MaltaToday previous editions

MaltaToday 4 June 2017

Issue link: https://maltatoday.uberflip.com/i/832512


maltatoday, SUNDAY, 4 JUNE 2017

Information Technology

Ongoing identification, assessment and treatment of cyber security risks in SMEs

DR KEITH CILIA DEBONO
MITA Consultant on Cyber Strategy

Cyber space has become an indispensable asset in today's business interactions, fostering competitive opportunities and leading to significant economic growth in the process. Organisations of all sizes have embraced the use of the Internet in their various business functions, a trend that is likely to grow further with the increased applicability of ICT concepts such as mobile, cloud computing and smart technology.

However, cyber space does not come without its risks. These may vary – they could include risks of financial loss, business disruptions or damage to the reputation of organisations from some form of failure in cyberspace, such as in ICT systems. Such failures could be a result of deliberate and unauthorised breaches of security to gain access to information for a variety of malicious intents; unintentional or accidental breaches of security which nonetheless constitute exposures that need to be addressed; and operational ICT risks due to poor systems integrity or other factors.

Unfortunately, cyber security attacks have increased in frequency and intensity, and affect virtually all industries and governments, for purposes that include, among others, easy financial gain. SMEs are no exception. Law enforcement has no easy task, given that cyberattacks may originate from other countries and that cyber attackers may, in many cases, be able to hide their tracks.

In a benchmark study on the cost of cybercrime among US companies in 2011, the Ponemon Institute estimated that 'the average time to resolve a cyberattack is 18 days with an average cost to participating organisations of US $ 415,748 over this 18 day period'. This means that the average time for an attacker to be discovered on the network and extricated is often more than 18 days. Worse still, in their Special Report: Cyber Risk Report 2017, FireEye and Marsh and McLennan (2016) report that 'companies in the European Union take three times longer than the global average to detect a cyber intrusion', the average in the latter cited as being that of 146 days!

According to Zurich Insurance Group's fourth annual global SME survey, the risks posed by cybercrime are a fast-growing concern for SMEs. It reports that 'In Europe, the potential harm to reputation as a consequence of a cyber-attack as the main worry has risen to third place, up from sixth in 2015. 16% of European SMEs identified this as a concern. Their leading concerns are theft of customer data and reputation damage (26% and 16% respectively) in line with the global trend. In addition, 17% of SMEs in Europe are also worried about business disruption that could result from a cyber-attack'.

On the other hand, in its Continental European Cyber Risk Survey: 2016 Report, Marsh contends that although continental European companies have increased their awareness and proactivity with respect to addressing cyber threats, there is still much work to be done in terms of 'awareness and ownership of cyber risk'.

Therefore, SMEs primarily need to take immediate action to secure their cyber space from attacks or continue to accept the risk of intrusion and theft of their precious cyber assets. Additionally, of equal importance is the need to realise that cyber risks cannot simply be relegated to the ICT function. Furthermore, strategic skills are equally necessary, especially in SMEs that cannot afford narrow specialisation of their resources. As can be surmised, in many cases there are risks pertaining to the control environment and to cultural and behavioural issues that need to be addressed, in addition to the technical aspects. Hence, an organisation's topmost management, along with the active engagement of all the internal stakeholders, needs to understand and manage cyber risk, do more to identify cyber loss scenarios, understand their impact upon the business and adopt the relevant measures accordingly.

Cyber insurance is definitely an important consideration for SMEs. However, it does not cover everything. Organisations hit by a cyber attack may incur costs such as those related to reputational damage, lower productivity due to lower staff morale and performance, loss of customers and stock devaluation due to lower consumer and investor confidence, and devaluation of intellectual property. The related cumulative costs of such factors may far exceed the insurable loss.

Hence there is a need for SMEs to implement a cyber risk management programme to address the impact of cyber related losses. Such a programme would, as one of its initial steps, entail a risk assessment exercise that involves an identification of all assets which an organisation deems as requiring protection in cyber space. The evaluation of the degree of protection required may be enabled by security classification based upon factors such as an asset's critical value to an organisation, related stakeholder experiences, related governing laws and regulations and other aspects of relevance to the firm's internal and external context.

A corresponding identification of threats and vulnerabilities to each of the identified assets needs to be carried out. Finally, the corresponding risks would need to be assessed, which, from a cyber security point of view, would include the expected impact – in terms of extent and severity – of an attack upon the asset involved as well as the likelihood for it to occur.

However, it also needs to be pointed out that risks cannot be fully identified if the organisation's business objectives and strategies are not clear, as ultimately risks are uncertainties that affect the attainment of such strategic direction. Hence the risk assessment exercise would need to be preceded by the establishment of the internal as well as the external context of the organisation as a means to define the scope of the whole programme and set the criteria against which the risks are assessed.

The risk assessment exercise is followed by a risk management process whereby the corresponding acceptable level of protection for each of the assessed risks is identified, selected and implemented. Such protection includes security countermeasures which do not just include technical ones such as antivirus and firewall installation and maintenance, patch and account management, but also business continuity plans, intrusion detection measures, employee security awareness as well as internal security policies, among others.

The Risk Management programme would also entail periodic review and fine tuning to ensure its effectiveness and sustainability on a long-term basis, within the context of an ever-changing cyber threat landscape. Furthermore, in today's competitive and dynamic business environment, organisations, including SMEs, need to adapt accordingly to survive and hence, corresponding developments within the organisations need to be reflected accordingly within the risk management framework to maintain effective cyber resilience.

Ultimately, even if, in an increasingly dynamic and complex cyber risk scenario, it is impossible to completely eradicate or plan for all possible forms of threats arising, cyber resilience is necessary and it needs to be led at a strategic management level. Hence SMEs too need to adopt a strategic and comprehensive cyber risk management stance, as the cost of doing nothing at all is very much likely to far outweigh the related effort and investment needed.

References:

ENISA ad hoc working group on risk assessment and risk management (2006), Risk Assessment and Risk Management Methods: Information Packages for SMEs, Deliverable 2, Final Version, Version 1.0, 30/3/2006

FireEye | Marsh and McLennan (2017), 2017 Cyber Threats: A Perfect storm about to hit Europe?, Special Report: Cyber Risk Report

Han, D. (2012), SME Cybersecurity and the Three Little Pigs, Feature, ISACA Journal, 6, 2012, www.isaca.org

Ivanovs, I. and Deruma, S. (2015), Revising Cybersecurity Skills for Organisations, ISACA Journal, 6, 2015, www.isaca.org

Marsh (2016), Continental European Cyber Risk Survey: 2016 Report, Marsh and McLennan Companies, October 2016

Ponemon Institute (2012), 2012 Cost of Cyber Crime Study: United States, October 2012

The Institute of Risk Management (2014), Cyber Risk Executive Summary

Zurich Insurance Group (2016), SME's cyber risk awareness is on the rise, News Release, Zurich, November 23, 2016
