Financial institutions (FIs) should adopt an asset-based approach to cyber risk, as the number of attacks continues to grow, experts say.

According to speakers at the FIX Trading Community EMEA conference, the traditional all-in-one IT approach is not working, and FIs should instead build IT systems tailored to each asset class on their balance sheet, giving priority to the most lucrative ones.

“You need to take a non-traditional approach. Unfortunately we’re getting all these breaches because everybody is still persevering with the traditional route, which is not actually looking at the balance sheet, the key assets and trying to understand which IT infrastructure you have to support the operation that creates wealth. You’ve got to tailor your defences according to that, and it’s not happening,” said Alex Fidgen, group director of cyber security firm MWR InfoSecurity.

He also suggested that geopolitical monitoring could be an important part of cyber protection, as attacks are generally politically motivated, targeting organisations that support – either publicly or in private – certain government policies.

He referred to the Shamoon wiper malware allegedly used by Iran against Saudi Aramco in 2012, which wiped most of the company’s computers and forced it to shut down its internal communication systems. The attack was widely seen as retaliation for Stuxnet, the worm attributed to the US and Israel that destroyed centrifuges at an Iranian nuclear enrichment facility and was discovered in 2010.

Since then, Fidgen said, Iran has been “consistently poking and prodding the US bank network” with small-scale attacks, and other countries have been looking at financial markets as an increasingly relevant target to hurt political adversaries.

“If I wanted to attack a nation-state for instance, could I use cyber in a really clever way to put such a burden on the reserve bank so that the nation could directly be made to suffer through its financial industry?”

“Your chief executives or senior board members expressing political views – that makes you a target. It brings the question: is geopolitical tension being measured properly in your organisation as a form of indicator to your likelihood of being attacked? Hardly anybody does that,” he added.

According to Fidgen, nation-states wanting to remain anonymous now give highly-organised criminal groups the remit to “do the dirty work for them”, leading to a crossover between the capabilities of the criminal organisation and the government, and making it very difficult for defensive intelligence agencies to understand attacks.

Another important aspect of cyber protection is communication: Luke Beeson, vice-president of security UK at BT, explained that the strength of criminal hacking organisations lies in their ability and willingness to share information, while commercial organisations generally limit communication with their peers, perhaps for fear of competition.

Regulators at a national level are poised to become increasingly involved in financial institutions’ cyber security programmes: a prime example is the Bank of England’s CBEST Vulnerability Testing Framework, which aims to protect the UK’s financial stability through intelligence-led penetration testing, in which the firms the Bank considers systemically important are subjected to simulated attacks modelled on the threat actors most likely to target them.

Fidgen pointed out: “With CBEST the Bank of England has done something absolutely superb. The UK recognises what’s happening, and the financial industry needs to be defensively well organised for the future. As a nation we now have a financial regulator directly assigned to investigate cyberattacks.

“They’re not interested in you as an individual organisation – what they’re really interested in is whether you would have a role to play in a systemic collapse. With this scheme you will start to see this kind of cyber security structure cascade through all the regulators.”