Hemant Dusane, Information Security and Risk Management professional, RAGE Frameworks Inc.
No industry sector is entirely immune from cyber-attack risk. The digital interconnectivity of business operations, suppliers and customers means that any organization is vulnerable to potentially catastrophic electronic data theft or sabotage. This inter-reliance between organizations, together with the growing prevalence of cloud computing, social media, corporate ‘bring your own device’ policies, big data and state-sponsored espionage, has catapulted cyber risk into one of the top concerns of business leaders today.
Risk management consulting as an industry and practice can be viewed through the lenses of institutional theories (institutional entrepreneurship), transaction cost economics (principal-agent problems, transaction costs of outsourcing advice and implementation) and organization theories that study professional service firms (PSFs).
Risk has three dimensions:
- Direction (positive or negative)
- Degree of probability
- Magnitude of the consequences
All three dimensions of a risk are independent: a positive or a negative risk may be either highly probable or very unlikely, and the extent of its consequences may be very small or very large. For risks with which risk management typically deals, the direction is negative, the probability is slight, but the consequences may be disastrous.
Risk management is the process of planning, organizing, directing, and controlling resources to achieve given objectives when surprisingly good or bad events are possible. Almost all organizations strive to manage risk for three fundamental reasons:
- To safeguard resources from surprising losses
- To be prepared to seize surprising opportunities
- To limit uncertainty, both in their minds and in the world
These three goals stem from the nature of risk itself, which we defined earlier as the possibility of a surprisingly bad, or a surprisingly good, event.
EMERGING trends in cyber risk:
- CYBERCRIME IS ON THE RISE: Breaches increased by 23% in 2014.
- SMALL TO MEDIUM BUSINESSES TARGETED: In 2013-14, 60% of all attacks were focused on smaller organizations.
- CRIMINALS LOVE SOCIAL MEDIA: 70% of social media scams in 2014 were manually shared by people to their friends.
- STEALTH ATTACKS: It takes businesses on average 8 months before they realize they have been breached.
- ATTACKS ARE LONGER: 19% of companies experienced constant attacks (2014) - More than a 300% increase from 2013.
- ATTACKS ARE MORE TARGETED: Companies admit that they can only successfully repel these attacks for 1 day or even less.
- INTERNET OF THINGS EXPANDS THE CYBER “ATTACK SURFACE”: Under BYOD policies, employees can come to work with a compromised wearable device. This creates a new type of cyber risk for organizations, with significantly increased complexity and exposure.
Data breach, Social media and brand equity risk:
Data breaches can be epic fails with far-reaching and destructive implications for brands. Once sensitive consumer information—payment-card data, home addresses, phone numbers—is stolen, the ramifications can include federal investigations, appearances by company executives before legal committees, class-action lawsuits, and months of scathing headlines, all of which can precipitate a major loss of consumer trust. Big companies spend millions or billions of dollars building their brands over 20, 50 or 100 years. If something bad happens, like the breaches at eBay or Target, all of that can be gone in one fell swoop.
All types of industries are facing a rise in security breaches that cost companies millions of dollars and, for the first time in 2013, also lost millions of identities. Hackers have changed their methods of attack: where e-mail was the prime focus in 2012, the route is now through downloads, and the move to mobile devices has provided another route for infection.
In parallel to data breaches, social media also causes brand equity risk in an overt way. Most companies recognize the power of social media, which can be a useful tool in promoting a company’s brands but can also be a double-edged sword when things go wrong. Social media sites are increasingly becoming the way we read and comment on the day’s events. They can also be an outlet for disgruntled employees, customers and special interest groups looking to cause harm or damage to a brand. The ability to quickly spot and respond to trends involving your products is crucial in today’s world. Increasingly, companies today are taking a proactive approach to social media to both mitigate risk and build trust with consumers.
Attack Techniques during June-2015:
- RANSOMWARE: Cybercriminals encrypt networks and computers and extort money from the owners in exchange for the decryption key. [Increased by 113% in 2014, COST: $300-$500.]
- SPEAR-PHISHING ATTACKS: An e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. [Accounts for 91% of all e-mail attacks, TREND: Sent via valid but stolen corporate e-mail accounts.]
- MOBILE MALWARE: Designed to disable a mobile device, allow a malicious user to remotely control the device, or steal personal information stored on the device. [17% of all Android apps are disguised malware (Symantec, 2014); around 1 million apps on the market are used to steal information such as mobile banking details and confidential e-mails.]
- TROJANIZED SOFTWARE: Hackers hide their malware inside of software updates, and wait for the company to infect itself with the update.
Risk Mitigation Methodology
First and foremost, companies should take all possible steps to safeguard sensitive data. An ounce of prevention (millions of dollars in technology upgrades and IT hires) can outweigh a pound of cure (many more millions of dollars and months of PR, social and paid-content spinning as a brand’s image threatens to go down the tubes).
- FOLLOW BEST PRACTICES: Enforce strong passwords, firewalls, antivirus software and encryption.
- MANAGED SECURITY SERVICE: Build a live defence against cyber criminals and keep system protection up to date.
- PENETRATION TESTING: Secure your IT infrastructure by conducting a comprehensive test of its safety. Remove vulnerabilities before they can be exploited in real life.
- MANDATORY BREACH REPORTING: Independent laws and governing bodies will penalise companies that do not report breaches in their networks.
- RISK ASSESSMENT: Have a clear understanding of your system and the devices that support it. Secure your endpoints to prevent attacks from the inside.
- STAY SAFE: It is always better to be proactive with your IT security, so that when the time comes, you don’t have to be reactive.
Waiting until the damage is done and then trying to rectify it is too late. Having a plan for your corporate response to a breach, for how you will minimise the damage, and for what will be done to rectify the problem should be mandatory.