Cyber Attack is not the Risk

Aug 14, 2017
by Rod Farrar

Reports continue to emerge on a regular basis of cyber-attacks that have impacted Government and private sector organisations alike. Insurance firms now offer policies to protect against cyber-attack and, at one point, the Australian Government even appointed a special advisor to the Prime Minister on cyber security. Not to mention that consulting companies with a specialty in all things cyber are generating revenues, the likes of which have not been seen since the days of Y2K.

But there is a problem: cyber-attack is not a risk, it is a cause. In fact, it is not just the cause of one risk but of two:

  • Unauthorised release of, amendment to, and/or use of, corporate and/or confidential information stored electronically; and
  • Loss of, and/or loss of access to, records stored electronically.

Don’t get me wrong, cyber-attack is a significant issue and I am certainly not downplaying the fact that it has cost business and government organisations alike millions upon millions of dollars.

The purpose of this rant, therefore, is not to try and convince people it is not an issue, but instead to highlight that it is but one of many ways that could lead to the above risks materialising. In fact, with the emphasis placed so heavily on protection against cyber-attack, organisations may be leaving themselves vulnerable to other (more likely) ways that these risks can occur.

So, let’s start with the first of these risks and look at the ways that confidential information can be released to a party (or parties) that it shouldn’t be. Think some of them are far-fetched? Well, I have included examples and headlines to demonstrate that they can, and have, happened.

Unauthorised release of confidential information

  • Direct cyber-attack on the organisation from external players
  • Direct cyber-attack on third party storing organisation’s information
  • Unauthorised sharing of system access (log in) information with another party
  • Computer left unlocked when person away from desk
  • Access not removed when employee leaves organisation
  • Introduction of a virus through opening of email attachment, accessing suspicious website or inputting external storage device
  • Introduction of a virus through inputting external storage device (no examples but certainly a possibility, particularly in organisations that still allow use of USB/CD/DVD)
  • Deliberate act by a person who has access to information to release it electronically or in hard copy
  • Unencrypted data storage device with confidential information lost
  • Information printed by someone which is removed from the printer by someone without authority
  • Information taken from a person’s desk/work area while unattended
  • Information released (deliberately or inadvertently) by a service contractor’s personnel
  • Inadvertent publication of information on organisation’s website or by email
  • Transmission of confidential information via non-secure means that is sent to the wrong recipient/s (email/fax/mail)
  • Items lost/misplaced during change of office locations
  • Confidential information left in furniture/safes or on hard drives sent for sale/disposal
  • Files (hard or electronic) lost or stolen while in the possession of a person outside of the office
  • Theft through unauthorised entry into premises
  • Information not disposed of/destroyed appropriately by rubbish removal contractor (no examples but certainly a possibility)
  • Information not disposed of/destroyed appropriately by member of staff (e.g. confidential information disposed of in standard waste bins)

It is critical, therefore, that we ensure that controls are in place and are effective for all the ways in which unauthorised release of information stored electronically can occur. If we don’t we are not managing the risk in its entirety. Instead, we are focussing on controls for only one of the possible ways the risk may materialise.

The other factor to consider here is the ownership of the risk. I have seen it predominantly being considered an IT risk; however, when we look at some of the causes across those scenarios and the ownership of the controls, it becomes obvious very quickly that this is a whole-of-organisation, enterprise-level risk.
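The two points above (manage every cause of the risk, and recognise that control ownership is spread across the organisation) can be checked mechanically once a risk register records causes, controls and control owners. The following is an added example, not code from the article or its author: it models the first risk with a handful of the causes listed above, and reports which causes have no effective control and which business units own the controls. The control names, their effectiveness ratings and the owning units are constructed assumptions for illustration.

```python
"""Cause-to-control coverage check for a single enterprise risk.

Added example (not from the article). The risk statement and causes are
taken from the article's first list; the controls, their effectiveness
ratings and the owning business units are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    owner: str        # business unit accountable for operating the control
    effective: bool   # result of the most recent control-effectiveness review


@dataclass
class Cause:
    description: str
    controls: list[Control] = field(default_factory=list)


@dataclass
class Risk:
    statement: str
    causes: list[Cause]

    def uncontrolled_causes(self) -> list[str]:
        """Causes with no control at all, or only controls rated ineffective."""
        return [
            c.description
            for c in self.causes
            if not any(k.effective for k in c.controls)
        ]

    def coverage(self) -> float:
        """Fraction of causes that have at least one effective control."""
        controlled = len(self.causes) - len(self.uncontrolled_causes())
        return controlled / len(self.causes)

    def control_owners(self) -> Counter:
        """How many controls each business unit owns. A spread across several
        units is the signal that the risk is enterprise-level, not IT-only."""
        return Counter(k.owner for c in self.causes for k in c.controls)

    def report(self) -> str:
        lines = [f"Risk: {self.statement}",
                 f"Causes with effective controls: {self.coverage():.0%}"]
        for desc in self.uncontrolled_causes():
            lines.append(f"  GAP: {desc}")
        for owner, n in self.control_owners().most_common():
            lines.append(f"  {owner}: {n} control(s)")
        return "\n".join(lines)


def build_release_risk() -> Risk:
    """Constructed register entry: a subset of the article's causes, with
    assumed controls and owners attached to each."""
    return Risk(
        statement="Unauthorised release of confidential information stored electronically",
        causes=[
            Cause("Direct cyber-attack on the organisation from external players",
                  [Control("Perimeter monitoring and patching", "IT", True)]),
            Cause("Computer left unlocked when person away from desk",
                  [Control("Automatic screen lock after 5 minutes", "IT", True),
                   Control("Clear desk and lock-screen briefing", "Security", True)]),
            Cause("Access not removed when employee leaves organisation",
                  [Control("HR leaver checklist triggers account removal", "HR", False)]),
            Cause("Information printed and removed from the printer by someone without authority",
                  []),   # no control recorded at all
            Cause("Confidential information sent to the wrong email recipient",
                  [Control("Outbound email data loss prevention", "IT", True)]),
            Cause("Information released by a service contractor's personnel",
                  [Control("Confidentiality clauses and contractor vetting", "Procurement", True)]),
            Cause("Confidential information disposed of in standard waste bins",
                  [Control("Locked secure-destruction bins", "Facilities", True)]),
        ],
    )


if __name__ == "__main__":
    print(build_release_risk().report())
```

Run stand-alone, the report flags the two causes that no effective control covers (the leaver process rated ineffective, and the unattended printer with nothing recorded) and lists five different control owners, which is the point of the article: the perimeter control owned by IT addresses one cause out of seven.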

As I covered in Risk Tip # 6 – Managing Shared Risks, the stakeholders involved in the prevention, detection and response to this risk sit right across the organisation as shown in the stakeholder map below:

If we move to the second risk, we can see that, once again, cyber-attack is a cause – but it is not the only cause:

Disruption to XYZ system for a period exceeding Maximum Acceptable Outage

  • Direct cyber-attack on the organisation from external players (example: “Cyber attack: NHS paralysed by hackers using NSA tool” – The Guardian Australia)
  • Direct cyber-attack on 3rd party managing system (example: “How Census fail 2016 unfolded” – Computerworld)
  • Hardware failure
  • Software failure
  • Deliberate or inadvertent act by an individual inside the organisation
  • Deliberate or inadvertent act by a person at a third party provider
  • Capacity of the system exceeded
  • Access not removed when employee leaves organisation
  • New system implemented with inherent flaws
  • Power surge

Once again, this is not only an IT risk, but also involves multiple stakeholders, each managing controls that need to be effective to manage the risk holistically.

In summary, you may have the best cyber-security in the world, however, without ensuring the effectiveness of controls associated with all the other ways there can be an unauthorised release of information or a disruption to service, organisations may be leaving themselves exposed whilst at the same time thinking they have the risk ‘in hand’.

Just remember, the biggest leaks in history, Wikileaks, Edward Snowden and the Panama Papers, all of which had global consequences, were not caused by a cyber-attack.

Written by Rod Farrar

Rod is an accomplished risk consultant with extensive experience in the delivery of professional consultancy services to government, corporate and not-for-profit sectors. Rod takes every opportunity available to ensure his risk management knowledge remains at the ‘cutting edge’ of the discipline. Rod’s Risk Management expertise is highly sought after as is the insight he provides in his risk management training and workshop facilitation. Rod was recognised by the Risk Management Institution of Australia as the 2016 Risk Consultant of the Year and one of the first five Certified Chief Risk Officers in Australasia.