Working Out The Cyber and IT Risks & Threats To Your Organisation
One of the core aspects of Boardish is to find and quantify IT risks and solutions. So, how do you figure out your threats and risk?
What Is Risk?
In business terms, risk means exposure to circumstances that can cause financial costs/loss or reputational loss whilst various threats can cause this risk. In extreme cases, risks, including cyber and IT risks, can threaten the survival of a business.
Risk isn’t a one-size-fits-all concept, however. The level of risk – and its potential effect – depends on the profile of each business and the industry in which it operates.
The riskiest industries are those that are vulnerable to sudden shocks and ongoing volatility, such as petroleum processing, fossil fuel extraction, mineral mining, and heavy industry. Conversely, industries with relatively low risk include healthcare provision, waste management, and food processing. Essentially, if there’s heavy, unyielding demand and scope for uninterrupted supply, risk is low.
The financial industry tends to be risk-averse, but this a broad statement that fails to capture the nuance of individual sectors. Take hedge fund management, for example. Investments are nurtured over the long term, which allows companies to absorb temporary downward movements and deliver growth over the course of an investment. It is, therefore, a relatively low-risk part of the financial industry. On the other hand, sectors that deal in the short-term, and its inherent volatility, face a greater level of risk. Payday lenders, white knight investors, and creditors in unstable economies are particularly vulnerable.
For cyber and IT professionals, risk tends to centre data as its key variable. How data is managed, processed, threatened, and recovered is the foundation of a risk profile in the IT industry.
Again, data risk is not universal. For example, if a restaurant experiences a data breach, the loss will not be as substantial as it would be for an insurance company, which keeps highly sensitive medical, financial, and personal data.
That’s not to minimise any form of data risk. There’s no such thing as a risk-free business, and organisations must have policies and personnel in place to ensure that data breaches and other cyber threats are avoided.
Types of Cyber and IT Threats
More than half of businesses report that they have been a victim of a cyber attack. With just a few examples being:
The portmanteau of “malicious software” is an umbrella term referring to any program designed to cause harm to a device, network, or server. Within the spectrum of malware, there are several sub-categories, including viruses, ransomware, spyware, trojans, and adware.
The use of malware is a serious risk for any company. In fact, the average cost of a malware attack is $2.4 million. Depending on the extent of associated customer data breaches, the reputational damage can also be devastating.
Ransomware is a form of malware in which the attacker aims to extort a payment from the victim. To do this, the attacker accesses and encrypts the victim’s data, then sets a ransom in exchange for the unlock code. In 2019, the average ransom demanded is $36,295. Although there are varying degrees of ransomware sophistication, an attack can be triggered by something as seemingly innocuous as a link in an email.
When it comes to ransomware, prevention is better than cure. Retrieval of encrypted files is often expensive and sometimes impossible. It also raises questions over whether engaging with the attacker – and indeed giving them money – contributes to a criminal cycle that not only makes the victim a repeated target but also endangers other companies.
Specialist software, staff training, and ongoing vigilance helps businesses to avoid the damaging effects of ransomware attacks.
Some cyber attackers pretend to be from a trustworthy, reliable source and use that established trust to extract data from their victims. This is the essence of phishing.
When aiming for businesses, attackers will often pose as representatives from banks and other financial institutions, government departments, suppliers, and even other parts of the company. Anything that stands the test of plausibility.
Phishing can be difficult to spot, because the most sophisticated attackers research and replicate the “normal” behaviours of trustworthy parties.
When most people think of cyber crime, hacking is the first thing that comes to mind. Any unauthorised accessing of a digital device or network – whether malicious or not – counts as hacking. The stereotypical image of a loner in their bedroom is just one form of hacker; more sophisticated operations have large teams of experts.
Like malware, hacking is an umbrella term for a range of activities intent on compromising business and personal technology.
DoS and DDoS Attack
One of the most prominent categories of hacking covers denial of service (DoS) and distributed denial of service (DDoS) attacks. Both DoS and DDoS involve maliciously disrupting a web server, making it unreachable to users. The difference between them is essentially scale; a DoS attack can be conducted with one computer and connection, while a DDoS involves several devices target a server simultaneously.
Billions of passwords are stolen every year. Individuals may be targeted for a specific reason, or included within a large-scale data breach. Credentials that are easy to guess or otherwise inadequate can leave accounts susceptible to thieves; in 2018, 81% of business data breaches were caused by weak passwords.
Best practices such as avoiding common terms and requiring a combination of letters, numbers, and symbols are ineffective if strong passwords aren’t kept securely. A scrap of paper containing account credentials may as well be a neon sign. All staff must, therefore, be trained in keeping their passwords safe from potential theft.
Although it can result in compromised data, poor management of passwords by employees is a relatively innocent form of internal risk.
It’s an unfortunate fact that a small percentage of employees may have more sinister intentions. Whether acting unilaterally or on behalf of someone else, staff might be inclined to leak sensitive information. That is not to say that the overwhelming majority will, but in mitigating risk, it is best to plan for the worst-case scenario.
This is why access to sensitive data is limited to essential staff. Open season increases the risk of unauthorised transmission, which can be extremely costly for a business.
Laptops and handheld devices are perilously easy to lose, and so too, easy to steal. Most devices are password-protected, but extraction of data is still possible. Accidents do happen, but it goes without saying that all employees with company equipment should store and carry it securely. The same principle applies if they are able to access work-related data – such as emails – on personal devices. This practice should be actively discouraged, and if used in an emergency context, it should not become habitual.
Assessing the Impact of Cyber and IT Threats & Risk
It’s imperative that IT managers and cyber specialists analyse the possible impact of risk to their organisations.
IT professionals within a business will be aware of potential threats, but as technology develops so rapidly, the analytic process should be continuous.
Once a threat has been identified, it should be carried through to an impact scenario. IT managers should follow this procedure:
- What are the immediate threats if an identified risk scenario happens to the company?
- How would this impact all users within your organisation?
- How will working capability be limited, and for how long?
- How many people will be involved?
- Will the business be disrupted, and for how long?
- Are there backups in place?
- What is the solution, and how long does it take to implement?
- Are specialists trained in responding to this scenario?
- Is there a risk to your brand and market positioning if this threat were to happen?
This level of enquiry is certainly detailed, but it’s crucial to ensuring proper preparation for any or all threats. If a risk scenario were to happen in real life and you weren’t prepared, it makes recovery far more challenging. Don’t have regrets!
Case Study Examples
Let’s assume you own a restaurant. Your cyber risk profile will be lower than an international bank or insurance company, but threats will still exist.
These are 3 possible scenarios that could play out:
Example 1: Ransomware Attack
One morning, the restaurant’s manager opens an email from an unknown sender on a company computer and clicks a link. A ransomware attack is initiated, and the criminal demands $1000 to unlock the restaurant’s files.
The restaurant recruits a freelance IT specialist to help. Fortunately, their data is backed up daily on a cloud-based server, so the IT specialist formats the hard drive, reinstalls the operating system, and restores data from the cloud. A small amount of data is lost from the morning of the attack.
The short-term impact of the attack were as follows:
- The infected computer was out of commission for most of the day.
- The restaurant paid the IT contractor $500 to fix the problem.
- There was slight disruption to managing data during the day of the attack, and a small amount of data was lost.
Fortunately, as data was backed up on a cloud-based system, the long-term impact was negligible. Staff were retrained on detecting and avoiding ransomware attacks.
Example 2: Phishing Attack
One of the restaurant’s employees takes a phone call from a person claiming to work for a bank. The caller informs the employee that there is a problem processing payments, and that the restaurant’s accounts have been frozen. The caller then asks the employee to provide details of their banking login details.
This doesn’t sound right to the employee, so she approaches her manager. They agree that this could be a phishing attack, so they ask the caller to give them a phone number and they will call back. A phone number is provided.
The manager then calls the bank on their official number and explains what has happened. The bank has no knowledge of the alleged payment issue, and reiterate that they would not speculatively ask for credit card details over the phone.
The restaurant avoids the phishing attack, thanks to correct action from the employee and her manager. If they had provided login information, this could have been used to extort data or money from the restaurant, causing immediate financial damage.
Example 3: Equipment Theft
The restaurant’s owner is travelling by train one afternoon, when she notices that her smartphone is missing. Her phone gives her access to the restaurant’s email and social media accounts, as well as a banking app from which the restaurant’s finances can be managed.
Her smartphone is passcode-protected and can also be accessed by Face ID. When she notices the phone is missing, she accesses her cloud-based account and disables the phone. She also changes her email, social media, and banking passwords.
Had the device not been password-protected, a potential attacker could have immediately accessed sensitive data. Similarly, if she had not taken swift action to disable the phone and change login details, a hacker could have maliciously used this information to cause financial and reputational damage to the restaurant.
Top 5 Tips for Finding Solutions to Cyber Risk & Threats
- Thorough preparation. This sentiment is worth repeating: prevention is better than cure. Have rescue plans in place as soon as a risk is encountered, and ensure that all relevant staff are properly trained.
- Go cloud-based. As far as possible, use cloud-based systems to manage data. If equipment is compromised, data will be available for backup or immediate quarantine.
- Choose cost-effective solutions. It can be tempting to over-prepare for every risk, but an overly expensive IT budget is unlikely to be approved by the board. Strike the right balance between cost and benefit.
- Have the right people on board. No matter the size of a business, you must have access to specialists who can help in an emergency. For large organisations, this will usually be managed in-house. Smaller businesses may opt for a freelancer or train an existing employee.
- Keep up to date. New threats appear on a daily basis. Cyber professionals must keep up with any developments that are pertinent to their business or industry, and implement the right solutions as quickly as possible.
Presenting Budget Requests to the Board To Mitigate Risks
Solutions to cyber and IT risks tend to be expensive, and to secure the required budget, IT managers must present a cost/benefit analysis to the board.
Problems are often caused by miscommunication. IT budget requests must be made in language the board understands. This usually means expression in financial terms. To do this, the risk must be quantified.
Enter, Boardish. Using this IT tool, CTOs can quickly and comprehensively translate technology risks into a format the board understands. Threats and solutions are quantified, allowing the board to analyse and approve requests without delay.
To find out more about preparing for your next board meeting, check out this guide from Boardish.