From Where We Sit

Cyber risk management from A to Z: What you need to know

Third Librea

First of two parts
The technology industry is full of jargon, and cybersecurity and cyber risk management are no exception. From assurance and BYOD to liability insurance and risk management, there is a whole alphabet of terms that employees and employers alike need to know. How many of them do you recognize?

A is for Assurance. Can you rest on the knowledge that your organization is safe from cyber attacks? Every new way of connecting and sharing information widens the attack surface, and cyber incidents are unpredictable and unforgiving. Protecting your intellectual property, your customers' data and other business-critical information is therefore pivotal to your growth, innovation and reputation. Robust assurance means assessing how effective your current controls actually are (a control that has never been tested cannot be relied on), identifying the key cyber risks, reviewing third-party risk management arrangements, complying with industry, regulatory and legal standards, and running ongoing programs to preserve and improve your privacy and cyber security posture.

B is for BYOD. Bring your own device (BYOD) is a growing trend in which employees use their own smartphones, tablets and laptops to access business servers and data. Employees want to use the device they are comfortable with, and companies that give them what they want will ultimately benefit. The flexibility, information technology cost savings and convenience of this strategy do, however, have to be weighed against the cyber security risk of connecting devices the company does not manage, patch or monitor to its systems and data.

C is for Cyber attacks. The number of cyber attacks causing losses in excess of $1 million has increased by 63 percent during the past three years. The annual cost of cyber attacks is estimated to hit $6 trillion by 2021, with companies set to spend in excess of $1 trillion on cyber security. Eighty percent of all cyber attacks could potentially be avoided by exercising good cyber hygiene: patching promptly, enforcing strong authentication and limiting who can access what.

D is for the Dark web. The part of the internet not indexed by ordinary search engines, the dark web can only be reached through an anonymizing browser such as Tor. Despite many legitimate uses, it is overwhelmingly used for criminal activity, including the sale of stolen data and hacking tools.

E is for Employees. Businesses have ploughed billions of dollars into technology and software that promises to keep cyber threats at bay. Total global spend on anti-virus software, for instance, reached $3.77 billion in 2019. Companies may have sophisticated cyber security software, but that will not prevent the human error behind many cyber breaches. After all, it is the human workforce that responds to phishing emails and installs unauthorized software. Instead of relying too heavily on software to fight digital threats, ramp up investment in digital risk skills for employees.

F is for Fake boss fraud. A 2018 UK report by Get Safe Online and Lloyds Bank showed that more than 450,000 businesses had been hit by "fake boss" scams, with small and medium enterprises losing an average of £27,000 when targeted. Using personal data to impersonate managers or business contacts, fraudsters contact staff asking them to transfer money. The email is carefully crafted: it typically arrives from a lookalike address or a free webmail account carrying the executive's name, presses for urgency and secrecy, and may reference personal details, often gleaned from social media, to make it look genuine. Some 53 percent of report respondents said they had experienced scammers posing as their chief executive officer, with 8 percent having fallen victim to impersonation fraud. The simplest defence is procedural: confirm any unexpected payment instruction by calling the requester on a number you already hold, never one supplied in the email, before any money moves.
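The following is an added example, not code from the column or from Grant Thornton, showing the checks a mail filter can apply to the pattern just described: an executive's name on an address that is not theirs, a sender domain that is a near-miss of the company's own, a Reply-To pointing elsewhere, and payment or urgency language in the body. The company domain, the executive directory and both sample messages are constructed for the example.

```python
import difflib
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation details: our own mail domain and the executives whose
# names a "fake boss" email would borrow. Both are constructed for this example.
OUR_DOMAIN = "example.com"
EXECUTIVES = {
    "maria santos": "maria.santos@example.com",
    "jose reyes": "jose.reyes@example.com",
}
# Phrases that typically accompany a fraudulent payment instruction.
PAYMENT_CUES = ("wire", "transfer", "payment", "bank details", "urgent", "confidential")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain: str, ours: str, threshold: float = 0.8) -> bool:
    """True when domain is a near-miss of ours (examp1e.com, example.co, ...)."""
    if not domain or domain == ours:
        return False
    return difflib.SequenceMatcher(None, domain, ours).ratio() >= threshold


def assess_message(raw: str) -> dict:
    """Score one RFC 5322 message for fake-boss (CEO fraud) indicators.

    Returns {'suspicious': bool, 'payment_request': bool, 'reasons': [...]}.
    'suspicious' is set only on an identity mismatch; a payment cue alone is
    ordinary business mail and merely raises the priority of the alert.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. Executive's display name on an address that is not the one we know.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append(f"display name '{from_name}' is an executive but address is {from_addr}")

    # 2. Sender domain that merely resembles ours (typosquat / lookalike).
    from_dom = domain_of(from_addr)
    if looks_like(from_dom, OUR_DOMAIN):
        reasons.append(f"sender domain {from_dom} is a lookalike of {OUR_DOMAIN}")

    # 3. Replies silently redirected to a different domain.
    reply_dom = domain_of(reply_addr)
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To goes to {reply_dom}, not the From domain {from_dom}")

    # 4. Money or urgency language in subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    subject = msg.get("Subject", "").lower()
    payment = any(cue in text or cue in subject for cue in PAYMENT_CUES)

    return {"suspicious": bool(reasons), "payment_request": payment, "reasons": reasons}


# Constructed sample: lookalike domain, free-mail Reply-To and an "urgent
# transfer" request, the pattern the column describes.
FRAUD_SAMPLE = """\
From: Maria Santos <maria.santos@examp1e.com>
Reply-To: ceo.office@gmail.com
To: accounts@example.com
Subject: Urgent - confidential transfer
Content-Type: text/plain; charset="utf-8"

I'm in a meeting and can't take calls. Please process a wire transfer
today to the bank details below and keep this confidential.
"""

# Constructed sample: the real executive asking about an ordinary matter.
LEGIT_SAMPLE = """\
From: Maria Santos <maria.santos@example.com>
To: accounts@example.com
Subject: Board pack
Content-Type: text/plain; charset="utf-8"

Could you send me last quarter's figures before Friday? Thanks.
"""

if __name__ == "__main__":
    for sample in (FRAUD_SAMPLE, LEGIT_SAMPLE):
        print(assess_message(sample))
```

The identity checks do the work here; the payment cue is deliberately not enough on its own, because genuine finance traffic is full of the same words. Real filters add SPF/DKIM/DMARC results and a longer lookalike list, but the structure is the same: compare who the message claims to be from with where it actually came from and where replies would go.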

G is for Grant Thornton’s cyber security services. We have identified that business rather than technology issues are exposing companies to risk. We work with organizations across the globe to identify their cybersecurity needs and plan a response to the threats. We efficiently assess risk and help our clients manage it by improving culture, technologies and processes across the enterprise. In the event of a security incident, we can provide a rapid, practical response to get organizations operating securely again as fast as possible.

H is for Hacking. The term might be overused, but hacking, meaning any unauthorized access to information, data or systems, remains a major threat. People traditionally picture a lone hacker in a bedroom at 2:00 in the morning, probing organizations that never see it coming. Today hacking is often far more sophisticated than one individual attacking one system; it has developed into a highly organized industry with specialized suppliers and services. That sophistication allows criminals to mount cyber attacks against huge numbers of organizations at very low cost.

I is for Internet of Things. What is more vulnerable than a device containing your personal data? A network of interconnected devices. The Internet of Things (IoT) is a growing concern: driven by the convenience and benefits it delivers, the technology is being deployed by many organizations with minimal thought for the cyber security risks and potential consequences. Because many of these devices are cheap, mundane and rarely updated, they are easily overlooked and seldom protected properly, which leaves smart connected devices highly susceptible to attack and a convenient foothold into the rest of the network.

J is for Jail terms. Among the cyber sentences in recent years are: 10 months for Briton Gavin Prince for a revenge cyber attack against his former employer; five years each for Ukrainians Inna Yatsenko and Gayk Grishkyan for multiple attacks and extortion, including of a dating site; nine years for American Travon Williams for leading a gang making fake credit cards from data bought on the dark web; 12 years for Russian Vladimir Drinkman for selling 160 million credit card numbers; and 32 years for Briton Matthew Falder for online torture of victims via the dark web.

K is for Hacking kits. Available cheaply on the dark web, as well as through legal channels, hacking kits contain a variety of tools that a wannabe hacker might use to gain access to your system. Bundling items such as anonymity tools, carding software, keyloggers, Wi-Fi Pineapples and malware, they are used to exploit weaknesses in your cyber security and get at confidential information. They can also be custom built to target particular software and databases, allowing the hacker to compromise your system or data and potentially plant a back door so the company can be exploited over the long term. On the dark web, hacking kits are often sold alongside user manuals that show buyers how to use them against victims.

L is for Liability insurance. Designed to support your business if it experiences a data breach or is the subject of cyber attacks, cyber liability insurance may cover cyber extortion, the costs of investigating a breach, and support to mitigate reputational damage. However, insurers use differing terms, inclusions and exclusions, and many claims end up being disputed, so read the exclusions and the notification deadlines closely before you need to rely on the policy.

To be concluded next Wednesday.

Third Librea is the head of the Advisory Services division of P&A Grant Thornton. P&A Grant Thornton is one of the leading audit, tax, advisory and outsourcing firms in the Philippines, with 23 partners and more than 900 staff members. We’d like to hear from you! Tweet us: @PAGrantThornton, like us on Facebook: P&A Grant Thornton, and email your comments to third.librea@ph.gt.com or pagrantthornton@ph.gt.com. For more information, visit www.grantthornton.com.ph.


As published in The Manila Times, dated 12 February 2020