Cyber Risk Management – It’s not just for the IT Department!

In June this year, Boomerang Video Ltd, a small business selling and renting video games, was fined £60,000 by the Information Commissioner. Why? Because in 2014 an attacker got into its customer database, obtained payment card details and used them to commit fraudulent card transactions. Boomerang is one of an ever-increasing number of businesses that have experienced a data breach as a result of a cyber-attack.

We hear and read about this type of cyber event every day: another business compromised, more client information stolen and used to commit fraud.

Any business processing card payments is exposed to this risk, so surely it’s just sheer bad luck, isn’t it? Well no, it isn’t.

Businesses are judged not only on the quality of their products or services, but on how they are managed. For many, risk management is a high business priority and is embedded in their culture. Any business, regardless of size or maturity, needs to identify, measure and manage risk.

The Information Commissioner fined the company because it ‘failed to take basic steps to stop its website being attacked’. Like many businesses, Boomerang paid another company to build its website. A coding error within the website login page had left a vulnerability that was never fixed. This was exploited using a SQL injection attack, in which malicious code is embedded in the data submitted to the login page, to gain access to the customer database.
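To make the coding error concrete, here is an added example (not Boomerang's code, nor code from the article) of the two shapes a login query can take: one that splices the submitted username into the SQL text, and the parameterised form that treats it as data. The in-memory SQLite table, the user record, the probe inputs and the `resists_injection` check are all constructed for this illustration; the check is the kind of test an independent review of the website would run against the login page.

```python
import hashlib
import sqlite3


def hash_password(password):
    # Illustrative only: a real login should use a slow, salted password hash
    # (argon2 or bcrypt). SHA-256 keeps this example dependency-free.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """Constructed stand-in for a customer database with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hash_password("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The coding error: the username typed into the login form is spliced
    straight into the SQL text, so a quote character in the input changes the
    meaning of the query instead of being compared as data."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password_hash = '%s'" % (username, hash_password(password)))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened form: a parameterised query. The database driver binds the
    values separately from the SQL, so the input can never alter the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row is not None


# Constructed probe inputs an independent reviewer would submit to the login
# page. None is a valid credential, so a correct implementation rejects all.
INJECTION_PROBES = [
    ("' OR '1'='1' --", "wrong-password"),  # tautology: matches every row
    ("alice' --", "wrong-password"),        # comments out the password check
]


def resists_injection(login_fn):
    """Return True if login_fn rejects every probe, False if any probe logs in."""
    conn = make_db()
    try:
        for user, pw in INJECTION_PROBES:
            try:
                logged_in = login_fn(conn, user, pw)
            except sqlite3.Error:
                # A crash on hostile input is a separate defect, but it is not
                # a successful login, so count the probe as rejected here.
                logged_in = False
            if logged_in:
                return False
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, genuine credentials:", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, injection probe:    ", login_vulnerable(db, INJECTION_PROBES[0][0], "x"))
    print("safe, injection probe:          ", login_safe(db, INJECTION_PROBES[0][0], "x"))
    print("vulnerable resists injection?   ", resists_injection(login_vulnerable))
    print("safe resists injection?         ", resists_injection(login_safe))
```

The only difference between the two login functions is how the username reaches the database; the fix is mechanical, which is why the article calls it a basic step. The `resists_injection` check is the sort of thing an independent review would have flagged before the site went live, and it is cheap enough to keep in a test suite so the defect cannot silently return after a later change.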

Perhaps if Boomerang had treated security as a business risk and had the website independently checked for vulnerabilities, this cyber-attack might have been prevented. It would also have saved them the £60,000 they paid as a fine to the Information Commissioner.

Managing all types of risk is part of running any business, and that includes cyber security risks to digital services, computers, networks, connected/operational technologies and information. Cyber security isn’t only the responsibility of the IT department or the System Administrator maintaining and running the business IT network; it is one element of the entire business risk management process.

It’s essential that a business or organisation understands which of its assets are important to its survival, for example client data, intellectual property and the availability of its IT network. It’s just as important to know how to protect any or all of these and to implement suitable risk mitigations, for example security procedures, processes and technical controls. These, together with an internal strategy to mitigate reputational risk, all help to minimise the impact of a cyber-attack.

An estimated 3 million British businesses were compromised by a cyber-attack in 2016 with total losses amounting to £30 billion. These figures are likely to be even greater next year.

When the General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018, specific legal obligations mean that all organisations will have significantly more legal liability if they are responsible for a breach. They will also be subject to higher penalty fines of up to 4% of annual global turnover, or €20 million, whichever is greater.

With the imminence of the GDPR implementation, reviewing cyber risk ought to be high on the agenda of all Management Boards as part of their security governance.

Effective Risk Management needs to include all parts of a business or organisation, including its supply chain. In the case of Boomerang, it was the absence of a comprehensive risk management process that in the long term cost them their £60,000 penalty.

Cyber Risk Management is the responsibility of everyone within the business or organisation, because cyber security awareness has to exist at all levels. Good communication is fundamental to maintaining an understanding of the constantly evolving security risks.

Although there are many technical methodologies available to identify, assess and analyse cyber risk, there are some common risk management principles which are easy to understand:

  • Identify. Identify Risks early and repeat regularly.
  • Analyse and Prioritise. Analyse the Risks you’ve identified to understand the consequences if they materialise, and prioritise the ones that need to be managed first.
  • Plan and Schedule. Use the Risk Analysis to plan which security controls will be implemented and when.
  • Risk Treatment. Implement the technical, procedural and personal security controls that will control the risks.
  • Monitor. Track and review the controls to confirm they are effective at mitigating your risks.
  • Learn. Use the experience to raise security awareness and influence staff behaviour.

How much risk a business or organisation is willing to take to meet its objectives is referred to as its risk appetite. Risk Appetites will vary according to a number of factors, including the business’s size, its culture and objectives, and the sector it operates in. Even within a company, the Risk Appetite can vary enormously: for instance, the Finance department generally has a very low risk appetite, whereas Business Development teams are quite frequently prepared to take large risks to win new business. Ultimately the level of Risk Appetite is a Management board decision, but it needs to be communicated throughout the business so everyone is aware.
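The six principles above and the notion of risk appetite fit together as one cycle, and a small risk register shows how. The example below is added here and is not from the article or from any named scheme: the four risks, their likelihood and impact scores (1 to 5 each), the per-department appetites and the effect claimed for each control are all constructed values chosen to mirror the Boomerang case and the Finance versus Business Development contrast above.

```python
from dataclasses import dataclass, field


@dataclass
class Risk:
    name: str
    owner: str                # department that owns the risk
    likelihood: int           # 1 (rare) .. 5 (almost certain), constructed scale
    impact: int               # 1 (negligible) .. 5 (severe), constructed scale
    controls: list = field(default_factory=list)  # (control, likelihood cut, impact cut)

    def inherent_score(self):
        """Analyse: score before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self):
        """Score after the recorded controls; each factor is floored at 1."""
        likelihood = max(1, self.likelihood - sum(c[1] for c in self.controls))
        impact = max(1, self.impact - sum(c[2] for c in self.controls))
        return likelihood * impact


# Constructed appetites: the highest residual score each department will tolerate.
# Finance is deliberately strict, Business Development deliberately permissive.
RISK_APPETITE = {"Finance": 4, "IT": 6, "Business Development": 12}


def build_register():
    """Identify: a constructed register of four risks with inherent scores."""
    return [
        Risk("Website login page vulnerable to SQL injection", "IT", 4, 5),
        Risk("Customer card data retained longer than needed", "Finance", 3, 4),
        Risk("Prospect list shared in an unprotected spreadsheet", "Business Development", 3, 3),
        Risk("Laptop without disk encryption lost", "Finance", 2, 2),
    ]


def prioritise(risks, appetite=RISK_APPETITE):
    """Analyse and Prioritise: risks whose residual score exceeds the owning
    department's appetite, worst first. Risks within appetite are accepted."""
    over = [r for r in risks if r.residual_score() > appetite[r.owner]]
    return sorted(over, key=lambda r: r.residual_score(), reverse=True)


def apply_control(risk, control, likelihood_cut=0, impact_cut=0):
    """Plan / Risk Treatment: record a control and the reduction it should give."""
    risk.controls.append((control, likelihood_cut, impact_cut))
    return risk


def review(risks, appetite=RISK_APPETITE):
    """Monitor: names of the risks still outside appetite after treatment."""
    return [r.name for r in prioritise(risks, appetite)]


if __name__ == "__main__":
    register = build_register()
    print("Treat first:", review(register))
    apply_control(register[0], "Parameterised queries plus independent web test", likelihood_cut=3)
    apply_control(register[1], "Tokenise cards; do not store card numbers", impact_cut=3)
    print("Still outside appetite:", review(register))
```

Two points the table makes that the prose leaves implicit: the same residual score of 9 is accepted by Business Development but would be escalated in Finance, and the Monitor step is a re-run of the same prioritisation after treatment, so a control that fails to deliver its claimed reduction shows up as the risk reappearing on the list.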

There are a number of Certification schemes which include Risk Management as part of their core process. For many larger businesses and organisations the most common is the ISO/IEC 27001 Information Security Management System. For smaller companies, alternative routes toward assessing risk and implementing a cyber risk management process include the Government-backed Cyber Essentials (CE) scheme or the National Cyber Security Centre’s 10 Steps to Cyber Security, which provides concise information to help establish an effective cyber risk management regime.

The CE scheme, launched in 2014, is a good place to start with the assessment and management of cyber risk. Its question set is designed to provide a snapshot review of business cyber security practices. Going through the CE assessment identifies areas where improvement is required.

The UK government maintains that about 80% of cyber-attacks would be defeated by basic security controls being applied regularly. Verizon, the global enterprise technology company, has produced a Data Breach Investigations Report since 2010. It states that 99% of cyber breaches involved techniques that were not considered highly difficult.

The increasing number of cyber-attacks and the changing regulatory regime mean one thing is clear: there’s no room for complacency. If you can’t afford the fines or the effect of the reputational damage on your business, manage your cyber risks!

Learn more about how to protect your business from cyber-attack by reading additional blogs on our website.

Jane Chappell, FBCS, is the Operations Director at Arcanum IS Ltd, a specialist Cyber Security Consultancy working with Businesses, Government and the Defence Industry. One of few Lead Security & Information Risk Advisors and Auditors certified by the National Cyber Security Centre, Jane was one of the first people to gain an MSc in IT Security from Royal Holloway University. As an Army Reserve Officer she led and tasked Technical Cyber Teams worldwide and was the first woman to command a Reserve Cyber Unit.