By Bachir El Nakib (CAMS), Senior Consultant, Compliance Alert (LLC).
'Cyber risk' means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
For a cybersecurity expert, the Oxford Dictionary definition of cyber threat is a little lacking: "the possibility of a malicious attempt to damage or disrupt a computer network or system." This definition is incomplete without including the attempt to access files and infiltrate or steal data.
In this definition, the threat is defined as a possibility. However, in the cybersecurity community, the threat is more closely identified with the actor or adversary attempting to gain access to a system. Or a threat might be identified by the damage being done, what is being stolen or the Tactics, Techniques and Procedures (TTP) being used.
In 2012, Roger A. Grimes provided this list, published in Infoworld, of the top five most common cyber threats:
Social Engineered Trojans
Unpatched Software (such as Java, Adobe Reader, Flash)
Network traveling worms
Advanced Persistent Threats
But since the publication of this list, there has been widespread adoption of several different types of game-changing technology: cloud computing, big data, and adoption of mobile device usage, to name a few.
In September 2016, Bob Gourley shared a video containing comments from Rand Corporation testimony to the House Homeland Security Committee, Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies regarding emerging cyber threats and their implications. The video highlights two technology trends that are driving the cyber threat landscape in 2016:
Internet of Things – individual devices connecting to the internet or other networks
Explosion of data – stored in devices, desktops and elsewhere
Today, the list of cyber threats may look more like this, and cyber threats are typically composed of a combination of these:
Advanced Persistent Threats
Distributed Denial of Service (DDoS)
Intellectual Property Theft
Theft of Money
Man in the Middle (MITM)
Unpatched software, seemingly the simplest vulnerability, can still lead to the largest leaks, as in the case of the Panama Papers.
Sources of Cyber Threats
In identifying a cyber threat, more important than knowing the technology or TTP, is knowing who is behind the threat. The TTPs of threat actors are constantly evolving. But the sources of cyber threats remain the same. There is always a human element; someone who falls for a clever trick. But go one step further and you will find someone with a motive. This is the real source of the cyber threat.
But not all cyber threats come from foreign countries. Recently, Pierluigi Paganini @securityaffairs reported that police arrested two North Carolina men who are alleged to be members of the notorious hacking group called 'Crackas With Attitude' which leaked personal details of 31,000 U.S. government agents and their families.
Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, security includes both cybersecurity and physical security.
Top 5 cybersecurity risks for 2015. From identity theft and fraud to corporate hacking attacks, cybersecurity has never been more important for businesses, organizations and governments. Hacking experts warn there are plenty more security risks ahead in 2015 as cyber criminals become more sophisticated. Dec 19, 2014
Cyber Risk Management
The risks and opportunities which digital technologies, devices and media bring us are manifest. Cyber risk is never a matter purely for the IT team, although they clearly play a vital role. An organisation's risk management function needs a thorough understanding of the constantly evolving risks as well as the practical tools and techniques available to address them.
What do we mean by cyber risk?
Cyber Risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
It will never happen to us...
All types and sizes of organisations are at risk, not only the financial services firms, defence organisations and high profile names which make the headlines.
Cyber risk practical guidance
The Cyber and Information Management Special Interest Group (SIG) conducted extensive research into the dynamic issue of cyber threats to business, governments and global enterprises. They have produced a practical guide for risk professionals and senior executives to help demystify the issue of cyber risk.
Members of the group commented ‘the true extent of the risk has yet to be assessed – let alone managed. And the threat is very real. Risk professionals need to wake up and smell the coffee before it is too late’.
Cyber risk: Nightmare or opportunity?
BAE Systems Applied Intelligence and IRM present a journey in cyber risk perception – from doom and gloom to added value in the boardroom.
A crossroads has been reached. Cyber risk can either continue to be seen as negative – as another potential set of costs, complicated procedures and incoming legislative demands – or firms can use good cyber risk management as a differentiator from competitors, as a selling point to clients, and as a measure of reassurance to stakeholders.
In fact, in the borderless world of information technology, computer-security specialists and corporate risk managers have begun working under the assumption that it is impossible for companies to keep their networks completely free from penetration, according to the lead story of our package, "What's the Cost of a Cyber Attack?" Given that reality, they are zeroing in on the need to detect hackers once they are inside the system and to respond to the attack, rather than just focusing on sealing networks from every possible breach.
“Traditionally, cybersecurity has been focused on the front protection piece,” including internal controls, employee training, and firewalls, according to Heather Crofford, CFO of shared services at Northrop Grumman, the big aerospace and defense contractor. For Northrop and many other companies, however, “detection, response, and recovery are where the increasing investment needs to be,” she says.
Since the risk can't be completely eliminated, CFOs are wondering if insurance policies targeted solely at cyber risk can help stem the tide of financial loss once a breach occurs. Some companies have, in fact, bought "dedicated" cyber insurance policies that provide coverage for such risk exposures, writes Lynda Bennett, an attorney who represents corporate policyholders, in "Cyber Insurance Policies: Are They Worth the Money?" Other companies are still in the evaluation phase and are appropriately wondering whether such policies are needed, and, if so, whether insurers are paying claims under them, according to Bennett.
The remaining articles discuss the increasing interest of regulators in cyber risk, how to hire the right people to stop the bleeding if a breach occurs, and the CFO’s unique role in cyber security. We hope our coverage will help you put together effective strategies and tactics to cope with the Brave New World of cyber peril.