How To Protect Your Business From A Cyber Attack




Intelligence FIRST: helping your business make better decisions

Cyber security: Keeping your business resilient

Cyber security is about keeping your business resilient in the modern technological age. It is about meeting the threat posed by a range of attacks perpetrated using the same online networks that are critical to the way we interact and do business. It is about how you deal with this particular risk to your organisation, and it centres on corporate culture and behaviour, not just technology.

Cyber attacks are now endemic, but this doesn't mean your organisation is powerless. By being cyber secure you can take steps to protect what is valuable to your organisation, in terms of both assets and reputation. This CBI Intelligence FIRST guide sets out why cyber security should be prominent in board discussions right now.

Inside
Page 3: Why cyber security matters to your business
Page 4: What exactly is under threat?
Page 5: How to become cyber secure
Page 9: Actions for the board

Don't give this to your CIO until you've read it first.

March 2013

CBI Intelligence FIRST cyber security 3

Why cyber security matters to your business

Changes to the way we do business have increased the risk. Most companies now operate cross-border and have a strong presence in international markets. They have widely dispersed supply chains, operating multiple customer channels. And there has been a major shift in the way that we routinely share and store data, with a big emphasis on mobile working.

The risk profile is changing. Cyber attacks are now endemic, with over 90% of large companies likely to have suffered a breach in the year 2011-2012. Some reports estimate that global companies are suffering 15,000 attacks a day, reaching ten times that for organisations such as a large global bank. (Sources: PwC Info Sec survey 2012; Financial Times, 24 January 2013)

But complacency is threatening many businesses. A BAE Systems Detica survey found that 61% of companies stated that it would take a cyber attack on them or a competitor for their boards to properly address the risk: that's clearly too late. (Source: BAE Systems Detica 2012 Cyber Security Monitor)

A cyber attack can have a major impact on investors, supply chains and customers. It can result in:
- Monetary theft by accessing financial systems
- Hackers accessing your systems to steal trade secrets or valuable intellectual property (IP)
- Business interruption by shutting down critical systems
- Loss of customer, employee or other commercially sensitive data
- Damage to brand through loss of customer trust or a malicious attack.

Helpful analysis from the World Economic Forum shows that cyber attacks became the fourth most likely global risk in 2012.

Cyber attacks as one of five headline global risks (likelihood scored from 1, very unlikely, to 5, almost certain):
1. Severe income disparity: 4.03
2. Chronic fiscal imbalances: 4.03
3. Rising greenhouse gas emissions: 3.88
4. Cyber attacks: 3.80
5. Water supply crises: 3.79
Source: World Economic Forum

What exactly is under threat?

If cyber attacks are a likely risk, what about their impact? The cost to businesses in the UK of cyber attacks has been calculated at around £21bn annually. (Source: The cost of cyber crime, Detica and the Cabinet Office)

These breaches take a range of forms, and the risk to your organisation may include threats to the following: the brand, valuables and systems.

Who are the hackers? It could be a range of actors, including rival organisations, criminal gangs who have targeted public services in the past, or professional/state-sponsored hackers based in areas such as the former Soviet Union.

The brand: Malicious code or malware can be used to disrupt consumer-facing services. Example: a code injection hack on the operating system of a leading entertainment firm in the spring of 2011. The resulting cost was estimated to be in the region of $138m.

Valuables: Online malware can be used to steal trade secrets, valuable data or sensitive information with commercial implications. Example: the use of a virus called the Backdoor Trojan in 2011 to target the R&D and manufacturing data of 50 chemical and defence firms.

Systems: Cyber attacks can also shut down the provision of crucial services through critical national infrastructure (CNI). Example: the oil firm Saudi Aramco was attacked in August 2012 by hackers, forcing the shutdown of 30,000 workstations.

It's time to become cyber secure: here's how to do it

Treat it as a regular business risk: embed it as part of your ongoing risk management activity.

Get your governance structure right: you need to ensure that you have a designated member of staff or a risk team in place that is responsible and accountable for the risk of cyber attack, alongside all other concerns on your risk register.

Ensure your designated lead member of staff or risk team continually undertakes three critical tasks and keeps reporting back to the board: this is about making sure you can respond to the threat of cyber attack in a dynamic way.

Three steps for your team:
1. Identify what is valuable to your organisation and assess the risk.
2. Ensure your internal processes around staff behaviour are adequate.
3. Make sure your technology and software is properly robust and up to date.

"The boards of all companies should consider the vulnerability of their own company to these risks as part of their normal corporate governance and they should require their key advisers and suppliers to do the same." Jonathan Evans, head of MI5, Mansion House speech, June 2012

Let's look at these in more detail.

1 Identify what's valuable to your organisation and assess the risk

The central question to ask here is "cyber attacks are a risk to what?" or "what is properly valuable to the critical operations of this company?" We are not just talking about information per se, but about all forms of data that are fundamental to the company's business model, including datasets used for HR purposes, client services, product development and business planning.

Your team will then be in a position to do the following:
- Identify what's valuable to the organisation and gauge whether there are any existing threats to be aware of (presenting this as part of a risk assessment exercise at the board meeting).
- Answer the question "what is the figure that we could not stand to lose?" This will help give you an awareness of value by quantifying what you could lose through inaction. It will also equip you to consider and justify the opportunity cost of allotting time and resources to mitigate the threat.
- Identify who currently has access to what kinds of data, trade secrets or valuable systems within the organisation, and why this is the case: don't discount the possibility of internal doors being left open, either accidentally or even intentionally, by staff or consultants. Last year, for example, an Austria-based employee of the Massachusetts wind-energy company American Superconductor stole intellectual property from the firm and sold it to the Chinese wind turbine manufacturer Sinovel for $1.5m (New York Times, 14 February 2012).

2 Ensure your internal processes around staff behaviour are adequate

Get the basics right. Around 80% of the risk of cyber attack to your organisation can be mitigated by getting the basics right. [1] This means keeping security in mind when designing policies and processes for:
- Flexible working arrangements
- "Bring your own device": the sharing of information via personal as well as professional devices
- User privileges: make sure access requirements and passwords for sensitive data are robust and secure.

Influencing human behaviour and initiating a culture change from the top is vital. With four out of ten people now using smartphones, [2] strict safety policies, together with examples of good practice on the use of work information, need to be evident from board members down.

There's always scope to be innovative. On passwords, for example, recent survey research from Microsoft confirms the obvious point that alphabetical passwords are either so easy to remember that they are frequently guessable or so difficult that they are rarely remembered. Many companies are therefore beginning to experiment with new forms of password security using pictorial and graphical prompts.

Keeping staff educated is a key means of ensuring your firm is cyber secure. Human error can lead to unforeseen consequences: cyber attackers are able to enter networks through planted USBs and other simple means. Employee awareness of the issues around cyber security is of vital importance, and so a sense check of what employees know already is a useful step to repeat continually.

[1] GCHQ estimate
[2] OFCOM estimate

3 Make sure your technology and software is properly up to date

With online networks so central to our everyday activities, dealing with the threat of cyber attack means accepting it as an endemic risk and finding a way to manage it. But don't waste time trying to become the next Fort Knox.

Cyber security requires up-to-date software with the right safety mechanisms to guard your company valuables or the critical networks your business operates. Additionally, it requires software that can help monitor and detect potential threats, with backup systems to ensure continued delivery for consumers and investors in the event of a cyber breach.

If your risk team finds your existing systems are inadequate, investment in improvements may be necessary to protect your company valuables. Investment should be weighed against the valuation of the things you can't afford to lose.

Advice on how to ensure your organisation's software systems are secure, and crucially on how to adapt in the event of a cyber attack, is available from external consultancies together with computer emergency response teams (CERTs), which provide real-time data and information about how to respond to constantly evolving cyber threats.

Becoming cyber secure means constantly adapting to developments in technology. With changes to the way we store commercially sensitive information, such as in the cloud, make sure your team knows the location of the server which holds your data (in terms of jurisdiction), and whether your data is secure.

The crucial slide: actions for the board to cover in a meeting

With these issues accounted for, make sure you address all angles by covering the following points in your board meeting:

1 Consider a risk assessment
Do a fly-past exercise to determine the company's current state of health and your existing policies. Identify what data, information or systems are valuable to your company operations. Make sure you get an accurate assessment of what the risk to these valuables might be, and gauge whether your risk team is aware of existing threats.

2 Turn your attention to risk management
Consider the crucial cost/benefit decisions to invest in improvements to internal networks. Decide whether any outside help or investment is required to strengthen your software mechanisms, your ability to detect threats, or for programmes such as staff training.

3 Focus on resilience to protect your reputation
Make sure you are prepared for the possibility of a cyber attack by having a contingency plan which ensures you can continue to deliver products and services. This will mean your ability to deliver for the people who matter is not damaged.

Learn more about cyber security

The CBI's range of activity includes:
- Liaising with the UK government to convey industry's broad view of cyber security, including messaging for the board and mechanisms for reporting attacks
- Monitoring regulatory developments in the EU, including the EU's cyber security strategy, which could impose new reporting requirements on businesses
- Raising the profile of cyber security in business through articles, speeches and roundtable events.

Other important sources of information:
- "Ten steps to cyber security" guidance released by the UK government in September 2012: http://www.bis.gov.uk/assets/biscore/business-sectors/docs/0-9/12-1120-10-steps-to-cyber-security-executive.pdf
- "Pathways to global cyber resilience" document from the World Economic Forum: http://www3.weforum.org/docs/wef_it_PathwaysToGlobalCyberResilience_Report_2012.pdf

For more information please contact James Nation, email: james.nation@cbi.org.uk, tel: 0207 395 8121

Secure your networks and critical information, secure your reputation and your future success.

Intelligence FIRST

Intelligence FIRST brings together:
- The CBI's inside knowledge of upcoming changes in legislation and regulation
- Informed CBI commentary and analysis on significant public policy and other major developments
- Critical and timely economic and business trend assessments.

If you have concerns about:
- How your business should prepare for major changes in legislation and regulation
- Where the economy is headed and how it will impact on your sector
- What the long-term legacies of the credit crunch and recession will be across the business landscape
- What you need to know for your business to manage the transition to a low-carbon economy

Intelligence FIRST is here to help. Your account manager will keep you in touch as new Intelligence FIRST guides become available.

Product code CAG_ENT_365