The Bank of England’s CBEST cybersecurity assessment program found that financial organizations are failing when it comes to basic cybersecurity practices.
The lengthy report doesn’t specify how widespread the financial firm cybersecurity failings are, but any lack of basic cybersecurity controls in the critically important financial services sector is alarming.
The “CBEST thematic” is based on 13 CBEST assessments and penetration tests of financial firms and financial market infrastructures (FMIs). The report details failings in areas like patching and hardening, identity and access control, detection, encryption, network security, incident response and employee training.
“Maintaining strong cyber hygiene is not a one-time exercise but a continuous effort to reduce exposures and strengthen resilience,” the BoE report said. “In today’s evolving threat landscape, tactical fixes alone are insufficient. While quick remediation may address immediate vulnerabilities, it often leaves underlying weaknesses unaddressed.”
The report urged organizations to consider the underlying causes of cyber risk and systemic gaps that can lead to recurring vulnerabilities, such as poor asset management, weak identity and access controls, or inadequate third-party oversight. “Addressing these foundational issues will create sustainable security improvements rather than temporary patches,” the report said.
BoE Recommendations for Financial Firm Cybersecurity
The BoE report includes findings and recommendations spanning five cybersecurity areas, three on technical controls, one on detection and response, and one focusing on staff culture, awareness, and training.
It also contained four broad recommendations:
- Patching, configuring and hardening was one. “To reduce the likelihood of severe cyberattacks firms and FMIs should look to harden operating systems, including by patching vulnerabilities and securely configuring key applications,” the report said.
- Preventing unauthorized access to sensitive systems and information can be helped with strong credential management and passwords, multi-factor authentication (MFA), secure credential storage, and network segmentation.
- Effective detection and monitoring and alerting and response processes “are key to reducing the impact from cyberattacks.”
- Risk-based remediation plans with proper oversight will “ensure the successful remediation of technical findings, including vulnerabilities.”
The full report also contains detailed recommendations from the UK’s National Cyber Security Centre (NCSC).
Financial Cybersecurity Weaknesses Detailed
In the area of infrastructure and data security, the CBEST assessments found weaknesses in infrastructure security, asset management and application security. Findings included:
- Inconsistently configured endpoints and insufficiently hardened or unpatched systems
- A lack of encryption of data-at-rest
Identity management and access control weaknesses included weak enforcement of strong password standards and secure password storage, overly permissive access controls, and inadequate restrictions on administrator and service accounts.
Weaknesses in detection and response included poorly tuned monitoring or alerting for endpoint detection and response and data exfiltration.
Network monitoring weaknesses included inadequate traffic inspection for threats like attackers hiding malicious activities in seemingly legitimate traffic or enabling outbound connectivity from unmonitored devices.
Network security weaknesses included inadequate network segmentation, such as segmentation between critical assets and between development and production environments, and inadequate application of least-privilege principles.
Staff culture, awareness and training weaknesses included:
- Staff susceptible to social engineering tactics were more likely to be vulnerable to simulated attacks aimed at credentials or system access
- Users routinely storing credentials in unprotected locations such as in spreadsheets or in open file shares
- Insecure protocols for helpdesks, such as limited or no authentication of users
“Given the sophistication of some attackers, it is important that firms and FMIs are prepared to handle breaches effectively, rather than relying solely on protective controls,” the BoE report said. “In addition to technical measures, we continue to observe challenges in staff culture, awareness, and training, highlighting that technical measures alone are not sufficient.”
Threat Intelligence Programs Also Assessed
The CBEST assessments also found “a range of maturities across cyber threat intelligence management domains.” Threat Intelligence Operations was the strongest area in self-assessments, while Program Planning and Requirements had the lowest self-assessed score.
“This suggests that although day-to-day threat intelligence operations are effective, the underlying aspects such as strategic planning, defining requirements, establishing governance frameworks, and mapping out long-term capabilities are less developed,” the BoE said. “As a result, firms and FMIs may experience a disconnect between the intelligence produced and their actual business or operational needs, potentially resulting in inefficient allocation of resources, and difficulties in scaling or evolving their threat intelligence programmes.”
