Do you know what cyber and cyber risk is? Do you know who is at risk? This guide will help you to understand cyber security and risk, so you can assess this within your own business or organisation. You’ll find the quick summary at the start to save you time and cut to the key points you need to know. The rest of this blog will give you the detail so you understand the importance, as well as help you gain the knowledge you need.
- Everyone is at risk, but some sectors more than others.
- There are many types of attacks and threats, not all of them are external.
- You cannot ignore cyber risk, you must at minimum assess it to make an informed decision on your next actions.
- Preparation and prevent is key to surviving and recovering from a cyber-attack.
- Risk;
- Loss of reputation
- Loss of ability to operate
- Financial penalties
- Failure to win new business and retain existing customers.
1 – What is Cyber?
The world continues to turn and swirl and “cyber” continues to be a hot topic.
The word cyber is put in front of other words without context or meaning for example; cyber security, cybercrime, cyber threat, cyber-attack and so on.
Cyber, the dictionary definition, denotes information technology (IT) devices and all tasks and actions completed. Including collecting, storing, processing, transmitting, accessing and linking data. Cyber by itself describes all actions we complete on our business and personal electronic devices.
Cyber Security definition, precautions taken to protect against crime that involved the internet, especially unauthorised access to computers systems and data connected to the internet.
What does it really mean, and what should you care about. Taking the “CYBER” out of the equation let’s take a step back.
Information Security definition; the design and implementation of protocols used to guard against unauthorised access to, modification of, or destruction of confidential data (in any format). This has a wider scope than just cyber-attacks & cyber security.
With so much information available, it can be difficult to know where to look and which solution is best for your business. At Net-Defence, we are striving to simplify cyber security, making it affordable, attainable and available to all.
We have developed a Cyber Security Assurance program. This provides the systems, policies, mechanisms, processes and certifications needed to provide certainty, confidence and trust that IT infrastructure is secure, reliable and protected!
The Core principles; prevent, detect and respond to potential and actual threats to your IT infrastructure.
2 – What is a Cyber Attack?
Malicious attempts to access your business or personal computers, mobile phones, gaming systems and any other device that is connected to the internet or Bluetooth-connected devices.
- Malware – file or code that infects a network to perform any action the attacker wants
- Ransomware – type of malware, locks your system preventing access to any systems or data.
- Phishing– social engineering attack to steal data e.g. log in credentials, financial information.
- Denial of Service (DoS)– attack to shutdown machine, network or website making it inaccessible.
- Credential Reuse– the attacker is able to obtain valid credentials for one system and then tries to use the same credentials to compromise other accounts/systems.
- SQL Injection Attack– used to gain unauthorised access to web application database by adding malicious code.
- Cross-Site Scripting (XSS)– injects malicious executable scripts into the code of a trusted application or website to steal data such as credentials and financial information.
- Session Hijacking and Man-in-the-Middle Attacks– an attacker is positioned between two communicating parties in order to intercept and/or alter data traveling between them.
- Credential Reuse– the attacker is able to obtain valid credentials for one system and then tries to use the same credentials to compromise other accounts/systems.
3 – Cyber Risk
Cyber risk is the chance of exposing business information and IT & communication systems to an unauthorised person or circumstances capable of causing loss or damage.
Business information; information that holds meaning, value or significance for your business.
Risk implies the likelihood or probability of an event occurring. Therefore, this is the risk-based probability of a bad event happening to your business information systems leading to the loss of confidentiality, integrity or availability of your system.
Risk can originate from anywhere including; an attack, 3rd party vendors/supplier with weak security or internally from a rogue employee, by accident or from failure to adopt security best practices.
We all manage risk this was in our everyday life, most likely subconsciously.
Protecting our homes, door locks and alarms to CCTV and 24/7 security. We decide what we need based on risk and how much we can live with so we can enjoy life without worry.
Protecting our children, we teach them from day one about safe behaviours, how to cross the road and so on. Again, we decide this based on risk factors.
Every organisation also operates with risk, some are more familiar than others such as health and safety and financial risk. Cyber and Information Security risk cannot be ignored, as protecting your business information and communication systems are critical to your ability to operate.
Assessing the risk:
The industry standard for assessing IT systems and applications is known globally as the CIA Triad. This is made up of 3 key concepts; Confidentiality, Integrity & Availability.
This is also part of Business Continuity Planning (BCP) and Disaster Recovery (DR) processes.
- Confidentiality (Access Control):
Confidentiality means ensuring that information is accessible only to those authorised to have access - Integrity (Accuracy):
Integrity means safeguarding the accuracy and completeness of the information. - Availability (Accessible):
Availability means ensuring that authorised users have access to information and associated systems when required.Risk can either be; accepted, mitigated or transferred.
4 – Probability & Who is at risk?
As I meet with customers, suppliers and peers this is a question that is becoming the most asked. “Who is at risk and why?”.
Within the information & cyber security sector, the world has moved on from the thought process of “if” an attack will happen to “when” it happens. So, what sector has the greatest target on its back?
Before I get in to more detail, you need to get a little in to the mindset of the cybercriminal. Who are they, why are they attacking and what is the aim of their attack?
- state-sponsored threat actors – these are often funded by hostile foreign governments
- hacktivists – their purpose is to further social or political objectives
- individual or teams of cybercriminals out for their own gain
- Financial gain
- Data theft
- Large scale service interruption
- Raise awareness of social and political issues
- Individual kudos
- Business or customers financial information
- Sensitive personal data
- Customers’ or staff email addresses and login credentials
- Customer databases and clients lists
- IT infrastructure
- IT services (e.g. the ability to accept online payments)
- Intellectual property (e.g. trade secrets or product designs)
We hope you have found this guide useful, it is part of a series which can be found on our website at www.net-defence.com.
Our team can be reached on 03300 0241666 or contact@net-defence.co.uk should you have questions or want to better understand what your business needs.
