Cyber Risk Considerations
Cyber security is the process of protecting and recovering networks, devices and programs from any type of cyber attack. Cyber attacks are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users or interrupting normal business processes. According to Microsoft, in 2019, 44% of employees of Irish companies had experienced problems with hacking, phishing and cyber fraud [1].
The cost of a cyber attack to businesses can be astronomical from a financial, operational, regulatory and reputational point of view. A 2019 study by IBM showed that the global average cost of data breaches to businesses was $3.92 million, or $150 per record, with 51% of data breaches being caused by malicious attacks [2].
The Covid-19 pandemic saw a massive spike in cyber attacks around the globe this spring, according to a report by Microsoft [3]. The report noted that, based on overall trends, Covid-19 themed attacks appeared to come at the expense of other attacks in the threat environment. Criminals launching Covid-19 campaigns were shifting tactics as they always do, seizing on the opportunity presented by the pandemic.
The best defence is a strong cyber security system with multiple layers of protection spread across computers, devices, networks and programs, as well as employees making smart cyber defence choices.
Types of threats:
- Ransomware: This is a type of malicious software designed to extort money by blocking access to files or the computer system until a ransom is paid. But thieves can’t be trusted - paying the ransom does not guarantee that the data or system will be restored. What is to stop the attacker from doing it again, given that the company was willing to pay up once?
- Malware: This is a type of software designed to gain unauthorized access or to cause damage to a computer.
- Phishing: This is the most common type of cyber attack, where fraudulent emails are sent that resemble emails from reputable sources. The aim is to steal sensitive data like credit card numbers and login information.
- Social Engineering: This is a tactic used by cyber attackers to trick people into revealing sensitive information. They can solicit a monetary payment or gain access to confidential data. Social engineering can be combined with any of the threats listed above to make people more likely to click on links, download malware, or trust a malicious source.
Impact of a cyber security breach:
The impacts of a cyber security breach are numerous, including:
- Financial: Reputation and trust are lost, impacting customer acquisition and retention and ultimately leading to revenue loss.
- Operational: Business disruption and system downtime. A lot of time is lost investigating and rectifying the issues that caused a successful cyber attack.
- Regulatory fines
Success factors in managing cyber risk:
- Business alignment and management buy-in: Alignment of business strategy and security objectives is necessary to ensure the security framework matches the direction, goals and objectives of the company. Executive management should drive the security strategy to ensure that it is a key business focus.
- Sound governance practices: There should be clear measures of transparency and accountability at senior level to ensure the security strategy is enforced effectively.
- Keep up to date: A security strategy is not a static document - there are always new threats, and companies need to keep evolving their security strategy with continuous security hardening. Stay on top of security news, learn how attackers are targeting their would-be victims and act accordingly. This is expensive, but given the cost involved should a breach occur, it is necessary.
- Culture: Companies should facilitate a culture of openness when managing security. This fosters innovation and ensures that people do not hide problems but fix them. Good news should be celebrated and lessons learnt shouldn’t focus on the individual, but instead focus on the overall process and system.
- Education: Well-trained staff are a key line of defence against cyber attacks. Effective ongoing training makes for a strong human firewall and helps to reduce the likelihood of a successful attack by providing staff with the knowledge to avoid unintentionally downloading malware or succumbing to phishing or social engineering attacks.
References
[1] Microsoft - Securing the Future 2020: The State of Cybersecurity in Ireland
[2] IBM - 2019 Cost of a Data Breach Report
[3] Microsoft - Exploiting a crisis: How cybercriminals behaved during the outbreak