The topics of cyber risk and cyber security have been around for a while, but wrapping our heads around them is something with which many of us public risk management professionals struggle. As chair of PRIMA’s External Affairs Committee, I can say that cyber risk and security are topics we have been discussing for more than a year and are still striving to define.
While the following may not provide answers to the bigger questions regarding cyber security, hopefully, it will help us to wrap our collective heads around the potential exposures. First, let’s look at some definitions.
- Cyber Risk – any risk of financial loss, disruption, or damage to the reputation of an organization from some sort of failure of its information technology system. (1)
- Cyber Security – protection of computers, networks, programs and data from unintended or unauthorized access, change, or destruction.
Next, what are some of the risks to our cyber security? Again, the list is evolving, but below are some of the more common exposures that may pose a threat.
- Loss of hardware through theft or accidental loss – think of this as the physical loss of any device with sensitive information, including laptops, tablets, cell phones, and hard drives.
- Misuse of data by employees or other insiders – could be anyone with access to data who might use or exploit private information for personal gain.
- Web application attacks – a category which may include defacing a website, additions of spam or a malicious code, theft of account and database information, and access to classified content.
- Phishing – any activity that attempts to gain sensitive information by posing as a legitimate site or sender. Phishing efforts may ask for specific information or may contain links to malicious software (which is often referred to as pharming).
- Distributed Denial of Service (DDoS) attacks – an activity where multiple systems, sometimes hundreds or thousands, target a website or system, causing a slowdown or complete shutdown of that website or system.
- Cyber extortion – any kind of attack where a ransom is demanded before the assault is disengaged.
- Point-of-sale (POS) attacks – an effort to gain credit card data through data skimming (installation of hardware on a point-of-sale terminal), malware (which exploits gaps in security while credit card data is being processed), and even the cloning of cards or their data.
- Payment card skimming – a form of POS attack in which a small device is installed on a credit card reader to scan and store data from the magnetic stripe.
- Viruses – programs that arrive from other infected computers, from data media (CD, DVD, etc.) or over a network, replicate themselves, and can infect other computers or devices in a network.
- Worms – programs which copy themselves across a network or from computer to computer without needing a host program.
Recognizing and identifying the various types of cyber risks that threaten the security of our entities is just the beginning of the process. From here, the risk management process of assessment, development and evaluation of a plan, implementation of risk management actions, and monitoring the results is crucial.