Risk managers must lead charge against new wave of cyber crime

Key speaker Paul Dwyer, security GRC principal, Eircom Group, warned that the fight against cyber crime lacks coordination and called on risk managers, and in particular chief risk officers, to lead industry’s charge against the risk. The discussions held at Liverpool’s BT Convention Centre this week, follow the publication of a recent Cabinet Office report that says cyber crime costs the UK economy £27bn per year. Business shoulders the majority of the costs, it adds. “There is a new cyber threat type, that we call the advanced persistent threat, which uses combinations of sophisticated technologies and techniques to attack infrastructures. The combinations that are being used are such that traditional defences alone are no longer enough,” said Steve Daniels, head of cyber security and information assurance at the information intelligence experts Detica.hideThe old threats such as malware, pharming and phishing of data, viruses, data losses on physical media and traditional laptop theft have not gone away, continued Mr Daniels. And the old controls, such as anti virus, intrusion detection and data loss prevention technologies, are all still valid, he added. But what distinguishes the advanced persistent threat is both the combination of methods used and the creation of new malware that the last generation of detectors cannot pick up. “Today’s solution needs high speed probes to collate the network traffic, classic data analytics tools and people who know what they are looking for to identify that here is a new pattern. You need proven products to read this data at line speed, other products that can read the inferences and connections and then skilled individuals who can recognise the pattern,” he continued. Understanding of cyber crime and its evolution is growing, said Ben Rendle, a cyber expert at Detica. But people are not always fully aware of the threats or have a proper understanding of how it affects business. Detica has undertaken primary research with Ipsos MORI to gauge the level of awareness of the new cyber threat amongst CXOs at large public and private organisations. It showed that 60% of respondents recognised that if the cyber threat manifested itself in their organisation their competitiveness would be affected. But only 6% recognised that they did not have the right controls in place to meet this new risk. “This is concerning,” said Mr Daniels. “In other words 54% considered it is a new problem with new features and new significance but that old solutions would solve the issue.” The overall cost to the UK business from cyber crime is £21bn per year, according to the first joint government and industry report into the extent and cost of cyber crime across the UK. For the country as a whole the figure is £27bn. The report, launched late last month by the Office of Cyber Security & Information Assurance in the Cabinet Office and Detica, places the theft of Intellectual Property (IP) from business at £9.2bn per annum. Industrial espionage has the second highest impact on business at £7.6bn, followed by £2.2bn from extortion, £1.3bn from direct online theft and £1bn from the loss or theft of customer data. The hardest hit sectors are pharmaceuticals and biotech, electronics, IT and chemicals. The report recommends that the UK needs a more comprehensive picture of cyber crime in order to tackle this issue and that UK businesses interact closely with government to share data and raise awareness of threats to their security. Mr Dwyer of Ericom Group said at the forum that government’s and business’ attempt to combat cyber crime is not properly coordinated. “Government bodies, especially in the states, are taking care of government infrastructure but that is not critical national infrastructure from the point of view of taking money from a cash machine for example, they are saying that is a private matter,” he explained. In the absence of a fully coordinated approach Mr Dwyer called on risk managers to help solve the issue. It is far from simply an information technology issue and the real weakness in the chain is often people and processes, continued the cyber expert. As such an organisation’s attempt to combat cyber threat must come from the top down. It must be coordinated and the role of the risk manager or chief risk officer is crucial, he added. The first key element, he advised risk managers, is to profile your organisation and work out what are the cyber risks or threats pertinent to your operations. These will be very different depending on your sector. Then you need to perform a cyber threat, or risk, assessment and create a risk treatment round that, he added. He urged risk managers to use the tried and tested risk procedures and frameworks—there is no need to recreate the wheel. Whilst most organisations are able to handle most crises, such as flooding, many lack the ability to crisis manage a cyber attack, warned Mr Dwyer. By the time they notice that something is up their data is often corrupt or their website has been taken down, he said. “So it is about being able to detect things early, which is a combination of detective and preventative controls. You are going to have to have a cross functional forum to deal with this across the organisation.”

Risk managers must lead charge against new wave of cyber crime

Want to read this article?

Read Next

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Arch Insurance International names deputy CEO

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Arch Insurance International names deputy CEO

Want to read this article?

Read Next

Dubai floods put $8bn of aircraft at risk, estimates Russell Group

Parima heads to Manila for first of three conferences this year

Munich Re ‘more likely’ to exceed 2024 profit target after €2.1bn gain in Q1

Insurance Europe calls for EC to ‘get it right’ on Solvency II

Arch Insurance International names deputy CEO

Related Articles