CHAPTER 5

The Cyber Risk

Many people in the IT industry and management consultants have often commented on the poor management of the cyber risk as compared with other risks in business. A survey by Bay Dynamics presented at an RSA conference in San Francisco set out a number of factors.

  • Experts present the information to managers in cyberspeak and nobody likes to admit to not understanding.
  • Experts fail to give quantitative information, so it is not possible to make rational judgments balancing the risk with the cost of reducing it.
  • Experts offer solutions that are not affordable or practical.

Does any of this sound familiar? I hope the following chapters will help.

Please note that, because I have included data protection, many of the issues are relevant to the management of data held on paper as well as in electronic systems.

Are These Myths About Data Protection Putting Your Business at Risk?

Whenever I speak to people about risk management these days, data protection is always one of the risks I mention, and I am increasingly concerned at the number of times one or more of five popular myths pop up. These are leading a lot of otherwise good managers to fail to take some of the necessary steps to managing this risk so as to keep their businesses safe.

Myth Number 1: It Is an IT Matter

This is usually followed by an invitation to speak to their IT manager, whether within their business or an outside contractor. Here are five reasons why it is wrong:

  1. The human element. It is important to have the right software to protect your data from hackers, viruses, and malware, but the UK Information Commissioner’s Office has reported that more than 60 percent of the incidents reported to them do not involve any IT failure. Most breaches are caused by human error, except for those where error would be the wrong word, as deliberate wrongdoing was a significant element in many cases. This means it is a matter for your HR manager, rather than your IT manager.
  2. What IT? It is also important to recognize that most businesses hold or process data on lots of devices other than the traditional mainframe, desktop, or laptop computers. The range of items such as tablets, mobile phones, storage devices, and planners is growing in number and variety. Most are outside the control of the head of IT in the business.
  3. How is data processed? Apart from the obvious data processing activities that take place in the course of business, a lot of data is passed around in various ways, intentionally or inadvertently, every day. Some will be communicated verbally, either face to face or by phone. Some will be on paper. The paperless office is not as common as we like to think, if we include everything coming off the printer and the handwritten notes we all use.
  4. Tweet tweet! You may have noticed how often celebrities get into trouble through unwise comments on the social media. We less famous people also need to be careful. We may use such media in the course of our work, but we need to take into account the times we blog or tweet about our work, or just about our day, and find ourselves passing on information or comment that could get us into trouble.
  5. Where does the buck stop? In the United Kingdom and European Union Law, and in most other countries, the responsibility for data security rests with the business owner or whoever is in overall charge of the business. That person may have sanctions against employees or others, but the buck stops at the top. The task may be delegated, but the responsibility cannot be.

Myth Number 2: It Is Outsourced!

Nowadays, many businesses outsource a variety of services. IT is one of the most popular, but others include HR, payroll, accounting, maintenance, and even office management. There are many good reasons for doing this, but beware of assuming that this removes all your worries. Here are four of them:

  • The law. Although you can outsource many functions, you cannot get away from your legal responsibilities, as mentioned earlier.
  • Your image. It is likely to be your reputation that gets damaged if it turns out that a contractor has failed to keep your clients’ or employees’ data safe.
  • The cloud of uncertainty. When someone tells you that your data is safe because it is “in the Cloud,” you should ask what that means. It will be on someone’s computer somewhere. How secure is that? Does your contractor know?

Myth Number 3: It Is the Company’s Problem

Many people at all levels believe that any fines and penalties will be incurred by their employer, regardless of who has caused the data breach, or how. Here are three reasons why it is not:

  • The law. Individuals at all levels can be prosecuted and fined or even gaoled if it can be established that they had knowingly disregarded policies and procedures put in place by their employers to protect data. Even former employees are not exempt.
  • Survival. If your employer suffers a financial loss or a loss of business due to a data breach, the profitability or even viability of the business could be at risk. How safe would your job be?
  • Your CV. Your career could suffer if your present or potential future employers believed their data was not safe with you.

Myth Number 4: It Is a Box-Ticking Exercise

There are many things we are all required to do to comply with all kinds of legislation, and in the United Kingdom, the Data Protection Acts certainly impose a lot of requirements on everyone. This is also true of the Health and Safety at Work Acts and many others. However, just as I hope you would not want to be the cause of someone’s injury or even death, I hope you would not want a lot of information about your employees or your clients to get into the wrong hands. Apart from the power of the authorities to prosecute you, there are three other good reasons to keep data safe:

  • Civil claims. Regardless of the Criminal Law, you could always be sued for negligence or breach of contract if clients believe they have suffered losses as a result of your failure to protect their data.
  • Your reputation. Potential clients and employees might not want to know you if they do not trust you with their data.
  • The consequences. You do not know what would be the consequences if your data got into the wrong hands. Who would they pass it on to?

Myth Number 5: It Is Only for Big Businesses

It is true that there are different legal requirements in most countries for different sizes and types of business, but there are two things the owners and managers of even the smallest of businesses need to remember:

  • The law. Any business, even a sole trader, can be prosecuted or sued for losing a client’s data.
  • Trust. Everything said previously about reputation applies to any business.

Whatever size or type of business you are in, you need to forget the myths and take a long hard look at the facts. Then think how you are going to protect your data. Before it is too late.

How Worried Should You Be About Data Breaches?

How Might a Data Breach Affect You?

  • Penalties (depending on the law in your country or state)
  • Disruption or loss of production
  • Loss of morale: suspicion
  • Investigation costs
  • Remediation
  • Staff turnover
  • Loss of sales and clients

How Much Would It Cost?

Some companies have found that a data breach costs on average:

  • Nearly 100 pounds per record compromised.
  • Over two million pounds per company.
  • Loss of business accounted for nearly half of the total.

How Can This Be Reduced?

The total cost per item can be reduced by nearly half by:

  • strong security,
  • a good incident response,
  • a business continuity program.

So, even in the event of a breach, your risk management measures can save you a lot of money.

What Are the Main Causes of Data Breaches?

It has been found that the single biggest cause is human error, followed by malicious or criminal activity. IT failures account for less than a quarter of data breaches.

How to Keep Out of Trouble for Data Protection Slip-Ups

Most people who get into trouble in the United Kingdom for breaches of the Data Protection Acts do not set out to do anything wrong. Usually, it is just because they did not think. I know, because I have had a few near misses in my time. I expect the same is true all over the world. Here are seven things for you to think about that will help you keep out of trouble. You might think I am only stating the obvious, and you could be right, but I can assure you that a lot of people would have got themselves into a lot less trouble if they had not overlooked the obvious. You will have to turn to someone more computer literate than me if you want advice on beating the hackers or dealing with other technical aspects of protecting data in IT systems.

  1. In your face, and on the phone. If you are like me, you will take a lot of care over everything you write, but get carried away when talking and give away more than you intended, especially when you are enthusiastic about your subject. You probably also let your voice get louder as the conversation goes on, without thinking about who else could be listening. This is even more likely when you are on the phone and it is not a good line. Top tip: be aware!
  2. You have got mail. Nowadays, most of us know to be careful what we put into our e-mails, and to consider whether the recipient is really entitled to the information we are sending. However, one thing that catches us out is the long chain of e-mails, replies, and replies to replies, which we sometimes create. It is easy to forget how much personal or other confidential data was in one of the earlier communications, and therefore to send that with all the rest when forwarding the latest missive to a different recipient. A similar trap awaits us when we cc or bcc a lot of people, especially when these are set up as standard contacts. We can forget that not all of them are entitled to see everything in the correspondence. Top tip: always check what you are sending and to whom, including all the attachments.
  3. Screen stars. When working on a computer, it is easy to forget that other people might be able to see the screen, either over your shoulder or when you are away from your desk. Top tip: minimize the screen, or close the application whenever there is a danger of its being seen by someone who has no right to the data on it. Alternatively, turn the screen round temporarily, so your visitor cannot see it.
  4. Thanks for the memory (stick). I expect you, or someone, will make sure your office is secure when nobody is in. However, a lot of data gets into the wrong hands because people do not take enough care over the security of portable items such as laptops, tablets, memory sticks, and mobile phones. These things can be stolen, or lost. People do leave them lying around. Sometimes we lend them and fail to get them back, and even if we do get them back, could the borrower have got at the data? Encryption is always a good idea. So is physical security. Top tip: remember not only the value of the equipment, but also of the data on it, then you will keep it safe.
  5. Cloud-cuckoo land? If you think data is safe because it is in the Cloud, ask yourself what that means. The data must be being held on a computer somewhere. Do you know where, or who has access to it, or how secure it really is? Top tip: do not be vague about the Cloud. Ask!
  6. What is in the paper? Even today, most of us still use a lot of paper: printouts, faxes, and notes, as well as heavier items such as reports. Nosey people can gather a lot of information by looking at things left on a remote printer, copier, or fax. Waste-paper bins can also be worth a look. Top tips: if you are expecting something confidential, stand by the fax or printer if it is not right by your desk, and ensure confidential waste is shredded not just binned.
  7. Cut it out! Even when you are providing someone with information they are entitled to, it is easy to find yourself including certain items they should not see. This is especially true if you are sending them a long document. Top tip: edit everything you send out and delete any names or addresses the recipient has no right to know.

Finally, do remember that, even if you are handling data that is not covered by legislation, such as details of a client’s costs or sales, it is safer to avoid giving it out unless your client has agreed. I hope you want to not only comply with the law, but also to look after your clients’ interests and your own.

Five Questions About the UK Government’s Cyber Essentials Initiative

What Is Cyber Essentials?

  • The Cyber Essentials Scheme was launched by the UK Government in June 2014 to make the United Kingdom a safer place to conduct business online.
  • It addresses your connection to the Internet via PCs, tablets, and smartphones.
  • The scheme is not just for private sector businesses. It also applies to the public sector, charities, and other not-for-profit organizations.

Why Should I Be Concerned? What if I Never Trade in the United Kingdom?

  • On October 01, 2014, it became compulsory to be Cyber Essentials Certified if you are to do business with any arm of Central Government and many local authorities and other bodies.
  • Businesses often do not know they have been hacked. Hackers work by stealth 24/7.
  • This means you need to protect your business: regardless of compliance, it is a good practice, even if you do not do business in the United Kingdom.

What Exactly Is Involved?

Cyber Essentials focuses on the following five key controls:

  1. Firewalls and Internet gateways,
  2. Secure configuration,
  3. Access control,
  4. Malware protection,
  5. Patch management.

How Do I Get Certified?

  • Cyber Essentials requires companies to complete a self-assessment questionnaire, signed-off by a senior company representative, and then verified by an external certification body.
  • Cyber Essentials Plus provides a more secure level of protection. This assessment involves more rigorous testing, including an internal assessment as well as an external scan, conducted onsite by an approved consultant.

What Are the Benefits?

  • It enables your business to gain a Cyber Essentials badge, which demonstrates that you have the necessary security controls in place to minimize cybercrime.
  • Also, your customers and clients will benefit knowing that their data is being managed responsibly.

For more, go to https://cyberessentials.org

Two Questions to Protect You From Data Breaches and Cyber Attacks

What Do You Do With Old Computers?

A lot of people do not think about this until they have to. When they do, they are more concerned about buying their new computer than about disposing of the old one. Some are kept lying around somewhere in the house or office for ages. Some are thrown in a skip or wheelie-bin. Some are taken to the tip. Many of them probably do not need to be taken out of use. They can be cleaned up and given a new lease of life at a reasonable cost. The thing that slows them down and makes them seem past it is the amount of unwanted and unused software and out-of-date data we all allow to build up on our computers. A good purge can work wonders. The thing to be concerned about is the security of your data. Hackers can usually recover data from discarded computers. Even ones you thought were not working. One option is to physically destroy the machine, for instance, by smashing it up with a hammer. Another way is to find a trustworthy expert to wipe the data and recycle the machine. I know one or two who are properly approved and licensed. They sell the newly secure and reconstituted computers. I was surprised to learn there is a market for them. That way your data is safe and you are contributing to the environment by recycling.

What Do You Do With Unwanted Software?

If you are like me, you will have got a lot of software on your computer you do not use, even some that you never have used. You probably do not know how it all came to be there. Sometimes, you download one thing and a few more slip onto your computer uninvited. Some of this might actually be harmful and needs removing, whilst a lot of it is innocent but a waste of valuable space. It slows down your computer. There is something even worse about it too. When you get a prompt to update it, you probably ignore it, as I used to do. What would be the point? Well, the software companies often include additional security features in their updates, to deal with threats they might not have known about previously. Leaving the old versions of software lying around can leave your computer open to attacks by viruses and other nasties. Either keep it up to date or better still get rid of it.

Cyberscammers Are Getting More Sophisticated

I am indebted to Computing Which magazine for information about a worrying new development.

The latest type of scammers do not send out blanket e-mails, impersonally addressed and appearing to come from a well-known organization that you do not actually deal with. I do not bank with Barclays and do not have an Apple computer, for instance. The new boys study you by secretly reading your e-mails and send you an e-mail addressed to you by name, appearing to come from a firm you actually do business with. They send you an invoice very similar to a genuine one, but with changed bank and contact details, asking for a payment when they know you were going to pay this firm for goods or services they had supplied. They may also write to the creditor, appearing to be you, asking for more time to pay, thus delaying any reminder you might get. The best defense is vigilance: contact your real creditor using contact details you already have, to ensure the invoice is correct.

I have also heard that the malware that will come onto your computer is likely to be ransomware. That means it will lock your computer until you pay for a password from the scammers. They probably will not have copied the full e-mail address of your real contact, just the name. Do look for the full address by hovering your cursor on the name, without actually opening it. Also, try phoning them or even sending an e-mail to their correct address: do not use the Reply facility.
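The two checks just described, looking past the display name to the full sender address and distrusting the Reply button, can be automated against a directory of suppliers you already deal with. This is an added example, not code from the chapter or from Which; the supplier directory, the domain names and the sample message are all constructed.

```python
"""Flag e-mail sender details that do not match a supplier you already know.

Added example: automates the chapter's advice to look at the full sender
address rather than the display name, and never to trust the Reply button.
The supplier directory, domains and sample message below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of suppliers you deal with: display name -> domain
# you already hold for them (the "contact details you already have").
KNOWN_SUPPLIERS = {
    "acme supplies": "acme-supplies.example",
}


def sender_warnings(raw_message: str) -> list[str]:
    """Return reasons this message's sender details look wrong (empty = none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    warnings = []

    # Compare the real address domain, not the friendly name, to the directory.
    from_domain = from_addr.rpartition("@")[2].lower()
    expected = KNOWN_SUPPLIERS.get(from_name.strip().lower())
    if expected is None:
        warnings.append(f"display name {from_name!r} is not a known supplier")
    elif from_domain != expected:
        warnings.append(
            f"address domain {from_domain!r} differs from known domain {expected!r}"
        )

    # A Reply-To that points somewhere else means "Reply" would not reach
    # the firm shown in From; the chapter's advice is not to use Reply at all.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        warnings.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")
    return warnings


# Constructed message in the style the chapter describes: the right supplier
# name and a convincing From, but replies would go to a lookalike domain.
SAMPLE = """From: Acme Supplies <accounts@acme-supplies.example>
Reply-To: accounts@acme-supp1ies.example
To: you@yourfirm.example
Subject: Updated invoice 4471 - new bank details

Please pay to the new account below.
"""

if __name__ == "__main__":
    for warning in sender_warnings(SAMPLE):
        print("WARNING:", warning)
```

A clean result from this check is not proof of a genuine invoice; changed bank details still need confirming by phone on the number you already hold.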

For more, go to www.which.co.uk/scamcampaign or www.which.co.helpdesk
