Cyber Attack is not the Risk

Reports emerge on a regular basis of attacks that have impacted government and private sector organisations alike. Insurance firms now offer policies to protect against cyber-attack and the Australian Government has even appointed a special advisor to the Prime Minister on cyber security.  Not to mention that consulting companies with a speciality in all things cyber are generating revenues the likes of which have not been seen since the days of the Y2K crisis.

But there is a problem – cyber-attack is not a risk – it is a cause. In fact, it is not just the cause of one risk but two:

  • unauthorised release of confidential information; and
  • disruption to XYZ system for a period exceeding Maximum Acceptable Outage.

Don’t get me wrong, cyber-attack is a significant issue and I am certainly not downplaying the fact that it has cost business and government organisations alike millions upon millions of dollars.  The purpose of this blog, therefore, is not to try and convince people it is not an issue, but instead to highlight that it is but one of many ways that could lead to the above risks materialising.  In fact, with the emphasis placed so heavily on protection against cyber-attack, organisations may be leaving themselves vulnerable to other (more likely) ways that these risks can occur.

So, let’s start with the first of these risks and look at the ways that confidential information can be released to a party/ies that it shouldn’t be.  Some of them may be far-fetched – but I have included actual examples reported in the media to demonstrate that they can, and have, happened.

Unauthorised release of confidential information

Direct cyber-attack on the organisation from external players

Direct cyber-attack on third party storing organisation’s information

Unauthorised sharing of system access (log in) information with another party

Computer left unlocked when person away from desk

Access not removed when employee leaves organisation

Introduction of a virus through opening of email attachment, accessing suspicious website or inputting external storage device

Introduction of a virus through inputting external storage device

  • No examples but certainly a possibility, particularly in organisations that still allow use of USB/CD/DVD

Deliberate act by a person who has access to information to release electronically or in hard copy

Unencrypted data storage device with confidential information lost

Information printed by someone which is removed from the printer by someone without authority

Information taken from a person’s desk/work area while unattended

Information released (deliberately or inadvertently) by a service contractor’s personnel

Inadvertent publication of information on organisation’s website or by email

Transmission of confidential information via non-secure means that is sent to the wrong recipient/s (email/fax/mail)

Items lost/misplaced during change of office locations

Confidential information left in furniture/safes or on hard drives sent for sale/ disposal

Files (hard or electronic) lost or stolen while in the possession of a person  outside of the office

Theft through unauthorised entry into premises

Information not disposed of/ destroyed appropriately by rubbish removal contractor

  • No examples but certainly a possibility

Information not disposed of/ destroyed appropriately by member of staff (e.g. confidential information disposed of in standard waste bins)

It is critical, therefore, that we ensure that controls are in place and are effective for all the ways in which unauthorised release of information can occur, otherwise you are not managing the risk in its entirety but focussing on controls for only one of the possible ways it can occur.

The other factor to consider here is the ownership of the risk.  I have seen it predominantly being considered an IT risk, however, when we look at some of the causes across those scenarios and the ownership of the controls, it becomes obvious very quickly that this is a whole of organisation Enterprise level risk.

As I covered in my previous blog Risk Tip # 6 – Managing Shared Risks, the stakeholders involved in the prevention, detection and response to this risk sit right across the organisation as shown in the stakeholder map below:

If we move to the second risk, we can see that, once again cyber-attack is a cause – but it is not the only cause:

Disruption to XYZ system for a period exceeding Maximum Acceptable Outage

Direct cyber-attack on the organisation from external players

Cyber attack: NHS paralysed by hackers using NSA tool – The Guardian Australia

Direct cyber-attack on 3rd party managing system

How Census fail 2016 unfolded – Computerworld

Hardware failure

Software failure

Deliberate or inadvertent act by an individual inside the organisation

Deliberate or inadvertent act by a person at a third party provider

Capacity of the system exceeded

Access not removed when employee leaves organisation

New system implemented with inherent flaws

Power Surge

Once again, this is not only an IT risk, it involves multiple stakeholders, each managing controls that need to be effective in order to manage the risk as a whole.

In summary, you may have the best cyber-security in the world, however, without ensuring the effectiveness of controls associated with all of the ways there can be an unauthorised release of information or a disruption to service, organisations may be leaving themselves exposed whilst at the same time thinking they have the risk ‘in hand’.

Just remember – arguably the biggest leaks in history – Wikileaks, Edward Snowden and the Panama Papers, all of which had global consequences, were not caused by a cyber-attack.

SUBSCRIBE TO OUR NEWSLETTER
Unleash your inner risk gladiator! Join our mailing list for all the latest news, tips, and special offers.
FREE RISK MANAGEMENT E-BOOK
This free E-book dives into risk management, exploring the issues and concepts involved in effectively managing risks in an accessible and comprehensive manner applicable to organisations of all shapes and sizes.
{Download-submit}