Firms lack cyber recovery plans for 'doomsday scenarios', says Bank of England
John Milne urges companies to check that their recovery solutions would work in worst-case situations
Organisations that are victims of cyber attacks currently lack recovery plans for "doomsday scenarios", according to John Milne, head of resilience in the special resolution unit at the Bank of England.
Speaking on a panel discussion at Infosecurity Europe 2013, Milne told delegates that firms could improve their ability to react to cyber attacks by checking that their recovery solutions work, both at all times and in worst-case scenarios.
"Practise them regularly to see if they work and remain relevant to business. This is quite a challenge; it's hard for firms to focus on the doomsday scenarios," he said. "Last year RBS' IT problems affected 17 million customers, but that didn't figure anywhere in RBS' scenario planning [at the time] or indeed in other big retail banks."
Mark Jones, CISO at BAA, said this is something he has worked on himself, but in many other firms he has seen the focus is more on prevention and less on recovery.
"I've consistently seen it over the last ten years, less from the operation function on how to restructure the system than how to put IT in place so it doesn't go over. If it does go over, how do you get it back together? You're running with a bunch of latent operational risks," he stated.
Network Rail's head of information security, Peter Gibbons, agreed with Jones and Milne, stating that Network Rail faces a big challenge in being able to practise its recovery solution.
"Trying to get people interested in particular for events that are high impact but low likelihood - but where the nature of the attack is highly variable - is a real challenge. The most difficult thing [for Network Rail] is the complexity that we've built into the systems, so trying to respond to an incident... you get to a point where it is so complex, where it is non-understandable," he said.
"It is critical, but being able to recover because you know what has gone wrong is really tough," he added.
The Bank of England's Milne believes organisations can follow the government in focusing more on recovery.
"The government has some lessons to teach us in terms of thinking of the unthinkable. Government principles in information assurance mean that you start to think of unthinkable scenarios in risk management," he said.
"You have to think about the worst case, it's about being ready for doomsday."