Infosec 2014: Meeting Regulation and Compliance Challenges in the Banking and Finance Sector:...


In the banking and finance sector the onus is on the financial organization to maintain compliance with regulations while supporting the dynamic landscape of the business. Often this means incorporating new assets or joining business units, but divesting assets can prove to be a greater challenge. In his presentation, Mitchell highlights how Skybox enabled the network visibility that was necessary to determine asset ownership while divesting part of the organization. With Skybox, BT was able to identify key assets that could have been lost during the separation and which otherwise would not have been discovered until after the separation was complete. Additionally, Mitchell will talk about reputational risk and how maintaining your reputation as a secure institution can be an important consideration when allocating funding for security. BT Global Services delivers a combination of communications and IT services to more than 10,000 organizations and governments worldwide. With decades of experience working at the forefront of network security, BT helps its customers understand and prioritize the risks faced in their organizations, and provides solutions to defend against the ever-changing threat environment.

Transcript of Infosec 2014: Meeting Regulation and Compliance Challenges in the Banking and Finance Sector:...

Page 1: Infosec 2014: Meeting Regulation and Compliance Challenges in the Banking and Finance Sector: Presented by Skybox Partner BT Global Services

Situational Awareness is Key

Risk Management for Financial Services

Page 2

Risk Management for Financial Services: Putting Things into Perspective

• BT Risk Hourglass

• BT Cyber Risk Hierarchy

• Business Case Challenges

• Justifying Risk Mitigation Expenditure

• Case Study

– The Merger

– Project Methodology

– Results

Page 3

Risk Hourglass – Case Study

Hourglass stages (diagram labels): Detection, Prevention, Emergency Response, Incident Management, Material Event(s), Non-Material Event(s), Consequential Event(s), Crisis Management, Disaster Recovery, Financial Compensation, Insurance Coverage

Diagram axes: Time, Money, People/Process

Case study timeline:

• POS equipment infected with RAM scraper and exfiltration malware.

• Data leak and malware trace signatures detected by FireEye and Symantec AV.

• Critical alerts and sirens were alleged to have been heard in India and Brazil SOCs.

• SOC teams were reported to have alerted CERT, who in turn alerted IT management.

• SOCs ordered by top management to turn off alerts/sirens and carry on, due to the Christmas shopping backlog.

• Target alerted by Federal Authorities. By then 40 million credit/debit card details had been downloaded.

• Estimated $420 million in customer compensations, $100 million in cyber insurance claims and 90 court orders.

Elapsed time from detection to notification: 2 weeks!

Page 4

Cyber Risk Hierarchy (diagram labels)

Top level: Operational ‘Cyber Risks’

Risk categories: Service Interruption, Vandalism, Theft of Information

Risk types: Overload, Sabotage, Data Theft, Industrial Espionage

Descriptions:

• Systems Overwhelmed in a Denial of Service (DDoS) Attack

• Infrastructure or Processes Destroyed or Control Taken Over

• Web Pages Defaced, Abused or Infected

• Data Exposed, Publicised or Corrupted

• Personal Data Stolen and Exploited

• Commercially Sensitive and Valuable Information Intercepted or Uploaded

Security properties affected: Confidentiality, Availability, Integrity

Page 5

Business Case Challenges

An example of a common scenario we find in business today

Page 6

Business Case Challenges

But the reality is very different…

Page 7

Justifying Risk Mitigation Expenditure: Business Case

• Risk mitigation may have to compete for funds with plans for growth and greater efficiency

• Executive scorecards rarely include risk reduction, but may include growth, cost reduction and defence of market share

• Risk mitigation aims to cut potential losses and unbudgeted expenditure

• Support for cost reduction is only realistic for high frequency risks

• Fears, Uncertainty and Doubts (FUDs) play a major role

• Regulatory compliance is a common theme

• Avoiding reputation and brand damage is an intangible justification

• Avoidance of regret is an underlying principle

• Satisfying audit requirements is valid with risk-based auditing

• Clear definition of risk appetite makes justification much easier

Page 8

A Case Study - The Merger

Page 9

Project Methodology

• Network Perimeter Discovery

• Vulnerability Assessment

• Rogue Device Detection

• Risk Exposure Analysis

Page 10

Results: Visibility

• Assessed 250,000 endpoint devices

• Extracted configurations of 550 firewalls and 20,000 routers

• Network perimeter map of LTSB and HBOS networks

• Detailed all ingress/egress points

Page 11

bt.com/globalservices