Why Should Cyber Security Risk Management Matter?
You only have to look
at recent events to see what damaging impact a cyber attack can
have on organizations globally.
Most recently a global cyber attack
crippled the National Health Service (NHS) in the United Kingdom,
hit international shipper FedEx and infected computers in 150
countries. More than 300,000 computers were infected, and the
countries most affected by the ransomware, called 'WannaCry', were
Russia, Taiwan, Ukraine and India, according to Avast, global
security experts headquartered in Prague, Czech Republic.
Ransomware is often delivered via
emails which trick the recipient into opening attachments and
releasing malware onto their system, a technique known as
phishing. Once a computer has been infected, the malware locks up
the files and encrypts them so that they can no longer be accessed.
It then demands payment in bitcoin in order to regain access. Security
experts warn there is little or no guarantee that access to the
files will be restored after payment. Some ransomware that encrypts
files has been known to 'up the stakes' after a few days, demanding
more money and threatening to delete the files altogether.
In 2016, the UK's Lincolnshire County
Council, north of London, was hit with a computer ransomware attack.
The ransomware encrypted data on the system and demanded a
ransom for the files to be restored to normal. There was no
guarantee that the files would be restored even if the ransom was
paid. In the council's case, the hackers demanded £1m and shut down
services for four days, forcing staff to revert to pen and paper;
no ransom was paid and the council's systems were eventually restored.
A hacker recently advertised more
than one hundred million LinkedIn logins for sale. The information,
including email addresses and passwords, had been obtained from a
breach four years earlier. LinkedIn, the professional network site
often used to send work-related messages and to find career
opportunities, includes information that its members would rather
stay private. At the time, the business-focused social network
reported that the accounts compromised had been reset. However, the
information obtained could still be used to abet criminals,
possibly to determine if subscribers had used the same IDs and
Details of the login leak and sale
were first reported by the news site, Motherboard. It reported that
details were being advertised on at least two hacking-related
sites. A total of 117 million encrypted passwords were included in
a form that appeared to be relatively easy to reverse engineer. At
the time of the breach, LinkedIn had about 165 million accounts.
After the breach occurred, a file containing 6.5 million encrypted
passwords was posted to an online forum in Russia.
Cybercrime is a disturbing trend.
In 2016, IT Governance Ltd. (a provider of IT governance, risk
management and compliance solutions, with a special focus on cyber
resilience) estimated the theft of 3.1 billion records from various
organizations around the world. According to Kroll's Global Fraud
and Risk Report 2016 (published in 2017), an astounding 85% of
executives surveyed admitted that their company had experienced a
cyber attack or information theft, loss or attack in the last 12
Whatever the type of attack, it is
clear that the ultimate price can be very high for
organizations of any type, size and sector, whether it is service
downtime, a hefty fine from regulators, reputational damage,
or all of the above.
The truth is that all
organizations, including those in the public sector, must treat
cyber security as an organizational risk and not simply something that
sits with the IT department. To mitigate this risk, it is
essential that organizations raise their awareness level and commit
to implementing a cyber-secure, risk-averse culture.
Cybercrime needs to be tackled head
on across the globe. The National Cyber Security Centre (NCSC)
became operational in October 2016 and is the authority on cyber
security for the UK's public and private sectors. It published a
5-year strategy, with an investment plan of £1.9bn, for defending systems
and infrastructure so as to make organizations more confident, capable
and resilient in a fast-moving digital world. The strategy is key
to deterring adversaries and developing a 'whole society'
capability, from the largest companies to individual citizens.
The NCSC also set out '10 steps to
cyber security' so that organizations can begin to protect their
systems. The first recommended step is to embed a risk management
regime, supported by the board and senior managers. The remaining
nine steps outlined below then address associated security areas
such as network security and incident management.
Cybercrime is a stark reminder that
IT security must be optimal and properly resourced. Organizations
should remain vigilant and ensure that steps are introduced
to minimize risks, such as those recommended by the NCSC. It is
critical that appropriate risk management regimes, with an empowered
governance structure, are implemented across organizations and
actively supported by their board and senior managers. Cyber threats
will continue to evolve, and this is why organizations, governments
around the world and the public must work together to reduce the
threat.
Gillian Fawcett is Head of Governments Faculty for the
Chartered Institute of Public Finance & Accountancy (CIPFA).
She is responsible for leading a team of highly skilled finance
policy specialists to develop the CIPFA thought leadership and
support for finance professionals working within the global
Before joining CIPFA, Gillian was
head of public sector at ACCA (the Association of Chartered
Certified Accountants) and led its strategy and international
technical policy for a period of over six years. Prior to
this position she was a senior fellow within the organisational
development and policy team at the Office for Public Management (OPM,
UK), head of policy at the Audit Commission (UK) and head of
finance of the Scrutiny Unit in the UK Parliament.
She is a member of the
Confederation of Asian and Pacific Accountants (CAPA) public sector
committee, was a member of the Federation of European
Accountants (FEE) public sector committee from 2009 to 2015, and
continues to act as treasurer and chair of the Finance Committee
for a UK charity, Freedom from Torture.
In 2014 she was on the Editorial
Board of the Guardian Public Leaders Network and the Editorial
Board of the Financial Management and Accountability Journal. Also,
she was formerly specialist advisor to a House of Commons Ad Hoc
Committee and Communities and Local Government Parliamentary Select
Committee on audit policy, as well as Vice Chair of the Macro
Economic Committee for the European Centre of Employers and
Enterprises providing Public Services (CEEP).
© FINANCIAL MANAGEMENT INSTITUTE OF CANADA 2017. ALL RIGHTS