A IS FOR Assurance
Can you rest in the knowledge that your organisation is safe from cyber attacks? The continuous development of new ways to connect and share information increases the chance of a cyber security threat, and cyber incidents are unpredictable and unforgiving. Protecting your intellectual property, your customers’ data and other business-critical information is therefore pivotal to your growth, innovation and reputation. Robust assurance includes assessing how effective your current systems are, identifying key cyber risks, reviewing third-party risk management arrangements, complying with industry, regulatory and legal standards, and creating ongoing programmes to preserve and enhance your privacy and cyber security systems.
B IS FOR BYOD
Bring your own device (BYOD) is a growing trend in which employees use their own smartphones, tablets and laptops to access business servers and data. “Employees want to use the devices they are comfortable with,” says Mark Coates, EMEA AP at Dtex Systems. “By giving them what they want, companies will ultimately benefit.” The flexibility, IT cost savings and convenience of this strategy do, however, have to be weighed against the cyber security risk of connecting unsecured devices to a company’s system.
C IS FOR Cyber attacks
The number of cyber attacks causing losses in excess of $1m has increased by 63% during the past three years (1).
Cybersecurity Ventures (2) estimates the annual global cost of cyber attacks will hit $6 trillion by 2021, with companies set to spend in excess of $1 trillion on cyber security. According to the National Audit Office (3), 80% of all cyber attacks could potentially be avoided by exercising good cyber hygiene.
References
1. Global cyber-incidents soar by 63% in the last three years, Linklaters, January 2019
2. Cybercrime Damages $6 Trillion By 2021, Cybersecurity Ventures, 2018
3. The UK cyber security strategy: Landscape review, National Audit Office, 2013
D IS FOR the Dark web
The dark web is the part of the internet not visible to ordinary search engines; accessing it requires an anonymising browser. Despite many legitimate uses, it is overwhelmingly used for criminal activity: credit card numbers, counterfeit money, stolen subscription credentials and hacking kits are all bought and sold there.
E IS FOR Employees
Businesses have ploughed billions of dollars into technology and software that promises to keep cyber threats at bay. Total global spend on antivirus software, for instance, will reach $3.77bn in 2019, according to market research group ARC (1). Companies might have sophisticated cyber security software, but that won’t prevent the human error that’s behind many cyber breaches. After all, it’s the human workforce that responds to phishing emails and installs unauthorised software. Instead of relying too heavily on software to fight digital threats, ramp up investment in digital risk skills for employees.
References
1. Global Antivirus Software Market Growth (Status and Outlook) 2019-2024, Analytical Research Cognizance (ARC), February 2019
F IS FOR Fake boss fraud
A 2018 UK report by Get Safe Online and Lloyds Bank (1) showed that 454,960 businesses had been hit by ‘fake boss’ scams, with SMEs losing an average of £27,000 when targeted. Using personal data to impersonate managers or business contacts, fraudsters contact staff asking them to transfer money. “The email will be carefully crafted. It may contain reference to some personal information – often gained from social media – to make it look genuine,” says Mark Taylor, technical manager at the ICAEW’s IT Faculty. Some 53% of report respondents said they had experienced scammers posing as their CEO, with 8% having fallen victim to impersonation fraud. Data from Lloyds Bank reveals a 58% rise in reported impersonation frauds in 2018.
References
1. ‘Fake boss’ scams highlighted in Fraudstars awareness campaign, Get Safe Online and Lloyds Bank, 2018
G IS FOR Grant Thornton’s cyber security services
We have identified that business rather than technology issues are exposing companies to risk. We work with organisations across the globe to identify their cyber security needs and plan a response to the threats. We efficiently assess risk and help our clients manage it by improving culture, technologies and processes across the enterprise. In the event of a security incident, we can provide a rapid, practical response to get organisations operating securely again as fast as possible.
H IS FOR Hacking
The term might be overused, but hacking – any unauthorised access to information, data or systems – remains a major threat. “People traditionally think of hackers with cyber tans, sitting in their bedrooms at two o'clock in the morning, trying to attack invisible organisations,” says James Arthur, partner at Grant Thornton LLP. “Now, hacking is often more sophisticated than just one individual trying to hack into one system.” Hacking has even developed into a highly organised industry.
“The sophistication allows criminals to mount cyber attacks against huge numbers of organisations at very low cost,” adds Mark Taylor, technical manager at the ICAEW’s IT Faculty.
I IS FOR Internet of Things
What’s more vulnerable than a device containing your personal data? A network of interconnected devices. Ian Kilpatrick, European vice president of cyber security at Nuvias Group, says the Internet of Things (IoT) is a growing concern: “Driven by the convenience and benefits that IoT can deliver, the technology is being increasingly deployed by many organisations, with minimal thought as to the cyber security risks and potential consequences.” Paul Lipman, CEO of BullGuard, says that the mundane nature of many devices prevents them being properly protected, leaving smart connected devices highly susceptible.
J IS FOR Jail terms
Among 2018’s cyber sentences (1) were:
10 months: Briton Gavin Prince, for a revenge cyber attack against his former employer
5 years each: Ukrainians Inna Yatsenko and Gayk Grishkyan, for multiple attacks and extortion, including of a dating site
9 years: American Travon Williams, for leading a gang making fake credit cards from data bought on the dark web
12 years: Russian Vladimir Drinkman, for selling 160 million credit card numbers
32 years: Briton Matthew Falder, for online torture of victims via the dark web
References
1. Quarterly cybercrime digest: Sentencing, WeLiveSecurity, 2018
K IS FOR Hacking kits
Available cheaply on the dark web as well as through legal channels, hacking kits contain a variety of tools that a would-be hacker might use to gain access to your system. Including items such as anonymity tools, carding software, keyloggers, Wi-Fi Pineapples and malware, they are used to exploit weaknesses in your cyber security to gain access to confidential information. They can also be custom built to target particular software and databases, allowing the hacker to compromise your system or data, as well as potentially creating a back door so they can continue to exploit the company over the long term. On the dark web, hacking kits are often sold alongside user manuals that guide people on how to use them against victims.
L IS FOR Liability insurance
Designed to support your business if it experiences a data breach or is the subject of cyber attacks, liability insurance may include protection against cyber extortion, costs of investigating a breach and support to mitigate reputational damage. However, insurers often use different terms and inclusions and many claims end up being disputed.
M IS FOR Malware
Malware – malicious software – is designed to do damage.
“Cyber criminals create malware to exploit the vulnerability, to gain access to your systems, hold your data to ransom, or steal it. They may impersonate a well-known brand to deliver it via email, convincing you to click on a link or open an attachment,” says Paul Macpherson, head of security at Xero.
N IS FOR News
With cyber crime still on the rise, it’s no surprise that news headlines across the globe frequently feature major companies such as Marriott, Equifax and Facebook that have suffered a cyber attack. Failing to shore up your cyber defences can, at best, be costly and, at worst, threaten the very survival of a company. The direct financial hit a business takes doesn’t account for the long-term reputational damage and loss of trust it suffers when its systems are breached and the story makes local or even global news headlines.
O IS FOR Open doors
Open doors are parts of internet-facing infrastructure where personal information can be accessed by anyone who knows where to look.
Web pages and databases that contain personally identifiable information and that aren’t secured or encrypted can be a veritable goldmine for cyber criminals.
P IS FOR Privacy
Interestingly, two-thirds of businesses focus more effort on mitigating data privacy than on cyber security risks, according to Grant Thornton’s latest International Business Report (IBR) survey. And the majority (59%) are actively preparing for the next wave of privacy regulation. This comes as no surprise given the proliferation of data privacy regulation. But privacy is only possible if businesses ensure their security settings are up to date. Fraud prevention service Cifas advises companies to conduct regular software updates to patch infrastructure vulnerabilities that could be creating cyber security loopholes.
Q IS FOR Quick response
No organisation wants to fall victim to a successful cyber attack: working out the extent of the immediate damage, worrying about what’s still to come, wanting to act but knowing it’s probably too late. Good perimeter defences and effective controls are the foundation of good cyber security, but they are not fail-safe. You also need to think about how you will respond when there is an incident, and who can help you when it’s really needed.
R IS FOR Risk management
Cyber isn’t just a technical problem – it’s a risk that should be managed in a similar way to all other business risks. While it may not be possible to completely prevent risk, understanding how your organisation functions around technology, from hardware and data to people and business processes, will help identify particular areas of weakness. As with all internal and external risks, this is something boards need to do as part of their overall risk strategy, and not just assume their head of IT has it handled.
S IS FOR Supply chain risk
Even if you think your supply chain and systems are secure, cyber criminals might choose to attack you through third parties. In 2014, US retailer Target suffered a breach, carried out using network credentials stolen from an HVAC vendor, that compromised the data of more than 70 million customers, cost $18.5 million in settlements and led to the resignation of its CEO.
T IS FOR TTPs
Tactics, techniques and procedures (TTPs) are the “patterns of activities or methods associated with a specific threat actor or group of threat actors,” according to the Definitive Guide to Cyber Threat Intelligence. Penetration testing is designed to simulate the TTPs used by hackers in order to strengthen security postures and ensure greater resilience to cyber threats.
U IS FOR Updates
Also commonly referred to as patching, one of the key tenets of any cyber security arrangement is ensuring that you run software updates. The majority of cyber attacks make use of known software exploits for which updates are already available. For example, if all UK NHS Trusts had applied software updates when advised, most of the world would never have heard of WannaCry.
V IS FOR Vulnerabilities
Vulnerabilities exist in almost every computer environment, including in software, hardware and their human operators. Hackers are adept at identifying them with increasing ingenuity, across every manner of system. We are seeing double-digit increases in overall system vulnerabilities, across every variant of device.
W IS FOR WannaCry
On 12 May 2017, the WannaCry global ransomware attack hit, locking down more than 200,000 computers in over 100 countries. Although not a specific target, the NHS was the UK’s biggest victim. Some 19,000 patient appointments had to be cancelled, with five A&E departments turning patients away until 19 May, when the NCSC and the National Crime Agency managed to halt the attack. It used a known exploit that the majority of NHS bodies had applied a patch against. No ransom was paid, but the government put the cost of WannaCry to the NHS at £92 million.
X IS FOR XCyber
XCyber is a cyber security firm focused on the human side of cyber attacks. Formed by a team with more than 200 years of combined cyber experience and leadership in the British government, it has advised law enforcement, intelligence and security services across the globe on cyber security and defence. It produces intelligence-led, data-driven and evidence-based reporting to provide insights organisations can use. Its proprietary intelligence platform, Tsunami Buoy, is a key component in our covert imminent breach system (CIBS) subscription.
Y IS FOR Your future
Cyber security can be one of the greatest risks to a business anywhere in the world. This is due to the damage cyber attacks can cause to a company’s immediate business capability and its reputation. The extent of the damage may depend on the size of the breach, how quickly and effectively the company is perceived to have acted, the number of stakeholders affected and the company’s pre-existing reputation. Having all the protections and systems in place to prevent a breach and mitigate any fallout is crucial for the longevity of your company.
Z IS FOR Zero-day
A zero-day vulnerability refers to a cyber security hole in software that is unknown to its maker, or to antivirus companies. This means the vulnerability is also not yet publicly known, though it may already be known by cyber criminals who are quietly exploiting the flaw. Zero-day refers to the fact that developers have zero days to fix the problem once the vulnerability does become publicly known, at which point they have to work quickly to fix the issue and protect users.