Why should cyber security risk management matter?

13-04-2017

You only have to look back over the last year to see what damaging impact a cyber-attack can have on an organisation.

In February 2016 Lincolnshire Council was hit with a computer ransomware attack. A ransomware attack encrypts data on a system and demands a ransom for the files to be restored to normal, though there is no guarantee that the files will be restored if the ransom is paid. In Lincolnshire Council’s case, the hackers demanded £1m and shut down services for four days, forcing staff to revert to pen and paper – no ransom was paid and their systems were eventually restored.

In May 2016 a hacker advertised more than one hundred million LinkedIn logins for sale. The information, including email addresses and passwords, had been obtained from a breach four years earlier.

Jumping forward to April 2017, Wonga has been the most recent victim of a data breach, with up to 250,000 accounts compromised.

A disturbing trend

These cases are unfortunately not infrequent.

In fact, IT Governance estimated that in 2016, 3.1 billion records were leaked from various organisations around the world, and according to Kroll’s Global Fraud and Risk Report 2016 (published 2017), an astounding 85% of surveyed executives said that their company had experienced a cyber-attack or information theft, loss or attack in the last 12 months.

Whatever the type of attack, it is clear that the ultimate price could prove very costly for organisations of any type, size and sector, whether it is service down-time, a hefty fine from the Information Commissioner’s Office, reputational damage or all of the above.

The truth is that all organisations, including those in the public sector, must consider cyber security an organisational risk and not simply something that sits with the IT department. To mitigate this risk, it is essential that organisations raise their awareness level and commit to building a risk-averse, security-conscious culture.

Tackling cyber fraud head-on

The government’s new National Cyber Security Centre (NCSC), the UK’s authority on cyber security, was launched in 2016. Its mandate, published in a five-year strategy, is to ‘make Britain confident, capable and resilient in a fast-moving digital world’.

Over the course of the five-year plan, the NCSC will invest £1.9bn in defending systems and infrastructure, deterring adversaries and developing a ‘whole society’ capability - from the biggest companies right down to the individual citizen.

Organisations can begin to protect their systems by following the NCSC’s ‘10 steps to cyber security’. The first recommended step is to embed a risk management regime, supported by the board and senior managers. The remaining nine steps then address associated security areas:

  1. Network security.
  2. User education and awareness.
  3. Malware prevention.
  4. Removable media controls.
  5. Secure configuration.
  6. Managing user privileges.
  7. Incident management.
  8. Monitoring.
  9. Home and mobile working.

The NCSC website features a wealth of additional guidance and resources.

Reporting cyber-crime

Individuals and organisations can report instances of cyber-crime (and fraud) to Action Fraud, the national fraud and cyber-crime reporting centre. For further information, please visit its website.

Additional support

The CIPFA Counter Fraud Centre is keen to ensure that the NCSC’s strategy makes a lasting difference so we’re hosting a one-day workshop on 26 March 2018.

It explores the importance of the strategy and what it means in practice for your organisation. You will gain a clear view of the threat landscape, helping you to create an action plan and the right organisational culture to ensure that your organisation is ‘cyber-ready’.

If your organisation subscribes to the Counter Fraud Centre, you can use any of your pre-paid places at this event.

The Open University also offers an Introduction to Cyber Security course.

It has been developed by The Open University with support from the UK government’s National Cyber Security Programme and can be accessed free of charge.