CyberCrime. Regulators around the world are warning organisations that it is no longer a question of whether your organisation becomes a victim of cybercrime, but only of when.
It is one of the biggest risks facing any organisation, of any size, in any industry or public sector. For many organisations it is nothing less than an existential risk: a significant data breach or a criminally induced failure of its IT systems can have a catastrophic impact, to the point of threatening the organisation’s survival.
CyberSecurity is an arms race. As organisations implement new measures to resist criminals’ efforts, the criminals find new ways to penetrate or circumvent those measures, or simply move on to organisations whose defences are not up to date. Management cannot afford to be complacent; the fight against CyberCrime can never be finally won, only kept up.
CyberCrime is defined as any crime that is carried out using, or directed at, a computer, a network or the internet. It is an umbrella term for a wide range of criminal activity including:
It is also important to understand that CyberCrime is not just about money. CyberCriminals can be motivated by spite (for example disgruntled employees), by a political or terrorist agenda, or even by simple curiosity or the wish to show off to peers. The expansion of the internet beyond computers and mobile phones into cyber-physical or ‘smart’ systems (including the ‘internet of things’) is also extending the threat of remote exploitation to a whole host of new technologies, many of which were never designed to be exposed to hostile networks.
The key things to ensure you have in place are Culture, Training, Governance and Incident Planning.
In order to detect and block identity fraud, organisations should implement a holistic, layered approach which bridges the gap between online identities and the people behind them. This layered approach should start with verifying a consumer’s identity against physical documents or authoritative data sources at onboarding, and then, as the relationship with the consumer develops, use dynamic digital identity intelligence (device, location and behavioural signals) to judge whether the consumer’s online behaviour is consistent with what might be expected and with the account’s own history. Activity that is inconsistent with that history should trigger additional verification rather than being accepted at face value.
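The following is an added illustration of the behavioural consistency layer described above; it is not code from the original page. It scores each new login against what the account’s history says is normal (known devices, known countries, usual hours, and the time and place of the last accepted login) and flags logins that are inconsistent with it, including the ‘impossible travel’ case where two logins are too far apart to have been made by the same person. The field names, weights, thresholds and sample data are all assumptions chosen for the example.

```python
"""Behavioural consistency check for account logins (added example).

Assumed data model: an AccountHistory built from previously accepted logins
and a LoginEvent for the activity being assessed. Scores and thresholds are
illustrative and would be tuned to the organisation's risk appetite.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumed: roughly a commercial flight
REVIEW_THRESHOLD = 50             # assumed: at or above this, step up / review


@dataclass
class AccountHistory:
    known_devices: set            # device identifiers seen on accepted logins
    known_countries: set          # ISO country codes seen on accepted logins
    usual_hours: set              # UTC hours in which the customer normally logs in
    last_seen_at: datetime        # time of the last accepted login
    last_seen_coords: tuple       # (lat, lon) of the last accepted login


@dataclass
class LoginEvent:
    device_id: str
    country: str
    coords: tuple                 # (lat, lon) geolocated from the source address
    at: datetime


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def score_event(history, event):
    """Return (score, reasons); a higher score means less consistent with history."""
    score, reasons = 0, []
    if event.device_id not in history.known_devices:
        score += 25
        reasons.append("unknown device")
    if event.country not in history.known_countries:
        score += 25
        reasons.append(f"new country {event.country}")
    if event.at.hour not in history.usual_hours:
        score += 10
        reasons.append(f"unusual hour {event.at.hour:02d}:00 UTC")
    hours = (event.at - history.last_seen_at).total_seconds() / 3600
    if hours > 0:  # skip the travel check on clock skew / duplicate timestamps
        km = haversine_km(history.last_seen_coords, event.coords)
        if km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 40
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    return score, reasons


def decide(history, event):
    """Map the score to an action: 'allow' or 'review' (e.g. step-up authentication)."""
    score, reasons = score_event(history, event)
    action = "review" if score >= REVIEW_THRESHOLD else "allow"
    return action, score, reasons


# Constructed sample data: a UK customer whose last accepted login was from London.
SAMPLE_HISTORY = AccountHistory(
    known_devices={"dev-A1"},
    known_countries={"GB"},
    usual_hours=set(range(7, 23)),
    last_seen_at=datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
    last_seen_coords=(51.5074, -0.1278),
)
SAMPLE_EVENTS = [
    # consistent with history: same device, same country, usual hour
    LoginEvent("dev-A1", "GB", (51.5074, -0.1278), datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)),
    # new device but plausible: Manchester, three hours after the London login
    LoginEvent("dev-Z9", "GB", (53.4808, -2.2426), datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)),
    # new device, new country, and New York 90 minutes after London
    LoginEvent("dev-Z9", "US", (40.7128, -74.0060), datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)),
]


def run_sample():
    """Assess each constructed event against the constructed history."""
    return [decide(SAMPLE_HISTORY, e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, (action, score, reasons) in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{event.at:%H:%M} {event.country} {event.device_id}: {action} ({score}) {reasons}")
```

Two design points matter in practice: the history must be updated only from logins that were actually accepted (otherwise a fraudster’s first success teaches the model that the new device and country are normal), and a high score should route to step-up verification rather than a hard block, because a genuine customer travelling or replacing a phone will produce exactly these signals.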
It is also crucial to ensure that any CyberSecurity arrangements implemented by the organisation are mirrored by every third party supplier to that organisation, and by any supplier to that third party, all the way down the supply chain. These requirements should be set out in contracts and verified, not simply assumed.
CyberSecurity is fundamentally a cultural challenge; the best control systems and processes available cannot compensate for a culture in which colleagues do not take CyberSecurity seriously and do not understand their personal obligations. Any organisation’s cybersecurity control system depends on the people within the organisation to implement it: to understand the policies and procedures and to follow them. This requires a culture that encourages and ensures understanding and compliance.
Getting a culture right is a challenge of leadership, and leadership means more than just management. For larger organisations creating the desired culture is a significant and ongoing challenge; it is easy for a desired culture to dissipate quickly and be replaced by something else. A good culture does not happen by accident; it is created by information and actions aimed at sending a clear message along the lines of “this is how we do things around here, this is what we stand for, this is what we see as important”.
As part of the induction process for new colleagues at all levels (regardless of seniority) you should ensure that everyone is aware of the common CyberCrime approaches such as phishing, hacking and social engineering, and knows what to do when they encounter one.
Use free resources such as posters and put them up around the office or building. This will encourage staff to think about security at all times.
Even small organisations should have easily accessed arrangements through which staff can report security concerns. Ensure everyone understands the importance of reporting unusual activity to management and colleagues, however trivial it may seem; an early report of a suspicious e-mail is often the first sign of a wider attack.
Remember that customers need to be aware too. All new account material should draw the customer’s attention to these risks, and explain that the organisation will never ask for the customer’s security details such as whole passwords and card PINs. Ensure that the risk warnings to customers are in plain language, easy to understand, prominent, and refreshed from time to time.
The risk of CyberCrime is one of many risks facing the organisation. All organisations, of any size, should have in place a governance structure and process by which all of their risks are identified, assessed for impact and likelihood, appropriate controls identified and assessed, and those controls tested from time to time. The level of sophistication of an organisation’s governance will obviously depend on its size and complexity, but even small organisations should take stock of their risks and controls periodically. For medium to large organisations, governance arrangements are likely to follow more formalised frameworks such as ISO/IEC 27001 (the 2013 edition at the time of writing, since superseded by the 2022 revision) or COBIT 5, with clearly defined roles, responsibilities and processes.
At the smaller end of the scale organisations may adopt a less formalised approach, but should ensure that documentation of the approach is maintained and that the approach clearly identifies the security decisions that need to be made and who makes them, and that those decisions are based on relevant and reliable information so that every decision is an informed one. Documentation is key to proving that a governance approach has been defined and followed.
It is crucial that organisations have a Plan for responding to serious CyberCrime incidents, so that when the inevitable happens everyone involved knows how to respond and responds in a co-ordinated way. In this context a serious incident is one where the organisation’s ability to provide a service is or has been compromised, or where a major attempt (successful or not) has been made to obtain data criminally. Crucially, a serious incident need not involve actual failure of the IT system or actual loss of data; a serious attempt to achieve these things should be enough to trigger the response plan.
Firms should develop a Data Incident Response Plan. The Plan should identify and empower an individual within the firm with sufficient authority to take charge in the event of an incident. This person need not be an IT professional, but must be able to call on IT and security expertise immediately.
Firms should ensure that the Plan has up-to-date contact details of the personnel who will need to be involved in implementation of the Plan.
The Plan should identify who needs to be informed of the incident, both internally and externally. (See Notifications, below.) Urgent consideration should be given (and the Plan should draw attention) to notifying:
These notifications should normally be made within 48 hours, and in any event within whatever statutory deadline applies to the organisation.
It is also crucial to consider who in the organisation needs to be notified, at all levels, from front-line staff to directors. This should normally include:
The notification at this stage should set out the facts as far as they are known at the time: the nature of the breach, its extent, the impact on the firm and its customers, the potential financial loss, and so on. It should be clearly marked as preliminary and updated as the investigation establishes more.
The notifications to relevant authorities must identify the person who has taken primary responsibility for managing the incident and include their contact details.
Consideration must be given to whether and how affected customers should be notified at an early stage, and to the wording of that notification.
The Plan should be reviewed by someone competent on an annual basis, and again after any serious incident or test exercise has shown where it falls short.