BT boosts defences with Ethical Hacking for Finance

BT has launched an ‘ethical hacking‘ tool for the financial industry called BT Assure Ethical Hacking for Finance.

The solution uses methologies mimicking those of black hats or malicious attackers to provide a range of tests to challenge entry points to a company’s IT systems.

It has been designed to find vulnerabilities that could impact an organisation’s primary business processes and hence brand and reputation.

It also assesses weak points of an organisation, such as phishing scams, mobile devices, infrastructure hardware, networks, databases and enterprise resource planning systems.

As part of the solution, BT also tests for human failure, including examining how employees apply the policies. This fits with recent comments by Gartner’s Peter Firstbrook at the recent Security and Risk Management summit about the employee role in cybersecurity.

"[Security professionals] can’t do this alone. We must understand the limits of security technology and realise that properly motivated people can be the strongest link in our security chain.

"Phishing is the initial infection vector in almost 80 percent of infrastructure breaches. However, there are no completely effective technical controls for this problem. But when employees are motivated and understand the limitations of trust in email, the click-through rate of phishing emails drops dramatically."

BT will use CREST’s Simulated Targeted Attack and Response (STAR) services to develop robust security solutions.

Mark Hughes, president of BT Security, said: "The prospect of accessing confidential financial information is a powerful lure for hackers so few companies attract as much online criminal attention as banks. Apart from direct financial loss, a serious hack could lead to irreparable reputational damage.

"While much of the concern focuses on retail-banking activities, the threat is just as important for investment banks or for wholesale, where banks provide services like currency conversion and large trade transactions for major corporate customers."

According to Bob Tarzey, Analyst at Quocirca, the offering is welcome but does not constitute ethical hacking in the conventional sense:

"In this case it is penetration testing by another name. BT will be attempting to break its customer defences by invitation. It is just using the term "ethical hacking" to sex things up a bit.

"Some would say that true ethical hacking is uninvited, but with good intent. That said, it is good to see BT developing such a service focused on the highly targeted financial services sector."