The cyber threat picture is becoming more challenging, with attacks against both public and private sector organizations. Cyber threats are continually evolving, becoming more sophisticated and harder to both prevent and detect. Your organization has possibly experienced some type of cyber incident, whether it was a virus-infected computer, mail servers bombarded by phishing and spam email, or even some variant of malware or ransomware. The typical symptoms are IT technicians pacing up and down the company trying to contain the recent infestation, or instructions from your system administrators to update your antivirus and run a complete scan on your computer. With the severity and frequency of these threats increasing, the senior management of all companies needs to make cyber security, also referred to as information security, a top priority for their business survival.
First off, cyber security must be viewed by senior management as a business continuity issue and, by extension, a major risk management concern. Cybersecurity doesn’t just relate to the technical configuration of systems; it also promotes positive behavioral change within an organization, as it has the potential to secure the future of a business. In addition, if we take a look at the Top 10 issues that affect the survivability of any business, four of these issues are directly related to IT risk, because IT has become a core business function and enabler. This necessitates a proactive plan to address cyber and IT risk in all operations. Cyber security is a risk management issue, not an IT matter. As a result, cyber threat expertise isn’t a prerequisite for corporate board members, but corporate boards and senior management should have access to experts who can define how cyber affects their companies’ overall operations.
Cybercrime has become the primary motivation behind cyber-attacks in the Caribbean. Therefore, from a risk management perspective, do you know where your business stands in terms of its cybersecurity preparedness? Do you know the impact of a cyber-attack on your organization? Take, for example, an accounts receivable or point-of-sale system being offline due to a targeted attack. How much sales revenue will you lose or be unable to collect for each hour or day your systems are offline? Do you know if your organization might be leaving doors wide open for cyber criminals to come right in?
Now, if you are unsure of your company’s level of preparedness, your organization is likely in a higher risk area when it comes to potential cyber incidents. If your organization lacks formally documented policies and procedures regarding security, the level of risk and the potential for exploitation in the form of a cyber breach is very high. As a best practice, we recommend that cyber security be added as a key area of concern in all organizations, whether private or public sector. Special attention should be placed on identifying the areas of risk and the remediation that can be applied to minimize a potential breach.
The management of operational information security risks, that is, the ability of your organization to function unimpeded or with minimal disruption from a cyber incident, is possible. Information security risk awareness and mitigation contribute to a safer work environment and remove obstacles to operational functionality, but they necessitate a logical, step-by-step, easy-to-follow process that will enable the organization to continue its business. To achieve this level of preparedness, all organizations should carry out risk assessments of infrastructure and critical data, and develop mitigation or remediation plans. Finding your weak spots and fixing them before you have a meltdown is critical. Business reputations are difficult to build up and yet can so easily be tarnished, but a proactive approach, many times outside of the glare of your customers and the news media, makes the difference.
So, if we look at organizations that have been hit by the latest and most vicious viruses and malware attacks, it’s always the companies that conduct a risk assessment, remediate and train their staff that tend to experience minimal impact. The recent ‘meltdown’ of British Airways computers in May 2017 is evidence of the importance of a good risk assessment program. Whether you believe the cause of the outage was an ‘electrical surge’ or not, the impact on the airline was severe and costly. In this age of sophisticated surge protection options and other advances, this solution seems obvious and well within the airline’s financial reach. Was management aware of the risk? Was management aware of the potential impact? A comprehensive information systems risk analysis would certainly have highlighted these issues, the remediation necessary, the reputational loss, and the financial impact.
By Deon Olton
Mr. Deon Olton is a UWI graduate and Certified IT Security practitioner. He is a well-known expert in cyber security, having assisted multiple organizations to improve their security posture, written extensive articles for popular publications, written annual cyber security predictions for the region and appeared as a guest on TV and radio interviews. Mr. Olton’s experience in telecoms, ICT and Cyber Security has allowed him to perform multiple roles in IT Risk Assessment, Security Awareness Training and long-term strategic IT planning. With this depth of experience and passion, Mr. Olton has developed proactive plans to address the growing Cyber Security threats to the Caribbean region’s economies. As the Project Lead for the Caribbean’s first and only indigenous Cybersecurity public awareness Campaign, with a mission of “Keeping Caribbean Citizens Safe Online”, he is responsible for the online web portal, creating public service messages, and developing age-appropriate presentations for parents, schools and the elderly. Additionally, Mr. Olton has spearheaded community outreach projects to increase knowledge of cyber security within schools and communities all across the region.