The Institute of Risk Management (IRM)

2nd floor Sackville House 143 - 149 Fenchurch Street London, EC3M 6BN
+44 (0)20 7709 9808
http://www.theirm.org
About IRM

The Institute of Risk Management (IRM) is the world’s leading enterprise-wide risk education Institute. We are independent, well-respected advocates of the risk profession, owned by practising risk professionals. IRM passionately believes in the importance of risk management and that investment in education and continuing professional development leads to more effective risk management.

We provide qualifications, short courses and events at a range of levels from introductory to expert. IRM supports risk professionals by providing the skills and tools needed to put theory into practice in order to deal with the demands of a constantly changing, sophisticated and challenging business environment. We operate internationally, with members and students in over 90 countries, drawn from a variety of risk-related disciplines and a wide range of industries.

As a not-for-profit organisation, IRM reinvests any surplus from its activities in the development of international qualifications, membership, short courses and events.

Sharing the risk of Cyber threat


The leading cyber threats to UK businesses last year were ransomware attacks, data breaches, supply chain threats and fake news stories, according to the 2017/18 report from the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

The report also highlighted the increasing interconnectivity of the risks that businesses face and “the real-world harm that can result from cyber attacks, particularly when they are designed to self-replicate and spread”.

The report goes on: “It is clear that even if an organisation has excellent cyber security, there can be no guarantee that the same standards are applied by contractors and third party suppliers in the supply chain. Attackers will target the most vulnerable part of a supply chain to reach their intended victim”.

However, the authors have recommended a number of steps that businesses can take to reduce the risk of falling victim to an attack, either directly or indirectly.

Ransomware and distributed denial of service attacks

The risk of ransomware attacks is already high profile – for example, everyone will remember the WannaCry attack in May 2017, which reportedly infected 300,000 devices across 150 countries and had a massive impact on the NHS in the UK. However, ransom-based distributed denial of service attacks – where criminals threaten to overload web-based systems, disrupting legitimate business – are also an increasing risk. In late 2017, for example, a hacking group targeted financial institutions, hosting providers, online gaming services and software-as-a-service organisations across Europe, Asia and the US, demanding a ‘re-instatement of services’ payment in Bitcoin.

The NCSC recommendations to guard against such attacks include deploying critical security patches as soon as possible, using an always-on antivirus solution that scans new files, conducting regular vulnerability scans and actioning critical results, implementing application whitelisting technologies to prevent malware running on hosts, implementing a policy of least privilege for all devices and services and establishing configuration control and management.

Data breaches

The number and scale of data breaches continued to increase in 2017. Examples in the report include the personal information of 145 million US and almost 700,000 UK users of credit ratings agency Equifax being compromised, and Uber admitting that it had paid hackers US$100,000 to destroy the stolen, unencrypted data from 57 million accounts.

Analysis indicated a large number of incidents were caused by third party suppliers failing to secure data properly.

NCSC recommendations include the same guidance as for ransomware attacks, but also cover protecting endpoints by using up-to-date and supported operating systems and software, using firewalls and multi-factor authentication to protect sensitive information, preventing password reuse between systems and implementing a practical monitoring and alerting service.
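The ransomware guidance above and the call for a "practical monitoring and alerting service" are easier to picture with a concrete rule. The following is an added example, not code from the NCSC report or from IRM: a small detection rule that reads file-audit events and raises an alert when a single host renames many files to one new extension within a short window, a common sign of ransomware encrypting a file share. The log format, host names, paths and the `.locked` extension are all constructed for the example; a real deployment would feed it events from an actual file-server audit log.

```python
"""Toy monitoring rule: alert when one host renames an unusual number of
files to the same new extension within a short time window.

Added example with constructed sample data; not from the NCSC report.
"""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-audit events: "timestamp host user action details".
# RENAME details are "old_path -> new_path"; CREATE details are a path.
SAMPLE_EVENTS = """\
2017-05-12T10:00:01 WS-07 alice RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.locked
2017-05-12T10:00:02 WS-07 alice RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.locked
2017-05-12T10:00:02 WS-07 alice RENAME /share/finance/budget.docx -> /share/finance/budget.docx.locked
2017-05-12T10:00:03 WS-07 alice RENAME /share/hr/payroll.csv -> /share/hr/payroll.csv.locked
2017-05-12T10:00:04 WS-07 alice RENAME /share/hr/contracts.pdf -> /share/hr/contracts.pdf.locked
2017-05-12T10:00:05 WS-07 alice RENAME /share/hr/leave.xlsx -> /share/hr/leave.xlsx.locked
2017-05-12T10:00:07 WS-02 bob RENAME /share/it/inventory.xlsx -> /share/it/inventory-old.xlsx
2017-05-12T10:00:09 WS-02 bob CREATE /share/it/inventory.xlsx
2017-05-12T10:05:00 WS-02 bob RENAME /share/it/notes.txt -> /share/it/notes.bak
"""


def parse_events(text):
    """Parse the constructed audit format into dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, details = line.split(" ", 4)
        event = {
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "action": action,
        }
        if action == "RENAME":
            old_path, new_path = details.split(" -> ", 1)
            event["old_path"] = old_path
            event["new_path"] = new_path
        else:
            event["path"] = details
        events.append(event)
    return events


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=5):
    """Return one alert per (host, new extension) whose rename count within
    any sliding window of `window` seconds reaches `threshold`."""
    # Bucket rename timestamps by host and by the extension files acquired.
    buckets = defaultdict(list)
    for ev in events:
        if ev["action"] != "RENAME":
            continue
        ext = os.path.splitext(ev["new_path"])[1]
        buckets[(ev["host"], ext)].append(ev["ts"])

    alerts = []
    for (host, ext), times in buckets.items():
        times.sort()
        # Sliding window: find the densest run of renames within `window`.
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({"host": host, "extension": ext, "count": peak})
    return alerts


def run_detection(threshold=5):
    """Run the rule over the constructed sample and return the alerts."""
    return detect_mass_rename(parse_events(SAMPLE_EVENTS), threshold=threshold)


if __name__ == "__main__":
    for alert in run_detection():
        print(f"ALERT host={alert['host']} renamed {alert['count']} files "
              f"to '{alert['extension']}' within 60s")
```

Only WS-07 trips the rule here; bob's two ordinary renames on WS-02 go to different extensions, minutes apart, and stay below the threshold. The threshold and window are the tuning knobs a monitoring team would set from a baseline of normal activity, and an alert like this is exactly the kind of early signal the report's advice on prompt reporting depends on.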

Supply chain compromises

Supply chain attacks in 2017 included compromising a large number of managed service providers, enabling access to commercially sensitive data from them and their clients. At least two software companies had their products compromised at source, resulting in their customers being infected with malware when downloading software and updates.

The NCSC recommends that businesses work, where possible, with companies certified through the NCSC Cyber Essentials Scheme, or those that can demonstrate that they’ve followed the NCSC’s 10 Steps to Cyber Security, and follow the principle of ‘least privilege’, especially for external parties that may need remote access into their networks.

Fake news and information

The spreading of fake news on social media (for example by disgruntled employees or competitors) can not only damage a company’s reputation but can also affect share prices or sales.

While the NCSC/NCA report says that fake news is not, strictly speaking, a cyber threat, it is one of the many tools available to those wishing to cause harm. In May 2017, at least six Indian restaurants in the UK were reportedly targeted, with one seeing its revenue fall by half after a fake story was spread on social networking sites.

It can happen to anyone

Even when companies have put in place all the mitigations recommended in the report, the risk of an attack can never be ruled out, and early reporting remains essential to mitigating the impact should the worst happen.

Risk managers should make sure they and relevant colleagues know how to use the new 24/7 live cyber attack reporting service run by Action Fraud, the national fraud and cyber crime reporting centre for the UK. By encouraging companies to report attacks as they are in progress, the service aims to help law enforcement stop the attack if possible and secure evidence that will assist an investigation.

And if you think it couldn’t happen to you, take a look at the case studies in the report and consider whether your systems are more protected than some of the big-name and presumably tech-savvy companies affected – and also ask whether your suppliers and customers are as well prepared as you.

As Ciaran Martin, Chief Executive Officer, NCSC, puts it: “My hope is that by sharing our experiences of exposure to cyber incidents, we raise awareness across the board and, as a result, improve the nation’s cyber defences for good”.