article banner
From Where We Sit

Cyber risk management from A to Z: What you need to know

Third Librea

Second of two parts
M is for Malware. Malware—malicious software—is designed to do damage. Cyber criminals create malware to exploit the vulnerability, to gain access to your systems, hold your data to ransom, or steal it. They may impersonate a well-known brand to deliver it via email, convincing you to click on a link or open an attachment.

N is for News. With cybercrime still on the rise, it is no surprise that across the globe news headlines frequently feature major companies like Marriott, Equifax and Facebook who have suffered a cyber attack. Failing to shore up your cyber defenses can, at best, be costly and, at worst, threaten the very survival of a company. The direct financial hit that a business takes doesn’t account for the long-term reputational damage and loss of trust that it suffers when its systems are breached and the story makes local or even global news headlines.

O is for Open doors. Open doors are parts of internet-facing infrastructure where personal information can be accessed by anyone who knows where to look. Web pages and databases that contain personally identifiable information, that aren’t secure or encrypted, can be a veritable goldmine for cyber criminals.

P is for Privacy. Interestingly, two-thirds of businesses focus more effort on mitigating data privacy than on cyber security risks, according to Grant Thornton’s latest International Business Report (IBR) survey. And the majority (59 percent) are actively preparing for the next wave of privacy regulation. This comes as no surprise, given the proliferation of data privacy regulation. But privacy is only possible if businesses ensure their security settings are up to date. Companies should conduct regular software updates to patch infrastructure vulnerabilities that could be creating cyber security loopholes.

Q is for Quick response. No organization wants to fall victim to successful cyber attacks. Working out the impact of the immediate damage, worrying about what is still to come, wanting to act, but knowing it’s probably too late. Having good perimeter defenses and effective controls are the foundation of good cyber security, but they are not a fail-safe. You also need to think about your response when there is an incident and who can help you when it is really needed.

R is for Risk management. Cyber is not just a technical problem—it is a risk that should be managed in a similar way to all other business risks. While it may not be possible to completely prevent risk, understanding how your organization functions around technology, from hardware and data to people and business processes, will help identify particular areas of weakness. As with all internal and external risks, this is something boards need to do as part of their overall risk strategy and not just assume their head of information technology has it handled.

S is for Supply chain risk. Even if you think your supply chain and systems are secure, cyber criminals might choose to attack you through third parties. In 2014, US retailer Target suffered a breach using network credentials stolen from a heating, ventilation and air conditioning vendor that compromised the data of more than 70 million customers, cost $18.5 million in settlements and led to the resignation of its chief executive officer.

T is for Tactics, techniques and procedures (TTPs). Tactics, techniques, and procedures are the “patterns of activities or methods associated with a specific threat actor or group of threat actors,” according to the Definitive Guide to Cyber Threat Intelligence. Penetration testing is designed to simulate TTPs used by hackers in order to strengthen security postures and ensure greater resilience to cyber threats.

U is for Updates. Also commonly referred to as patching, one of the key tenants of any cyber security arrangement is ensuring that you run software updates. The majority of cyber attacks make use of known software exploits for which updates are available. For example, if all United Kingdom national health service (NHS) trusts had conducted software updates when advised, most of the world would never have heard of WannaCry.

V is for Vulnerabilities. Vulnerabilities exist in almost every computer environment, including in software, hardware and their human operators. Hackers are adept at identifying them with increasing ingenuity, across every manner of system. We are seeing double-digit increases in overall system vulnerabilities, across every variant of device.

W is for WannaCry. On May 12, 2017, the WannaCry global ransomware attack hit, locking down more than 200,000 computers in over 100 countries. Although not a specific target, the NHS was the UK’s biggest victim. Some 19,000 patient appointments had to be cancelled, with five accident and emergency departments turning patients away until May 19, 2017, when the National Cyber Security Center and the National Crime Agency managed to halt the attack. It used a known exploit that the majority of NHS bodies had applied a patch against. No ransom was paid, but the government put the cost of WannaCry to the NHS at £92 million.

X is for XCyber. XCyber is a cyber security firm focused on the human side of cyber attacks. Formed by a team with more than 200 years of cyber experience and leadership in the British government, it has advised law enforcement, intelligence and security services across the globe on cyber security and defense. It produces intelligence-led, data-driven, and evidence-based reporting to provide insights organizations can use. Its proprietary intelligence platform, Tsunami Buoy, is a key component in our covert imminent breach system subscription.

Y is for Your future. Cyber security can be one of the greatest risks to a business anywhere in the world. This is due to the damage cyber attacks can cause to a company’s immediate business capability and its reputation. The extent of the damage may depend on the size of the breach, how quickly and effectively the company is perceived to have acted, the number of stakeholders affected, and the company’s preexisting reputation. Having all the protections and systems in place to prevent a breach and mitigate any fallout is crucial for the longevity of your company.

Z is for Zero-day. A zero-day vulnerability refers to a cyber security hole in software that is unknown to its maker or to anti-virus companies. This means the vulnerability is also not yet publicly known, though it may already be known by cyber criminals who are quietly exploiting the flaw. Zero-day refers to the fact that developers have zero days to fix the problem once the vulnerability does become publicly known, at which point they have to work quickly to fix the issue and protect users.

Third Librea is the head of the Advisory Services division of P&A Grant Thornton. P&A Grant Thornton is one of the leading audit, tax, advisory and outsourcing firms in the Philippines, with 23 partners and more than 900 staff members. We’d like to hear from you! Tweet us: @PAGrantThornton, like us on Facebook: P&A Grant Thornton, and email your comments to or For more information, visit our website:


As published in The Manila Times, dated 19 February 2020