Security breaches to computer systems have consistently been a major drain on organizations, both private and public. With technology constantly evolving and posing more threats, both internal and external, to the existence and functioning of the business, management need to be always on the guard of these computer threats or cyber attacks.
Failure to properly identify, evaluate, monitor and manage these ever-increasing cyber threats will result in the orgnization incurring huge costs. As a starting point, organizations need to understand the source and nature of the threat. Is it an external of internal attack? Examples of external threats include attacks by organized criminals and threats from terrorists. Examples of internal threats include turbulence in personnel through new hires, transfers and terminations.
Cyber risk management has now become one of the top concerns for organizations. Not only are organizations realising the wide array of opportunities presented by recent developments in information technology. They have also become aware of the huge threats posed by such developments.
The type of cyber attacks has also evolved over the years. For example, in the 1980s, email viruses were the most common form of attack, in the 1990s denial of service attacks took over, for example worms and trojans. From the early 2000s network and infrastructure attacks such as bandwidth consumption and resource starvation or exploitation became common.
This development of new forms of attacks does not mean that the organization should turn a blind eye on early forms of attacks. These still need to be managed and at the same time organizations need to be one step closer or ahead of the attackers.
In dealing with cyber risks, management should know the different categories of information technology risk. Having detailed knowledge of these risks will help devise appropriate tools and means of managing them. The different categories include:
1. Malicious Codes and Programs: These pose a threat to everyone who uses the internet. Examples include Viruses, Worms, Trojan Horses and Logic/Time Bombs. Today, new viruses are targeting instant messaging, voice mail, mobile phones and other personal devices. If these attacks are not properly managed, the impact on the organization can be destructive. For example, in October 2012, The “Shamoon” virus dubbed the most sophisticated of its kind attacked Saudi Arabia’s state oil company ARAMCO and Qatar’s natural gas firm, Rasgas.
Shamoon included a routine called a “wiper,” coded to self-execute, which replaced crucial system files with an image of a burning U.S. flag. It also overwrote all the real data on the machine with garbage. More than 30,000 computers that it infected at ARAMCO were rendered useless, and had to be replaced. The scope and speed with which this happened was unprecedented. What this means is that organizations must bolster their cyber defenses. Protection is available at the individual and system level, for example, use of anti-virus programs.
2. Malicious Hacking and Intrusion: This involves unauthorized penetration of the computer system for the legal purpose of obtaining illegal access to key information such as customer information, financial records, R&D information, employee records etc. Can also involve denial of service attacks, for example, password sniffing to obtain access to bank or credit resources. Organizations should effectively monitor such activities and ensure proper controls are in place to reduce the extent of damage caused by such threats.
Failure to do so might result in corporate, industrial or government espionage or a business competitor defacing your website. For example, an organization called the Syrian Electronic Army (SEA) has recently been targeting a number of western media organizations, including the Guardian, the BBC and al-Jazera.
The SEA recently attacked The Associated Press and breached its Twitter accounts. They sent bogus messages which wrecked havoc on stock exchanges worldwide. The hackers tweeted that President Obama had been injured in a bomb attack at the White House, causing a temporary 143-point drop on the Dow Jones industrial average.
The same hackers have also lodged an attack on the Guardian by sending spoof emails to staff encouraging them to click on links that could compromise some of the company’s emails and social media accounts.
The same could happen to your organization. With a lot of information circulating on social media sites and the web, management need to know what exactly is being said out there with regards to the company’s products, services, channels, customers, management, operations etc so that they can make sound decisions. Research has shown that India is one of the top spammers. The country relays 9.3% of all spam. Other notable spammers include USA 8.3%, South Korea 5.7%, Russia and Indonesia 5%, Italy 4.9%, Brazil 4.3%, Poland 3.9% and Pakistan 3.3%.
3. Fraud and Deception: This includes various forms of attacks in the form of spoofing, masquerading or salami attacks resulting in damage to privacy. There are also electronic forms of fraud such as phishing and credit card theft. In order to combat fraud, organizations must initiate training programs that raise the awareness level of employees and users of computer systems and instill an understanding of the need for sound password practices and other protection policies.
4. Misuse and Sabotage: Involves misuse or vandalization of resources through unauthorised access, for example unauthorised software changes or downloads.
5. Errors and Omission: Software programmers are capable of making human errors when designing and developing software systems. Also involved in this category of risk is accidental or unintended destruction of files or data and routing or transmission errors.
6. Physical and Environmental Hazards: These can either be intentional or accidental threats. Fires, floods, earthquakes, tsunamis etc can cause destruction to computer systems with sensitive information. Theft by current and former employees of computers or storage facilities with sensitive information also poses high risk to the organization.
To avoid losing such important information, there must be proper and efficient back-up facilities to ensure business continuity. Key sensitive information must be stored and locked in designated areas and only individuals with permission to such information should be allowed access at all times. Their activities on the systems should also be regularly checked and monitored.
Since cyber risk management is about information security; preserving the organization’s information confidentiality, integrity and availability to ensure business continuity, comply with legal requirements and gain competitive edge through use of knowledge to make effective decisions, organizations can adopt some or all of the following best practices for information security.
- Use of firewalls, anti-virus, worm and trojan software to reduce virus vulnerability.
- Make use of software updates by adopting patches issued by the software source. Software updates correct application vulnerabilities when they are detected.
- Implement a password policy with a sound password structure and workability (the ability to remember).
- Physical security including disaster recovery planning and physical protection in the form of locks to control access to critical system equipment.
- Policy and training to create awareness of information systems security risks.
- Secure remote connections and server lock down.
- Make use of intrusion detection systems to monitor network traffic to seek matching bit patterns.
- Conduct continuous security audits using testable metrics. Audits should identify lost productivity due to security failures and should include subsequent user awareness training.
- Include security in business decision-making processes. For example, when pricing products or services, required funding for security measures need to be included in business cases.
As cyber activities continue to increase and more information gets splashed across the worldwide web, organizations must increase focus and enhance their cyber risk mitigation strategies.