

Why Should Cyber Security Risk Management Matter?


by Gillian Fawcett


You only have to look at recent events to see what damaging impact a cyber attack can have on organizations globally.

Most recently, a global cyber attack crippled the National Health Service (NHS) in the United Kingdom, hit international shipper FedEx and infected computers in 150 countries. More than 300,000 computers were infected, and the countries most affected by the ransomware known as 'WannaCry' were Russia, Taiwan, Ukraine and India, according to Avast, global security experts headquartered in Prague, Czech Republic.

Ransomware is often delivered via emails that trick the recipient into opening attachments and releasing malware onto their system, a technique known as phishing. Once a computer has been infected, the ransomware encrypts its files so that they can no longer be accessed. It then demands payment in bitcoin in order to regain access. Security experts warn there is little or no guarantee that access to the files will be restored after payment. Some file-encrypting ransomware has been known to 'up the stakes' after a few days, demanding more money and threatening to delete the files altogether.

In 2016, the UK's Lincolnshire County Council, north of London, was hit with a ransomware attack. The ransomware encrypted data on the council's systems and demanded a ransom for the files to be restored. There was no guarantee that the files would be restored even if the ransom was paid. In the council's case, the hackers demanded £1m and shut down services for four days, forcing staff to revert to pen and paper. No ransom was paid and the systems were eventually restored.

A hacker recently advertised more than one hundred million LinkedIn logins for sale. The information, including email addresses and passwords, had been obtained from a breach four years earlier. LinkedIn, the professional network site often used to send work-related messages and to find career opportunities, holds information that its members would rather keep private. At the time, the business-focused social network reported that the compromised accounts had been reset. However, the information obtained could still be used to abet criminals, for example to determine whether subscribers had used the same IDs and passwords elsewhere.

Details of the login leak and sale were first reported by the news site Motherboard. It reported that the details were being advertised on at least two hacking-related sites. A total of 117 million hashed passwords were included, in a form that appeared to be relatively easy to reverse engineer. At the time of the breach, LinkedIn had about 165 million accounts. After the breach occurred, a file containing 6.5 million hashed passwords was posted to an online forum in Russia.

Cybercrime is a disturbing trend. In 2016, IT Governance Ltd. (a provider of IT governance, risk management and compliance solutions, with a special focus on cyber resilience) estimated the theft of 3.1 billion records from various organizations around the world. According to Kroll's Global Fraud and Risk Report 2016 (published in 2017), an astounding 85% of executives surveyed admitted that their company had experienced a cyber attack or information theft, loss or attack in the last 12 months.

Whatever the type of attack, it is clear that the ultimate price could prove very costly for organizations of any type, size and sector, whether that price is service downtime, a hefty fine from regulators, reputational damage, or all of the above.

The truth is that all organizations, including those in the public sector, must treat cyber security as an organizational risk and not simply something that sits with the IT department. To mitigate this risk, it is essential that organizations raise their level of awareness and commit to building a cyber-secure, risk-averse culture.

Cybercrime needs to be tackled head on across the globe. The National Cyber Security Centre (NCSC) became operational in October 2016 and is the authority on cyber security for the UK's public and private sectors. It published a 5-year strategy, backed by a £1.9bn investment plan, for defending systems and infrastructure so as to make organizations more confident, capable and resilient in a fast-moving digital world. The strategy is key to deterring adversaries and to developing a 'whole society' capability, from the largest companies to individual citizens.

The NCSC also set out '10 steps to cyber security' so that organizations can begin to protect their systems. The first recommended step is to embed a risk management regime, supported by the board and senior managers. The remaining nine steps, shown in the figure below, then address associated security areas such as network security and incident management.

Figure: NCSC 10 Steps to Cyber Security

Cybercrime is a stark reminder that IT security must be optimal and properly resourced. Organizations should remain vigilant and ensure that steps are introduced to minimize risks, such as those recommended by the NCSC. It is critical that appropriate risk management regimes, with an empowered governance structure, are implemented across organizations and actively supported by their boards and senior managers. Cyber threats will continue to evolve, and this is why organizations, governments around the world and the public must work together to reduce the threat.


About the Author
Gillian Fawcett is Head of Governments Faculty for the Chartered Institute of Public Finance & Accountancy (CIPFA). She is responsible for leading a team of highly skilled finance policy specialists to develop the CIPFA thought leadership and support for finance professionals working within the global government sector.

Before joining CIPFA, Gillian was head of public sector at ACCA (the Association of Chartered Certified Accountants) and led its strategy and international technical policy for over six years. Prior to this position she was a senior fellow within the organisational development and policy team at the Office for Public Management (OPM, UK), head of policy at the Audit Commission (UK) and head of finance of the Scrutiny Unit in the UK Parliament.

She is a member of the Confederation of Asian and Pacific Accountants (CAPA) public sector committee, was a member of the Federation of European Accountants (FEE) public sector committee from 2009 to 2015, and continues to act as treasurer and chair of the Finance Committee for a UK charity, Freedom from Torture.

In 2014 she was on the Editorial Board of the Guardian Public Leaders Network and the Editorial Board of the Financial Management and Accountability Journal. She was also formerly specialist advisor on audit policy to a House of Commons Ad Hoc Committee and to the Communities and Local Government Parliamentary Select Committee, as well as Vice Chair of the Macro Economic Committee for the European Centre of Employers and Enterprises providing Public Services (CEEP).