[BreachExchange] Cyber security: no longer just 'an IT problem'

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 25 19:51:12 EDT 2018


https://www.itweb.co.za/content/KA3Ww7dl34D7rydZ

No business risk in the 21st century has created more challenges and
concern to boardrooms and C-suites than cyber security risk.

Reputations have been destroyed with customers and shareholders, and recent
lawsuits have raised questions challenging the integrity of senior
executives when faced with managing the impact of a cyber attack.

The media have been unforgiving and it is very clear that no nation,
industry sector, company or individual is immune. For this reason, it is
clear that responsibility for cyber security starts at the top, and
oversight of a comprehensive and measurable risk management programme sits
with the executive leadership teams.

Today, the cyber risk has extended far beyond being "an IT problem." It has
become a serious issue of business continuity and core responsibility of
executives of businesses of any size to protect shareholder value.

The World Economic Forum Global Risks Report 2018 identifies cyber attacks
and data fraud or theft as the joint third-biggest risk in terms of
likelihood, highlighting the clear and present danger that it is a question
of "not if, but when" an organisation will suffer a loss caused by a cyber
attack.

Cyber risk ultimately poses a threat to the balance sheet; however, brand
damage and an overall loss of confidence is what should be on every
business leader's mind. If an attacker were to gain access to your
information technology or operational technology, there are many ways in
which they could cause serious harm.

The following consequences are very real as a result of the technology
growth factors that have shaped the risk landscape:

Data breach: sensitive information, such as personal data including
personally identifiable information or healthcare information, is
accessed, lost or leaked. Such data is treated as confidential to your
organisation under many US and European regulations.

Transactional fraud: compromised business e-mail accounts or social
engineering attacks that manipulate staff into making fraudulent electronic
payments.

Cyber extortion and ransomware: information which an attacker threatens to
expose, blackmailing the victim into paying them; and/or data that is
inaccessible because it has been encrypted until a ransom demand is paid to
the attacker.

Network security liability: causing damage to a third party by transmitting
malware to their IT systems.

Business interruption and disruption: caused by operational error or
malicious software (malware) that makes your own or third-party services
unavailable for a period of time.

Reputational damage: information revealed that could have short- or
long-term consequences for your own reputation or that of third parties
such as suppliers or customers.

Intellectual property theft: unauthorised access and theft of critical
insights and knowledge such as market sensitive data, corporate strategy
plans, designs and trade secrets, including merger and acquisition data.

Espionage: gaining access to commercial secrets and data not necessarily
owned by the organisation, such as unreleased film scripts or the insurance
policies of high net worth individuals.

Sabotage: deliberate damage to an organisation's ability to operate and
potential physical damage to assets.

Embarrassment: revealing material that could cause humiliation for staff,
shareholders and third parties.

Internal reputation: exposing data that could lead to the spread of rumours
and create fear, uncertainty and doubt among employees in an organisation.

For these reasons, it is critical that organisations remain vigilant and
proactively address ways in which to deter, prevent, detect, respond to and
recover from cyber security breaches.

It is also important that every business leader asks themselves and their
enterprise risk teams (political, financial, operational and security) the
following key questions:

What does cyber risk mean to them?
Who is a threat to them and why?
What measures seem proportionate to treat the risk their organisation faces?
What is a reasonable price to pay for that mitigation?

With this ever-evolving and growing threat to business survival, cyber risk
should sit firmly near the top of every organisation's Enterprise Risk
Register, with the necessary resources committed to effectively mitigate
such a critical risk.

If this subject is not being discussed regularly at board and C-suite
level, then organisations need to start educating their leadership teams so
that cyber risk management can get the 'top-down' support it requires.