Malicious hackers are a source of cyber risk, but so are employees, ex-employees, contractors, suppliers and even the general public. Understanding where cyber risks arise and who can be responsible for them is essential if they are to be managed effectively.
Cyber risk damage is frequently caused by a failure of process, or a failure of people to follow agreed process. Of course there are occasions where no process within an organisation can guard against risk: a disaffected senior IT manager; an unknown bug in commonly used software; a determined hacker backed by the resources of a foreign government.
Cyber risk management needs to involve managers across the whole organisation. But much of the time risks can be identified and mitigated by tightening up internal business processes. Sometimes these processes will be the responsibility of the IT department, for example the implementation and maintenance of adequate firewalls around an organisation's computer network. But often the risk management processes will be (or at least should be) the responsibility of another function, for example the way the marketing department contracts with outside agencies, or the rules people operate under when using social media at work.
Generally cyber risk management processes need to deal with three types of people:
These are people who donít work for your organisation and might be:
- Hackers who enjoy the challenge of breaking into your computer systems.
- Hacktivists who want to damage your organisation because they disagree with what it does.
- Criminals who are trying to steal information from you in order to sell it, or to threaten you in attempt to extract protection money.
- Unscrupulous competitors (of foreign governments) conducting industrial espionage.
Insiders are your employees, your colleagues, your managers...
These people work for your organisation. Most insiders cause damage through carelessness, or simple naivety, due to a lack of education about cyber risks. Perhaps they post information of value to your competitors on Linkedin. Maybe they lose their laptop, giving strangers access to confidential documents. Or they are fooled into sharing their username and password with an outsider. The trusting nature of many people is the biggest cyber threat that exists.
Of course some employees are simply malicious and want to damage their employer. Perhaps they think they are about to be sacked so they steal data that might help them get a job with a competitor. Or they plant a "logic bomb" in your network that will delete files or send out messages, because they have been made redundant.
Inside-outers are your contractors, your suppliers, your ex-employees...
These people don't work for your organisation, but they have some connection with it. For example, they might be the employee of a supplier with access to your networks. One of the biggest cyber crime incidents was the 2013 data breach at US retailer Target, where credit card details of over 100 million people were stolen when one of Target's suppliers fell for a "phishing scam".
They might also be ex-employees who still have access to some or all of your systems. This might be information on personal devices, or access to your organisation's social media accounts, because the password has not yet been changed. It might also be access to data held in the cloud or on third party websites like Dropbox.
So, it is not hard to see that with potential threats coming from so diverse a range of sources, we can't leave cyber risk management up to the IT department. Everyone has to take responsibility for being careful and vigilant.