today, the firm provides management and technology consulting and engineering services to leading Fortune 500 corporations, governments, and not-for-profits across the globe.

In the Middle East and North Africa (MENA) region, Booz Allen builds on six decades of experience partnering with public and private sector clients to solve their most difficult challenges through a combination of business strategy, digital innovation, data analytics, cybersecurity and resilience, operations, supply chain, organisation and culture, engineering and life-cycle project management expertise.

With regional MENA offices in Abu Dhabi, Beirut, Cairo, Doha, Dubai and Riyadh, and international headquarters in McLean, Virginia, the firm employs more than 23,300.