eBook - ePub
Managing Cybersecurity Risk
How Directors and Corporate Officers Can Protect their Businesses
- 200 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Managing Cybersecurity Risk
How Directors and Corporate Officers Can Protect their Businesses
About this book
'Managing Cybersecurity Risk is a comprehensive and engrossing guide for organizations of any size' Infosecurity Magazine
Everything you need to know to protect from and react to a cyber attack
Cybersecurity risk is an increasingly key topic to all those engaged in business and commerce. Widely reported and increasing incidents of cyber invasion have contributed to the growing realisation that this is an area all businesses should understand, be prepared for and know how to react when attacks occur.
While larger corporates now pay close attention to defending themselves against cybersecurity infringement, small to medium businesses remain largely unaware of the scale and range of threats to their organisations.
The aim of Managing Cybersecurity Risk is to provide a better understanding of the extent and scale of the potential damage that breaches of cybersecurity could cause their businesses and to guide senior management in the selection of the appropriate IT strategies, tools, training and staffing necessary for prevention, protection and response.
Foreword by Baroness Pauline Neville-Jones, Chair of the Advisory Panel on Cyber Security and contributors include Don Randall, former Head of Security and CISO, the Bank of England, Ray Romero, Senior Assistant Director, Division of Information Technology at the Federal Reserve Board and Chris Gibson, Director of CERT-UK.
Frequently asked questions
Yes, you can cancel anytime from the Subscription tab in your account settings on the Perlego website. Your subscription will stay active until the end of your current billing period. Learn how to cancel your subscription.
No, books cannot be downloaded as external files, such as PDFs, for use outside of Perlego. However, you can download books within the Perlego app for offline reading on mobile or tablet. Learn more here.
Perlego offers two plans: Essential and Complete
- Essential is ideal for learners and professionals who enjoy exploring a wide range of subjects. Access the Essential Library with 800,000+ trusted titles and best-sellers across business, personal growth, and the humanities. Includes unlimited reading time and Standard Read Aloud voice.
- Complete: Perfect for advanced learners and researchers needing full, unrestricted access. Unlock 1.4M+ books across hundreds of subjects, including academic and specialized titles. The Complete Plan also includes advanced features like Premium Read Aloud and Research Assistant.
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weāve got you covered! Learn more here.
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Yes! You can use the Perlego app on both iOS or Android devices to read anytime, anywhere ā even offline. Perfect for commutes or when youāre on the go.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Please note we cannot support devices running on iOS 13 and Android 7 or earlier. Learn more about using the app.
Yes, you can access Managing Cybersecurity Risk by Jonathan Reuvid in PDF and/or ePUB format, as well as other popular books in Business & Business Strategy. We have over one million books available in our catalogue for you to explore.
Information
PART ONE
Cybersecurity ā No Longer an Option
1.1
INTRODUCTION TO CYBERSECURITY RISK
Ben Johnson, Sam Millar and Helen Vickers, DLA Piper UK
MACRO-ECONOMIC INDICATORS
Cyber crime is a broad term encompassing any crime committed by way of a computer or the internet. We acknowledge that cyber crime is an extremely complex subject; however, we aim to provide readers with an introduction to cybersecurity risk and to emerging best practice. Cyber crime is a constantly evolving threat. Recent analysis shows that cyber crime cost the UK more than Ā£1.5 billion in 2015.1 Reading about high profile cyber breaches in the news is becoming the norm. Recent examples of victims of high-profile attacks include Ashley Madison and TalkTalk. The effects of these breaches are clear ā a loss of customer data or disruption to service coupled with reputational damage. Often the reputational effects are the most damaging: months after the attack on TalkTalk, its stock market value was still almost Ā£1 billion less than on the day the attack was announced.2
As a result, cybersecurity is becoming a priority for many businesses. Some small businesses are going so far as to stock up on digital currencies to pay the ransoms of hackers in potential future cyber attacks.3 However, despite the disruption and huge cost a cyber attack can cause to a business, many businesses are not taking the issue seriously enough.
In a recent survey undertaken for the Government, 69% of businesses said that cybersecurity was a high priority for senior managers. However, only 51% of companies have taken recommended actions to identify cyber risk. Only 29% have formal written cybersecurity policies. Only 10% have a formal incident management plan. This lack of vigilance seems entirely out of step with the fact that 65% of businesses surveyed had detected a cybersecurity breach or attack in the last year.4 There are myriad statistics in a vast number of surveys relating to cybersecurity. Without listing them all, the pattern that emerges is that firms, on the whole, are not taking cybersecurity seriously enough.5
There is a schism between the reality of cybersecurity risk and the number of businesses engaging sufficiently seriously with the threat.
TYPES OF THREAT
There are manifest types of cyber-threats of which businesses should be wary. Some businesses are more at risk than others from certain types of threat.
FRAUD
The vast majority of cyber incidents fall into the category of fraudulent attacks. These include identity theft, attempts at extortion, and other crimes which specifically target individuals or employees.6 Fraudulent attacks often take the form of phishing emails containing ransomware which are sent to employees. A high-ranking employee or executive could receive an email saying that a significant amount of sensitive data has been stolen and will be released publicly on a certain date unless a large sum is paid. The deadline will rarely allow sufficient time for the investigation of such an incident.7 Cyber-attackers in these cases are most often motivated by money.
THEFT OF PAYMENT CARD DATA
As we all know, criminals will frequently target locations where they can obtain the most money quickly. Cyber-criminals are no different and arguably, theft of payment card data was the forerunner to what we know as cyber crime today. Criminal gangs are able to launch cyber attacks on businesses which accept or process card payments; for example, by hacking into till systems and leaving software capable of sitting undetected in a system whilst copying card details before that data is extracted to the criminal. Such data is then sold through web-sites to others who are capable of creating plastic cards which are then used to make expensive purchases in countries where PIN numbers are not required.
Card data compromise remains one of the largest areas of potential liability for any party in the payment chain and accordingly careful steps must be taken to guard against losses. We identify below some of the key issues arising in this area.
MERCHANT ACQUIRER OBLIGATIONS
Visa, MasterCard and other card schemes impose upon their merchant acquirer (payment processor) the obligation of ensuring payment card data security of merchants (entities accepting payment cards). The card schemes also administer, as part of their membership rules, methods of fining members who do not comply with data security obligations, and ensuring card issuers are compensated for losses arising from card data breaches.
Acquirers will then impose contractual obligations on merchants to ensure card data is kept securely and will require an indemnity for losses which result from a breach. It is important to understand the potential magnitude of such losses.
PCIDSS COMPLIANCE
Irrespective of whether a data compromise has occurred, the card schemes require members to ensure that they and merchants and third parties handling data on their behalf comply with the Payment Card Industry Data Security Standards (āPCIDSSā). This is a set of standardised obligations (often updated) regarding data security that a number of card schemes (Visa and MasterCard included) agree to enforce. Examples of obligations are: (i) installing appropriate firewalls; (ii) ensuring public access to systems is controlled; (iii) changing vendor passwords on software etc. This information can be accessed at www.pcidss.co.uk.
POTENTIAL LIABILITIES
As acquirers will pass liabilities arising from payment card data breaches to merchants, it is important to understand what these losses may be. These will equate to:
ā¢ Significant fines for failing to ensure a merchant is compliant with PCIDSS. It is worth noting that attaining PCIDSS compliance on any particular data does not provide a merchant with protection. Should a data compromise occur in respect of its card data, then there is real risk that a breach of PCIDSS is assumed.
ā¢ Card Schemes mandate immediate and urgent forensic investigation of events and the costs of that forensic investigation will be borne by the merchant. Obligations can include requiring a merchant to identify, contain and mitigate the incident, secure all card data and preserve all information/evidence concerning the event within 24 hours. It must document all actions and not reboot any systems. Card Schemes must be constantly updated. Remediation plans must be implemented in a matter of days.
ā¢ Card Schemes maintain a process which means they will manage the recovery of losses which Card Issuing banks have incurred as a result of the payment card data breach. These amount to fraud losses that cardholders suffer whilst criminals utilise their card numbers to make purchases.
ā¢ Other losses which card schemes enable recovery of are the additional costs which card issuers have suffered for:
ā¢ Reissuing potentially compromised cards; and
ā¢ Heightened monitoring of non-reissued cards.
Losses can run into millions of pounds and the consequences of an incident do not stop there. Given the significant impact card data loss might have on your business, it is imperative that steps are taken to comply with PCIDSS to ensure the security of systems and those with whom you contract to receive services. If in doubt engage with the rules and your payment processor, who will be able to guide you as needed.
TERMINATION
A retailer can easily find their merchant services agreement terminated due to breach of contract. The Card Schemes operate systems which can make obtaining another facility difficult when you have been terminated for breach of contract and accordingly, suffering a payment card data breach can spell the end of a business.
DISRUPTION
Disruptive cyber attacks are intended to severely disrupt a businessā operations. These can be instigated by certain agencies, governments, or even sophisticated terrorist groups, using the attacks as a way to make their presence felt.8 For example, the North Korean governmentās disruptive cyber attack on Sony Pictures in relation to the film The Dictator intended to express its distaste for the depiction of Kim Jong-Un. Such attacks are also undertaken by political groups; for example, part of the Anonymous āhacktivistā network took down the London Stock Exchangeās website for more than two hours as part of its campaign against the worldās banks and financial institutions.9 Disruptive attacks may also be undertaken for commercial gain.
SYST...
Table of contents
- Cover
- Title
- Copyright
- Contents List
- Foreword
- Contributors Notes
- Introduction
- Part One: Cybersecurity ā No Longer an Option
- Part Two: International Action in Cybersecurity
- Part Three: Preparation for your Business
- Part Four: Prevention
- Part Five: Protection and Response
- Appendix: Contributors contacts