Cyber risk: assess, plan, mitigate
Understanding cyber risk requires breaking down the various areas to know what needs to be protected, and then developing a comprehensive plan.
That was the overarching message from the presentation given by Alex Burnam, director, IT audit and security, Mazars, at the Cyber Expo in Dublin.
Burnam said that under the headings of people, process and technology, there is a specific approach to be taken to reduce the risk of becoming a cyber victim.
Risks can be reduced, said Burnam, by breaking down specific areas of exposure and looking at the controls in those areas, then understanding whatever is not covered and taking action.
IT managers generally know the risks, he said, but often an auditor can help to get the message across, if IT is not being heard.
Burnam also warned against complacency, which can creep in around disaster recovery and back-ups and give a false sense of security.
Disaster recovery plans are worthwhile, he said, but there is a risk in restoring from data that may itself have been compromised.
“You have to know that what is being restored is validated and can be protected.”
Burnam said that when organisations go to restore from a back-up, they often end up going farther back than the desired recovery point objective (RPO), so as to get beyond any risk of compromise to either the data or the applications. Consequently, they find themselves dealing with potential data loss over a longer period than planned.
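The two points above (restore only what has been validated, and expect the usable restore point to sit further back than the RPO once a compromise is in play) can be made concrete. The following is an added example, not code from the talk or from Mazars. It assumes a hypothetical HMAC key held only by the restore tooling, and a constructed scenario of nightly snapshots in which an intruder has also edited a file inside one of the stored backups after it was signed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Hypothetical verification key held by the restore tooling, not on the hosts
# being backed up, so an intruder on those hosts cannot re-sign a tampered manifest.
MANIFEST_KEY = b"example-key-not-for-production"


def digest_files(files):
    """Manifest of path -> SHA-256 of content, computed when a snapshot is taken."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def sign_manifest(manifest):
    """HMAC over the canonical manifest text so the manifest itself cannot be edited."""
    canonical = "\n".join(f"{p} {h}" for p, h in sorted(manifest.items())).encode()
    return hmac.new(MANIFEST_KEY, canonical, hashlib.sha256).hexdigest()


def make_snapshot(taken, files):
    manifest = digest_files(files)
    return {"taken": taken, "files": dict(files), "manifest": manifest,
            "signature": sign_manifest(manifest)}


def snapshot_is_valid(snapshot):
    """Re-hash the stored files and re-check the HMAC: a snapshot whose contents or
    manifest were altered after it was taken is not a safe thing to restore."""
    manifest = digest_files(snapshot["files"])
    if manifest != snapshot["manifest"]:
        return False
    return hmac.compare_digest(sign_manifest(manifest), snapshot["signature"])


def choose_restore_point(snapshots, compromise_time, detected_time, rpo):
    """Newest snapshot that is intact AND predates the earliest suspected compromise.
    Returns (snapshot or None, actual data-loss window, how far that exceeds the RPO)."""
    candidates = [s for s in snapshots
                  if s["taken"] < compromise_time and snapshot_is_valid(s)]
    if not candidates:
        return None, None, None
    best = max(candidates, key=lambda s: s["taken"])
    loss = detected_time - best["taken"]          # everything since that snapshot is lost
    return best, loss, max(timedelta(0), loss - rpo)


# Constructed scenario: nightly 02:00 snapshots, a 24-hour RPO, an intruder active from
# 3 March 14:30 who also edited a file inside the 3 March backup copy, discovered on 6 March.
BASE = datetime(2024, 3, 1, 2, 0)
SNAPSHOTS = [make_snapshot(BASE + timedelta(days=i),
                           {"db.sql": f"rows v{i}".encode(), "app.cfg": b"debug=false"})
             for i in range(6)]
SNAPSHOTS[2]["files"]["app.cfg"] = b"debug=true; run=/tmp/.x"   # tampered after signing
COMPROMISE = datetime(2024, 3, 3, 14, 30)
DETECTED = datetime(2024, 3, 6, 9, 0)
RPO = timedelta(hours=24)


def restore_plan():
    return choose_restore_point(SNAPSHOTS, COMPROMISE, DETECTED, RPO)


if __name__ == "__main__":
    best, loss, excess = restore_plan()
    print("restore from", best["taken"], "- data loss", loss, "- beyond RPO by", excess)
```

The most recent snapshot within the RPO is rejected because it post-dates the suspected compromise, and the last one before it is rejected because its contents no longer match the signed manifest, so the restore lands on 2 March and the real data-loss window is several days rather than the 24 hours the RPO promised.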
Monitoring is becoming ever more important too, said Burnam, as it is only by knowing what normal looks like that abnormal or malicious activity can be readily identified and mitigated.
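As an added illustration of that baseline-first approach (this is example code written for this page, not anything from the talk): learn what "normal" looks like per account from a window of logs already believed clean, then flag only the successful logins in a later window that fall outside it, plus failed-login bursts. The sshd log lines below are constructed, and the hour-range and /24 heuristics are deliberately simple stand-ins for whatever a real monitoring stack would model.

```python
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT(?P<hour>\d\d):\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sshd lines. The first block stands in for a week already reviewed and
# believed clean (the "normal"); the second is the window being monitored.
BASELINE_LOG = """\
2024-03-04T08:15:02 web1 sshd[4101]: Accepted password for alice from 10.0.1.21 port 50122 ssh2
2024-03-04T17:40:11 web1 sshd[4188]: Accepted password for alice from 10.0.1.21 port 50190 ssh2
2024-03-05T09:02:45 web1 sshd[4302]: Accepted password for alice from 10.0.1.22 port 50301 ssh2
2024-03-05T13:10:03 web1 sshd[4377]: Accepted password for bob from 10.0.2.5 port 41002 ssh2
2024-03-06T08:55:19 web1 sshd[4501]: Accepted password for alice from 10.0.1.21 port 50410 ssh2
2024-03-06T14:20:27 web1 sshd[4555]: Accepted password for bob from 10.0.2.5 port 41088 ssh2
2024-03-07T10:05:33 web1 sshd[4610]: Failed password for bob from 10.0.2.5 port 41120 ssh2
2024-03-07T10:05:40 web1 sshd[4610]: Accepted password for bob from 10.0.2.5 port 41120 ssh2
"""

REVIEW_LOG = """\
2024-03-11T09:12:08 web1 sshd[5101]: Accepted password for alice from 10.0.1.21 port 51002 ssh2
2024-03-11T13:30:00 web1 sshd[5200]: Accepted password for bob from 10.0.2.5 port 41200 ssh2
2024-03-11T13:31:01 web1 sshd[5222]: Failed password for invalid user admin from 198.51.100.4 port 33001 ssh2
2024-03-11T13:31:03 web1 sshd[5223]: Failed password for root from 198.51.100.4 port 33002 ssh2
2024-03-11T13:31:04 web1 sshd[5224]: Failed password for root from 198.51.100.4 port 33003 ssh2
2024-03-11T13:31:06 web1 sshd[5225]: Accepted password for root from 198.51.100.4 port 33004 ssh2
2024-03-12T03:12:08 web1 sshd[5340]: Accepted password for alice from 203.0.113.9 port 60211 ssh2
"""


def parse(log_text):
    """Turn raw sshd lines into events; lines that do not match the pattern are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "hour": int(m["hour"]), "result": m["result"],
                           "user": m["user"], "ip": m["ip"], "net": m["ip"].rsplit(".", 1)[0]})
    return events


def build_baseline(events):
    """Per account: hours of day and /24 source networks seen for successful logins."""
    baseline = defaultdict(lambda: {"hours": set(), "nets": set()})
    for e in events:
        if e["result"] == "Accepted":
            baseline[e["user"]]["hours"].add(e["hour"])
            baseline[e["user"]]["nets"].add(e["net"])
    return dict(baseline)


def detect(events, baseline, fail_threshold=3):
    """Flag successful logins that deviate from the baseline, plus failed-login bursts."""
    findings = []
    failed = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            failed[e["ip"]] += 1
            continue
        known = baseline.get(e["user"])
        if known is None:
            findings.append((e["ts"], e["user"], "account never seen logging in during baseline"))
            continue
        if not (min(known["hours"]) <= e["hour"] <= max(known["hours"])):
            findings.append((e["ts"], e["user"], "login outside the account's usual hours"))
        if e["net"] not in known["nets"]:
            findings.append((e["ts"], e["user"], "login from a source network not seen before"))
    for src, n in failed.items():
        if n >= fail_threshold:
            findings.append(("-", src, f"{n} failed logins from one source"))
    return findings


def review():
    return detect(parse(REVIEW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for ts, who, why in review():
        print(ts, who, why)
```

Note what the baseline buys: the 09:12 login for alice and the 13:30 login for bob produce nothing, because they match what those accounts normally do, while the 03:12 login from an outside address, the root login that has no history at all, and the burst of failures that preceded it are all surfaced without any signature for the specific attack.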
User awareness is key still, he said, for today and tomorrow’s threats.
Irrespective of the technological measures being taken, Burnam said, “If you are not training your staff, you are still exposed.”
Looking at one sector in particular, but with commonalities for many organisations, Marc Lowry, associate director, business development, Smith and Williamson, highlighted that even businesses that are clear targets are not doing enough to protect themselves.
Citing results from an annual survey of Irish law firms, he said that 61% reported attacks in the last 12 months, up from 38% previously, though underreporting is still suspected.
The information law firms hold on clients and cases makes them an attractive target for cybercriminals.
The annual survey of law firms in Ireland has found that technology is a significant driver of change, said Lowry. Specifically, technology is seen as a driver of efficiency, a means of attracting and retaining the best talent and a higher priority for the business among the top 20 firms in the country.
Cyber risks are listed by many as a top concern, said Lowry, but many are “doing nothing about it”.
A significant proportion of those polled said they have no plan for cyber incident response: 20% overall, rising to 33% outside Dublin. This is despite the reputational risk of an incident being of particular concern, and particular impact, for law firms, said Lowry.
However, according to Lowry, “senior partners are now aware” of the issues.
The majority (64%) of breaches were caused by malware, topping phishing, but this may be an awareness issue, Lowry added.
Lowry put forward an interesting question regarding a ransom attack. Is a ransom a legitimate business expense? It could be argued so, he said, but finished with “Our advice: get advice!”