April 2015: Feeling Lucky?

Given that this month's issue of Waters is dominated by a cyber security theme, it seems appropriate for me to wade in and deliver my two cents on the subject. But before I do, I state openly and unequivocally that I am no expert in this field ─ until fairly recently, for example, I labored under the misconception that a DDoS was just another acronym used to describe a sophisticated trading strategy devised by ex-investment bankers behind Connecticut- and Channel Island-based alternative trading shops. But, while my newby status in this realm is undeniable, I have, over the years, found the clandestine hacking world more than a little fascinating.

Anonymous ─ the poster boys of the hacking movement ─ caught the imagination of the world press back in January 2008 through its Project Chanology stunt, where it "attacked" the Church of Scientology through a mix of pranks and hacks. Back then, the public might have been forgiven for dismissing Anonymous as a bunch of rich kids on a US college campus with lots of time on their hands and a penchant for social and economic justice, but, over the following years, government agencies from around the world, PayPal, MasterCard, Visa and Sony found out to their considerable chagrin that what might have started out as a ragtag bunch of pranksters is now a sophisticated, well-connected and highly motivated organization.

And, for the time at least, it appears that no one is immune from their threat: In early February this year, in the wake of the Charlie Hebdo attack in Paris, Anonymous launched Operation Ice ISIS, targeting the terrorist organization behind the killings, while in October 2011 it turned its considerable resources to exposing known pedophiles operating in the shadows of the dark web when it unveiled Operation Darknet. In short, you probably don't want to give these guys a reason to target your organization.

But what does this mean for capital markets chief information security officers (CISOs) and their IT departments? Well, any CISO worth their salt will be justifiably concerned by such threats to their operating environments, disquiet that is likely to carry on down the corporate halls to IT departments tasked with, at the very least, mitigating those threats. If you're a betting CISO and you're comfortable sitting on your hands, the chances are that your organization will be fine. But would you want to take that bet?

In short, you probably don't want to give these guys a reason to target your organization.