Managing Risk in the Digital Age
Contents
Threat of Attack
Cyber Crime
The Cost of Cyber Threat
Digital Vulnerability of Financial Systems
Reputational Risks in the Digital Age
Best Practice
Conclusion
Threat Of Attack

Advances in telecommunications and information technology have made a significant contribution to the development of the global economy and to the productivity of most industries. Digital technologies in the workplace have delivered numerous benefits, including cost efficiency, rapid information sharing, multi-tasking and improved personal performance. These compelling business advantages, coupled with falling hardware and software prices, led to the widespread adoption of IT across the business landscape. This has, however, made many organisations overly reliant on their digital infrastructures, which in turn has created new vulnerabilities and increased operational risks. Many companies are now susceptible to the threat of attack.

According to the UK's recent Cyber Security Research Institute (CSRI) survey of 200 IT executives, fewer than half of respondents stated that their systems had never been subject to an intrusion or a cyber attack in 2010. In 2011 the number had increased to 80 percent, with nearly two-thirds admitting they had found evidence of malware each month1.

As corporations and public bodies begin to understand the nature of these threats, there is general agreement that any plan to counter these challenges should be based on an understanding of the following issues:

Cyber security – the body of technologies, processes and practices designed to protect networks, computers, programmes and data from attack.
Digital data protection – activity to ensure that all electronic data is safe from unauthorised access.
Online durability of financial processes – an IT system's resistance to cyber attacks.
Sustainability of reputation in the digital environment – cyber attacks can damage corporate reputation, decrease business productivity and influence consumer confidence.

1 Financial Times – Electricity grid vulnerable to cyber attacks, April 19, 2011
Governments are acting unilaterally to address the issue, and also recognise that the global nature of the threat will require a combined international effort if it is to be addressed effectively.

In October 2010 the UK Government published the National Security Strategy, which placed attacks in cyber space among the top threats to Britain, together with international terrorism, military crises and natural hazards such as a flu pandemic2. As a response to this greater level of risk, the UK Government is preparing a National Cyber Security Programme (NCSP), planned to be implemented over the next four years. Costing £650m, the scheme is set to protect the UK's critical infrastructure, Government networks and services3.

While all business sectors are at risk from cyber crime or malicious attacks on their digital business infrastructure, certain industries remain more at risk than others. A study conducted by the UK Government in February 2011 suggests that so far the pharmaceutical, biotechnological, electronic, chemical and IT sectors have been affected the most4. The same study suggests that the British economy is losing £27bn a year from cyber crime, with £21bn lost by UK business5.

All indicators suggest that the rate of cyber crime will rise in the immediate future and that criminals will become more sophisticated in the methods they adopt. In this context, ignoring the threat or failing to understand the nature of the risk is no longer an option for any business or public entity.

2 The Daily Telegraph – Terrorism and cyber attacks: the risks that Britain faces, October 18, 2010
3 Evening Standard – Privatised utility companies exposed to cyber attacks, April 19, 2011
4 The Times – Cyber crime costing UK £27bn a year, February 18, 2011
5 Financial Times – Wake up to £17bn cyber crime, business told, February 17, 2011
Cyber Crime

"Cyber crime has become a widespread and profitable business, with hundreds of thousands of individuals involved", notes Eugene Kaspersky, the founder and CEO of Kaspersky Lab, who predicts that by 2020 cyber crime will divide into two types of activity. The first type will be focused on business, with commercial espionage, database theft and online smears intended to undermine corporate reputation. The second type will target areas of everyday life such as transport and telecommunication networks. Hacking into such systems, stealing information, making free use of them and removing or changing customers' activity data will be the main focus of the new generation of hackers6.

One of the most notorious pieces of malware to emerge in recent years is the Stuxnet worm, which attacked five industrial facilities in Iran over 10 months between June 2009 and April 2010. Stuxnet targets industrial control devices and is able to destroy physical property.

According to two separate reports published by the US Center of International and Strategic Studies (CISS) and the UK's Cyber Security Research Institute (CSRI), the equipment used to control critical national infrastructure (CNI) in the UK and USA is not advanced enough to deal with modern cyber threats. Lagging behind the IT world (some 10-15 years behind modern IT systems) and connected to the Internet, the CNI systems of both countries remain a very easy target.

Although the UK Government has already allocated another £650m to manage cyber issues as well as to improve CNI, one of the experts quoted in the CSRI report clarifies: "The pot of money that the Government has allocated to this is not big enough to protect its own critical infrastructure let alone research the national critical national infrastructure to find out what needs to be done." As regards Government security reviews, the UK was placed at the bottom, with the lowest level of cyber security checks7, while China and Japan received among the highest scores for technology security reviews8.

6 Kaspersky Lab – What will cyber crime look like in 2020? http://www.kaspersky.co.uk/news?id=207576285
7 Evening Standard – Privatised utility companies exposed to cyber attacks, April 19, 2011
8 Financial Times – Electricity grid vulnerable to cyber attacks, April 19, 2011
Fact: Only 47% of British people use passwords on their mobile devices

A botnet is another class of malware which can infect mobile and Internet-enabled devices. Mobile devices such as smartphones allow users to send and receive email, exchange files and access corporate information while on the move. Such devices have been a boost to personal productivity, but when this access to data beyond the safety of a corporate firewall is combined with users' unawareness of potential security risks, mobile devices become vulnerable to security breaches. Only 47 percent of UK mobile Internet users set a password on their devices to prevent unauthorised access in case they are stolen9.

As the adoption rate for smartphones grows, so does the interest from cyber criminals. According to a recent report by McAfee, the IT security group, the amount of malicious software in circulation designed specifically to target mobile devices rose by 46 percent in 201010. In early 2011, Kaspersky Lab reported that it had identified 154 different mobile malware families with 1,046 different strains and variants11. The growth of this type of threat and the inherent vulnerability of mobile devices mean that risk managers face serious problems of corporate data protection and cyber risk mitigation.

One of the most serious threats large companies are facing, particularly in the financial services sector, is cyber criminals illegally accessing client databases that contain financial details and personal information such as addresses, social security numbers and even medical data. All these data types are considered highly valuable on the black market. Some cyber thieves use malware to log every keystroke (keylogging), some capture screenshots when victims use banking websites, others download malicious code, or let hackers remotely access the desktop operating system while users are on online banking webpages or corporate payment applications. All of these approaches result in confidential information, such as passwords and PINs, being sent back to the criminal network. Armed with this information, the cyber criminal is then able to steal money or sensitive corporate data.

9 Kaspersky Lab – European Users Mobile Behaviour and Awareness of Mobile Threats http://www.kaspersky.co.uk/news?id=207576289
10 Financial Times – Threat of mobile cyber crime on the increase, February 8, 2011
11 Kaspersky Lab – Sensitive corporate information is increasingly at risk from mobile malware http://www.kaspersky.co.uk/news?id=207576290
The Cost Of Cyber Threat

Digital information is easy to store, to communicate and also to leak12. Intellectual property theft is the most costly cyber threat in the UK; it accounts for some £9.2bn of losses annually13. Cyber espionage and online data theft are a significant concern for risk managers. "Industrial cyber espionage is one of the biggest problems faced by many countries", says Melissa Hathaway, former US intelligence official and the leader of a digital security review set up by President Barack Obama14.

In December 2009 malware called Aurora infected dozens of large companies around the globe, including Google and Adobe. According to Google, the attack, which originated from China, allowed hackers to steal intellectual property such as the mail accounts of human rights activists.

Ray Barlow, who leads Arthur J. Gallagher's Cyber Risk Unit, believes that one of the critical risks facing the UK is a cyber attack against large utility companies; a Stuxnet-type virus, for example, could cripple the NHS, or cause a Fukushima-style meltdown in a nuclear reactor. "An electronic bomb is as effective as an explosive bomb and more readily deployable", notes Barlow.

"The recent PlayStation data theft is not just a nightmare for Sony, but also worrying news for the millions of people who use the network. Once again users will have their confidence shaken by a major company losing their personal information."
Ray Barlow, Gallagher London

12 The Economist – The leaky corporation, February 24, 2011 http://www.economist.com/node/18226961?story_id=18226961&fsrc=rss
13 The Wall Street Journal – Cyber crime Costs Mount in U.K., February 17, 2011 http://online.wsj.com/article/SB10001424052748703561604576150353058208060.html?mod=googlenews_wsj
14 Financial Times – Industrial espionage: Data out of the door, February 1, 2011
Digital Vulnerability Of Financial Systems

General Sir David Richards, head of the UK Armed Forces, observes: "The UK's trade is now so dominated by financial services that nowadays the Internet seems to be as vital as shipping routes were a century ago"15. Businesses rely heavily on the Internet when managing their payments and other financial activities. In the wholesale capital markets, the speed of trading, clearing and settlement depends on online systems. Small time delays, unnoticed by the human eye, can lead to huge losses for a company. For this reason, businesses operate automated or algorithmic trading within set parameters in order to react immediately to rapid changes within target markets.

Online transactions accounted for over 30 percent of all trades executed in crude oil in the fourth quarter of 2010, and a similar proportion of completed trades in energy and agricultural contracts such as corn16. While this level of automation brings speed of execution, it also means that companies can suffer from cyber attacks in which intrusion into the trading platform corrupts the algorithms and leads to incorrect orders being placed and further losses being generated.

15 The Times – UK vulnerable to cyber attack, warns defence chief, January 31, 2011
16 Commodities Now – Algos transform the ecology of commodity markets, March 7, 2011 http://www.commodities-now.com/reports/general/5296-algos-transform-the-ecology-of-commodity-markets.html

Case Study: London Stock Exchange (LSE)

At the beginning of 2011, the LSE faced a number of cyber-related problems. On February 25th, the LSE suffered from technical issues which caused trading to overrun by 43 seconds, with incorrectly displayed prices. This was related to "gateways" that connect investors to the main trading system, where the FIX Protocol failed to display correctly on broker screens17. As a result, all orders were put into an auction and trading resumed after a four-hour delay. According to Reuters, the LSE's trading volume on the day of the glitch was down 37 percent to £3.3bn at the close, while the daily total for all UK platforms was a third lower at £6bn. The event was also felt negatively on other platforms: Chi-X Europe's trading was down 20 percent at €1.6bn and Bats was down 21 percent on the daily average for the previous five days, at €600m at the close of normal trading. Only three days later, the LSE faced another problem: users of various web browsers were warned that the organisation's website contained malware18. The LSE explained the problem as being a third-party website advert. The advert contained a virus, which activated itself if stock exchange users clicked on it and followed the link.

These examples show that the unpredictable nature of the digital environment can be a threat not only to a particular business but also to the whole financial system. But as Ray Barlow notes, "The enemy is often within an organisation itself. One of the biggest concerns for Risk Managers is the threat of the disaffected employee, who has access to passwords and procedures, and is often able to by-pass rudimentary checks and balances."

17 The Times – Glitch halts LSE trading as Dubai woes trigger sell-off, November 27, 2009 http://business.timesonline.co.uk/tol/business/industry_sectors/banking_and_finance/article6934205.ece
18 City AM – Virus hits LSE website after trading glitch, February 28, 2011 http://www.cityam.com/news-and-analysis/virus-hits-lse-website-after-trading-glitch
Reputational Risks In The Digital Age

The digital age has brought not only technical risks to companies but has also created additional threats to business reputation. The popularity of social networks (Facebook has more than 500m users; Twitter more than 200m) and the simplicity of sharing information via wireless laptops and portable devices have become a risk factor for many companies. The uncontrollable and unpredictable nature of digital communications can significantly damage the image of an organisation and create unwarranted attention.

The example of BP's oil spill in the Gulf of Mexico in 2010 demonstrated how powerful online engagement can be. According to media analyst BrandsEye, in just one day the environmental disaster caused by BP was mentioned online 12,426 times in the English language alone19. "Interestingly, while the attack on BP is predominately being driven through Twitter, with 55 percent of all mentions originating from the social networking site, it is also taking place elsewhere on the web and has been a popular topic on thousands of blogs. This indicates that the issue is far bigger than the usual consumer complaints posted on Twitter", noted Greg Schneider, reputation analyst for BrandsEye. Additionally, a survey conducted by East Mailing Research (EMR) showed that negative publicity had a direct impact on BP's profits within the first three months, with the company's share price losing over half of its value between April and June 2010, dropping from 655.40p to 319.36p20.

19 Bizcommunity.com – BP fiasco lessons: surviving an online reputation crisis, July 7, 2010 http://www.biz-community.com/Article/196/18/49744.html
20 EMR – BP's reputation following the Deepwater Horizon oil spill, July 21 2010 http://www.emrrecruitment.co.uk/bp-s-reputation-following-the-deepwater-horizon-oil-spill-21-july-2010
Best Practice

Professional advice
Risk managers should consider professional advice at all stages of business planning and during a project's implementation. Support from experienced professionals and companies can significantly reduce the risk of cyber threats as well as help prepare adequate responses.

Protection
Companies should apply all necessary technological and legal measures to mitigate cyber risks. These can include the integration of an early warning system, better intelligence on what attacks could happen, more reliable protection with updated software, the ability to predict what potential threats could look like and the ability to clean up after an attack21. To avoid the consequences of cyber espionage, businesses should be equipped with patents and licences for all inventions and unique developments they possess. Additionally, Business Interruption cover and the use of shadow servers should be investigated.

Trusted computing
Leading commentator David Lacey predicts in his IT Security Blog that 2011 will be revolutionary for information security and risk management. The revolution is likely to last for the next ten years, with more security technologies emerging22. Lacey considers trusted computing technology as one of the top innovations providing low-cost hardware security. Trusted Performance Model chips (TPM chips) are now present in hundreds of millions of laptops and servers worldwide23. TPM chips are produced by The Trusted Computing Group (TCG), a not-for-profit industry standards organisation concentrating on developing, defining and promoting open standards for trusted computing24. Many laptops are being shipped with self-encrypting drives; however, not all customers seem to be aware of that. Lacey is convinced that trusted computing is going to revolutionise the way many people think about IT security25.

21 BBC – The world of cyber threats, February 16, 2011 http://www.bbc.co.uk/blogs/thereporters/maggieshiels/2011/02/the_next_uber_cyber_threat.html
22 Computerweekly.com – David Lacey's IT Security Blog – Security forecasts for 2011, January 2, 2011
23 Computerweekly.com – David Lacey's IT Security Blog – Hardware Security hits the road, August 25, 2010
24 The Trusted Computing Group (TCG), http://www.trustedcomputinggroup.org/about_tcg
25 Computerweekly.com – David Lacey's IT Security Blog – Let's ditch best practices, January 12, 2011
Conclusion

According to the report Managing Digital Risk issued by Lloyd's of London in 2010, risk managers should become far more involved in their company's IT governance and information security, by setting up working groups that should include all important stakeholders such as technology experts, legal representatives and business advisors. Multiple partnerships can ensure better security and a more tailored risk response26.

The consequences of cyber attacks can be disastrous to business: damaging reputation, decreasing business productivity and denting consumer confidence. Many current insurance policies should be reviewed, as most of them will not cover digital risk and focus only on tangible hazards such as fire or equipment damage. "It is always worth checking what types of digital risk covers are available on the market and keeping such protections up to date," advises Ray Barlow. "All organisations should develop their risk management strategies constantly, in response to emerging cyber threats – and in an increasingly volatile world, a secure IT infrastructure and appropriate risk management are the first lines of defence."

For further information, please contact [email protected]

26 Lloyd's 360 Risk Insight – Managing Digital Risk, Trends, issues and implications for business (2010) http://www.lloyds.com/News-and-Insight/360-Risk-Insight

Managing risk in the digital age – Arthur J. Gallagher International

The information set out in this article has been prepared for information purposes only by Arthur J. Gallagher (UK) Limited and has not been independently verified and does not purport to be comprehensive. The information is intended solely to convey general information about risks in a digital age. The content of the information is not intended to constitute, and should not be relied upon as, legal or professional advice. No representation or warranty, express or implied, is or will be made and no responsibility or liability is or will be accepted by Arthur J. Gallagher (UK) Limited or by any of its respective officers, employees or agents in relation to the accuracy, completeness or up to date nature of the information set out in this article. The information is not intended to replace any and all analyses and/or investigations that a third party might consider necessary in managing its risks. To the extent the information expresses an opinion, the reader acknowledges that any such opinion is an expression of Arthur J. Gallagher (UK) Limited only, and is not a statement of fact. The reader is advised to review the information in conjunction with an appropriate qualified person(s) before any use is made of the information.

Copyright © Arthur J. Gallagher (UK) Limited, 2011