Why cyber security risk management should matter


By Gillian Fawcett, Head of the Governments Faculty, CIPFA

Recent attacks

You only have to look at recent events to see what damaging impact a cyber-attack can have on organisations globally. 

Most recently, a global cyber-attack using leaked hacking tools crippled the National Health Service (NHS) in the United Kingdom, hit the international shipper FedEx and infected computers in 150 countries. More than 300,000 computers were infected; the countries most affected by the ransomware, known as ‘WannaCry’, were Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.


Ransomware is often delivered via emails that trick the recipient into opening an attachment and so releasing malware onto their system, a technique known as phishing. Once a computer has been infected, the malware encrypts its files so that they can no longer be accessed, then demands payment in bitcoin in return for restoring access. Security experts warn that there is little or no guarantee that access to the files will be restored after payment. Some file-encrypting ransomware has been known to ‘up the stakes’ after a few days, demanding more money and threatening to delete the files altogether.

In 2016 a large local council in the UK was hit by a ransomware attack. The ransomware encrypted data on the council’s systems and demanded a ransom for the files to be restored. There was no guarantee that the files would be restored even if the ransom was paid. In the council’s case, the hackers demanded £1m and services were shut down for four days, forcing staff to revert to pen and paper – no ransom was paid and the systems were eventually restored.

A hacker recently advertised more than one hundred million LinkedIn logins for sale. The information, including email addresses and passwords, had been obtained from a breach four years earlier. LinkedIn is the professional network site often used to send work-related messages and to find career opportunities – it holds information that its members would want to stay private. The IDs were reportedly sourced from that earlier breach; at the time, the business-focused social network said it had reset the accounts of those it thought had been compromised. The leak meant that criminals could make use of this information directly, or check whether the affected users had reused the same passwords elsewhere.

Details of the login leak and sale were first reported by the news site Motherboard. It said the details were being advertised on at least two hacking-related sites. A total of 117 million passwords were included. The passwords were encoded, but in a form that appeared to have been relatively easy to reverse-engineer. LinkedIn had about 165 million accounts at the time of the breach. Shortly after the breach first occurred, a file containing 6.5 million encrypted passwords was posted to an online forum in Russia.


Cyber crime is a disturbing trend. IT Governance (a provider of IT governance, risk management and compliance solutions, with a special focus on cyber resilience) estimated that in 2016, 3.1 billion records were leaked from organisations around the world. According to Kroll’s Global Fraud and Risk Report 2016 (published 2017), an astounding 85% of surveyed executives said that their company had experienced a cyber-attack or information theft, loss or attack in the last 12 months.

Whatever the type of attack, it is clear that the ultimate price could prove very costly for organisations of any type, size and sector, whether that is service downtime, a hefty fine from regulators, reputational damage, or all of the above.

Cyber security

The truth is that all organisations, including those in the public sector, must treat cyber security as an organisational risk and not simply something that sits with the IT department. To mitigate this risk, it is essential that organisations raise their level of awareness and commit to building a risk-averse cyber-security culture.

Cyber crime needs to be tackled head on across the globe. The UK government’s approach was to establish a National Cyber Security Centre (NCSC) as the authority on cyber security, alongside a five-year strategy and a £1.9bn investment plan for defending systems and infrastructure, so that organisations become more confident, capable and resilient in a fast-moving digital world.

The strategy is key to deterring adversaries and developing a ‘whole society’ capability – from the biggest companies right down to the individual citizen.

The NCSC also set out ‘10 steps to cyber security’ so that organisations can begin to protect their systems. The first recommended step is to embed a risk management regime, supported by the board and senior managers. The remaining nine steps then address associated security areas such as secure configuration, network security, managing user privileges, malware prevention, monitoring and incident management.


Cyber crime is a stark reminder that IT security must be effective and properly resourced. Organisations should remain vigilant and ensure that steps such as those recommended by the NCSC are introduced to minimise the risks. It is critical that appropriate risk management regimes, backed by an empowered governance structure, are implemented across organisations and actively supported by boards and senior managers. Cyber threats will continue to evolve, and this is why organisations, governments around the world and the public must work together to reduce the threat.