Identifying and Dealing with Cyber Risks

Security breaches to computer systems have consistently been a major drain on organizations, both private and public.

With technology constantly evolving and posing more threats, both internal and external, to the existence and functioning of the business, management need to be always on the guard of these computer threats or cyber attacks.

Failure to properly identify, evaluate, monitor and manage these ever-increasing cyber threats will result in the organization incurring huge costs.

As a starting point, organizations need to understand the source and nature of the threat. Is it an external of internal attack?

Examples of external threats include attacks by organized criminals and threats from terrorists. Examples of internal threats include turbulence in personnel through new hires, transfers and terminations.

Cyber risk management has now become one of the top concerns for organizations. Not only are organizations realizing the wide array of opportunities presented by recent developments in information technology.

They have also become aware of the huge threats posed by such developments.

The type of cyber attacks has also evolved over the years. For example, in the 1980s, email viruses were the most common form of attack, in the 1990s denial of service attacks took over, for example worms and trojans.

From the early 2000s network and infrastructure attacks such as bandwidth consumption and resource starvation or exploitation became common.

This development of new forms of attacks does not mean that the organization should turn a blind eye on early forms of attacks.

These still need to be managed and at the same time organizations need to be one step closer or ahead of the attackers.

In dealing with cyber risks, management should know the different categories of information technology risk. Having detailed knowledge of these risks will help devise appropriate tools and means of managing them.

The different categories include:

1. Malicious Codes and Programs: These pose a threat to everyone who uses the internet. Examples include Viruses, Worms, Trojan Horses and Logic/Time Bombs. Today, new viruses are targeting instant messaging, voice mail, mobile phones and other personal devices.

If these attacks are not properly managed, the impact on the organization can be destructive. For example, in October 2012, The “Shamoon” virus dubbed the most sophisticated of its kind attacked Saudi Arabia’s state oil company ARAMCO and Qatar’s natural gas firm, Rasgas.

Shamoon included a routine called a “wiper,” coded to self-execute, which replaced crucial system files with an image of a burning U.S. flag. It also overwrote all the real data on the machine with garbage.

More than 30,000 computers that it infected at ARAMCO were rendered useless, and had to be replaced. The scope and speed with which this happened was unprecedented.

What this means is that organizations must bolster their cyber defenses. Protection is available at the individual and system level, for example, use of anti-virus programs.

2. Malicious Hacking and Intrusion: This involves unauthorized penetration of the computer system for the legal purpose of obtaining illegal access to key information such as customer information, financial records, R&D information, employee records etc.

Can also involve denial of service attacks, for example, password sniffing to obtain access to bank or credit resources. Organizations should effectively monitor such activities and ensure proper controls are in place to reduce the extent of damage caused by such threats.

Failure to do so might result in corporate, industrial or government espionage or a business competitor defacing your website.

For example, an organization called the Syrian Electronic Army (SEA) has recently been targeting a number of western media organizations, including the Guardian, the BBC and al-Jazera.

The SEA recently attacked The Associated Press and breached its Twitter accounts. They sent bogus messages which wrecked havoc on stock exchanges worldwide.

The hackers tweeted that President Obama had been injured in a bomb attack at the White House, causing a temporary 143-point drop on the Dow Jones industrial average.

The same hackers have also lodged an attack on the Guardian by sending spoof emails to staff encouraging them to click on links that could compromise some of the company’s emails and social media accounts. The same could happen to your organization.

With a lot of information circulating on social media sites and the web, management need to know what exactly is being said out there with regards to the company’s products, services, channels, customers, management, or operations so that they can make sound decisions.

Research has shown that India is one of the top spammers. The country relays 9.3% of all spam.

Other notable spammers include USA 8.3%, South Korea 5.7%, Russia and Indonesia 5%, Italy 4.9%, Brazil 4.3%, Poland 3.9% and Pakistan 3.3%.

3. Fraud and Deception: This includes various forms of attacks in the form of spoofing, masquerading or salami attacks resulting in damage to privacy. There are also electronic forms of fraud such as phishing and credit card theft.

In order to combat fraud, organizations must initiate training programs that raise the awareness level of employees and users of computer systems and instill an understanding of the need for sound password practices and other protection policies.

4. Misuse and Sabotage: Involves misuse or vandalization of resources through unauthorized access, for example unauthorized software changes or downloads.

5. Errors and Omission: Software programmers are capable of making human errors when designing and developing software systems. Also involved in this category of risk is accidental or unintended destruction of files or data and routing or transmission errors.

6. Physical and Environmental Hazards: These can either be intentional or accidental threats. Fires, floods, earthquakes, or tsunamis can cause destruction to computer systems with sensitive information.

Theft by current and former employees of computers or storage facilities with sensitive information also poses high risk to the organization.

To avoid losing such important information, there must be proper and efficient back-up facilities to ensure business continuity.

Key sensitive information must be stored and locked in designated areas and only individuals with permission to such information should be allowed access at all times.

Their activities on the systems should also be regularly checked and monitored.

Since cyber risk management is about information security, preserving the organization’s information confidentiality, integrity and availability to ensure business continuity is therefore critical.

Organizations can adopt some or all of the following best practices for information security.

  • Use of firewalls, anti-virus, worm and trojan software to reduce virus vulnerability.
  • Make use of software updates by adopting patches issued by the software source. Software updates correct application vulnerabilities when they are detected.
  • Implement a password policy with a sound password structure and workability (the ability to remember).
  • Physical security including disaster recovery planning and physical protection in the form of locks to control access to critical system equipment.
  • Policy and training to create awareness of information systems security risks.
  • Secure remote connections and server lock down.
  • Make use of intrusion detection systems to monitor network traffic to seek matching bit patterns.
  • Conduct continuous security audits using testable metrics. Audits should identify lost productivity due to security failures and should include subsequent user awareness training.
  • Include security in business decision-making processes. For example, when pricing products or services, required funding for security measures need to be included in business cases.

As cyber activities continue to increase and more information gets splashed across the worldwide web, organizations must increase focus and enhance their cyber risk mitigation strategies.

Thanks for sharing:

One Reply to “Identifying and Dealing with Cyber Risks”

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get notified of new posts by email

Recent Posts

Categories

Finance Analytics: It’s Not About the Size of The Data

As the need to make impactful operational and strategic decisions in real time increases, CFOs are playing a greater role in the adoption and integration of data analytics in their organizations to support data-driven decision making.

Executives and business unit leaders are increasingly relying on insights produced by Finance to better understand enterprise performance. That is, what has happened, why it has happened, what is most likely to happen in the future, and the appropriate course of action to take.

In an era where data is proliferating in volume and variety, decision makers have realized it’s no longer enough to base key enterprise performance and risk decisions on experience and intuition alone.

Rather, this must be combined with a facts-based approach. Which means CFOs must set up modernized reporting and analytics capabilities with one of the main goals being the use of data as a tool for business decision making.

Appropriately analyzed and interpreted, data always has a story, and there’s always something to discover from it. However, many finance functions are failing to deliver value from their existing data analytics capabilities.

There is a misconception that to deliver actionable insights, the function needs more data for analysis. As a result, the supply of data keeps rising, while the ability to use it to generate informed insights lags badly.

Yet it’s not about the size of the data. It’s about translating available data and making it understandable and useful.

In other words, it’s about context and understanding that numbers alone do not tell the whole story. Finance leaders should connect the dots in ways that produce valuable insights or discoveries, and determine for example:

  • What is being measured, why, and how is it measured?
  • How extensive the exploration for such discoveries was?
  • How many additional factors were also reviewed for a correlation?

Further, to use data intelligently and influence better decision making, CFOs and their teams should recognize that most enterprise data is accumulated not to serve analytics, but as the by-product of routine tasks and activities.

Consider customer online and offline purchases data. Social media posts. Logs of customer communications for billing and other transactional purposes.

Such data is not produced for the purpose of prediction yet when analyzed, this data can reveal valuable insights that can be translated into action which delivers measurable benefits.

Often the company already has the data that it needs to answer its critical business performance questions, but little of it is being aggregated, cleaned, analyzed, and linked to decision making activities in a coherent way.

Exacerbating the issue is the mere fact that the company has a mishmash of incompatible computer systems and data formats added over the years ultimately making it difficult to perform granular analysis at a product, supplier, geographic, customer, and channel level, and many other variables.

There is nothing grand about data itself. What matters most is how you are handling the flood of data your systems are collecting daily. Yes, data can always be accumulated but as a finance leader:

  • Are you taking time to dig down into the data and observing patterns?
  • Are the observed patterns significant to altering the strategic direction of the organization?
  • Are you measuring what you really want to know, what matters for the success of the business?
  • Or you are just measuring what is easy to measure rather than what is most relevant?

CFOs do not need more data. What they need right now is the ability to aggregate, clean and analyze the existing data sitting in the company’s computer systems and understand what story it is telling them.

Before they can focus on prediction, they first need to observe what is happening and why. Bear in mind correlation does not imply causation.

Yes, you might have discovered a predictive relationship between X and Y but this does not mean one causes the other, not even indirectly.

For instance, employee training hours and sales revenue. Just because there is a high correlation between the two does not mean increase in training hours is causing a corresponding increase in sales revenue. A third variable might be driving the revenue the increase.

Jumping to conclusions too soon about causality for a correlation observed in data can lead to bad decisions and far-reaching consequences, hence finance leaders should validate whether an observed trend is real rather than misleading noise before providing any causal explanation.

Certainly, big data can be a powerful tool, but it has its limits. Not all data is created equal, or evenly valuable. There are situations where big data sets play a pivotal role, and others where small, rich data sets trump big data sets.

Before they decide to collect more data, CFOs should always remember data is comparable to an unexploited resource.

Even though data is now considered an important strategic asset for the organization, raw data is like oil that has been drilled and pulled out of the ground but not yet refined to its finer version of kerosene and gasoline.

The data oil has not yet been converted into insights that can be translated into action to cut costs, boost revenues, streamline operations, and guide the company’s strategic direction.

Thanks for sharing:

Doing The Right Thing For Too Long

Markets and business models are shifting, and so should you keep up with these market changes if your business is to survive and succeed. Compared with the past, the current era of digitization represents an inflection point.

Consider individual trends such as artificial intelligence, virtual reality, Big Data, cybersecurity threats, drones, the Internet of Things, driverless cars, blockchain technologies, and more.

These new technologies have significantly changed the way we connect and interact as individuals, including how businesses deliver products and services to their customers.

Reinventing your business will determine whether you succeed or fail in the digital age. As the saying goes, disrupt or be disrupted. No company, business, or industry is safe from disruption. Today, individual businesses have the potential to compete against multinational companies and win.

These businesses are quick to anticipate market changes and flexible to get ahead of the curve. Sadly, many companies are blinded by their successes and aren’t willing to disrupt themselves. They are not experiencing their desired growth trajectory because they are stuck doing the right thing for too long.

Don’t get comfortable with the status quo and allow your business to get stuck on a strategy and mindset that no longer fit the market.

Here are a few questions to ponder, the answers to which will determine the future of your business:

  • What is at the core of your strategy?
  • Are you in touch with the customers you want to serve? When customers give you negative feedback, how often do you listen and act on it?
  • Are you operating your business on the premise that you know what is best for your customers therefore they are supposed to buy whatever product or service you offer them?
  • Are you keeping up with market shifts or you only know how to grow under one set of conditions or products and services, but not how to survive and strive under another?
  • How robust and flexible is your IT infrastructure to help you innovate, perform your company’s Jobs To Be Done, and scale your business?
  • Are you creating a strong culture that is focused on customers, including a culture that not only embraces change but seeks it out?

Given our world is changing faster, it’s imperative to continuously look for signs that things are changing and think about how those shifts would play out in the short-term, medium-term, and long-term, not forgetting the impact on the execution of your strategy and enterprise performance.

The signs can reveal individually. At times, they are part of a wider trend.

Nonetheless, how you adapt will determine whether you succeed or fail. Keep learning. Learn about innovations in your industry and beyond. Try out new business models and technologies and embrace a philosophy of constant change.

Once you understand how the market is changing and evolving, you can develop the right product or service and strategy that will help you achieve your desired outcomes.

We often talk of the ability to “connect the dots” and “take a helicopter view of the business” as key ingredients for success. But how often are business leaders and their teams doing this?

Across the organization, a culture of “them versus us” prevails. Important decisions are made at a functional level with little or no consideration of their impact at the enterprise level.

Having the ability to grasp the big picture and see how different trends intersect is essential for determining the right path or course of action to pursue.

So, how do you spot market transitions and develop a clear sense of where the market is going?

  • Be curious and hungry for new ideas. Continuously ask tons of key performance questions and pay attention to what’s around you.
  • From time to time, challenge conventional wisdom. It’s easy to stick with what you know about your business model, customers, competitors, markets, or industry but dare to pivot when conditions change.
  • Don’t be nostalgic about the past or worried about protecting what you’ve built in the present. Always be curious about the future and develop a willingness to take calculated risks.
  • Ask existing and would-be customers how they feel about your company’s products, services, and strategy. Instead of turning to sources that reinforce your existing point of view, seek multiple perspectives and cross-reference them as new facts come in.
  • Develop an ability to handle multiple random data points at once. This will help you generate critical market, customer, and business performance insights and make smarter, informed decisions. Be careful to distinguish between the signal and the noise since data can be deceiving, especially when you’re looking for “confirmation” that protects your business model.

Data might not tell you why something is happening, but it does tell you what’s going on.

  • Look for patterns and abnormalities that might suggest something is going on, including any interdependencies.
  • Anticipate all the various scenarios of what could happen.
  • Plan your course of action in response to what’s happening in real time.

As the signals of a market shift increase, the need to act becomes more imperative. Note, monitoring and identifying market shifts, and effectively taking the appropriate course of action is a matter of timing.

If you continue doing the right thing for too long and lack the boldness to disrupt both the market and your own organization, you risk being disrupted and left behind. There is no company that is too big to fail. Neither is there a startup that is too small to succeed.

Thanks for sharing:

How Feasible Are Your Strategic Objectives?

Every organization sets out its goals and objectives, to accomplish its mission and vision. The two often seem like two interchangeable phrases but there is a distinction.

A goal is a desired result you want to achieve and is typically broad and vague. An objective, on the other hand, defines the specific, measurable actions each employee must take to achieve the overall goal.

It is every leader’s job to create a coherent set of feasible objectives or what Richard Rumelt calls proximate objectives. Objectives that define targets the organization is fairly expected to achieve, even overwhelm.

This is essential for ensuring energy and resources are focused on one, or a very few, critical objectives whose accomplishment will lead to a cascade of positive outcomes.

An effective strategy defines a critical challenge or opportunity and clearly articulates how the organization is going to play to win or perform customers’ Jobs to Be Done.

Thus, the objectives an effective strategy sets should stand a good chance of being accomplished, given existing resources and competence.

On the contrary, a bad strategy results in the setting of bad strategic objectives.

Long lists of “things to be done,” are often labeled wrongly as strategies or objectives. Or the desired outcome is simply rehashed with no explanation of how this will be accomplished.

It doesn’t matter how well-thought your strategy is in response to an identified challenge or opportunity. If the resultant strategic objectives are merely a list of things to do, or just as difficult to achieve as the identified key challenge, there has been little value added by the strategy.

In today’s highly competitive, uncertain, dynamic, and complex environment in which a leader’s ability to look further ahead is diminished, it is better to focus on a few pivotal items through taking strong positions, creating options, and building advantage.

First identify the key challenges or opportunities for the business. Look very closely at the changes happening within your business, where you might get an added advantage over competition.

Next, create a list of the issues, including the actions your company should take.

Then, trim the original list to a noticeably short list of pivotal issues and proximate objectives by identifying one or two feasible objective(s), when achieved, would make the biggest difference. Remember, the identified objectives should be more like tasks and less like goals.

Now, focus on the objectives by channeling skills and available resources to accomplish the overall goal.

Once accomplished, new opportunities will open up resulting in the creation of more ambitious objectives. This cycle will help you develop a system that enables the setting of feasible strategic objectives.

Thanks for sharing: