Managing Cybersecurity Risk: Book 3
Ebook, 198 pages, 1 hour

About this ebook

Cybersecurity is the practice of protecting systems, networks and programs from digital attacks. These attacks are usually aimed at accessing, changing or destroying sensitive information, extorting money from users or interrupting normal business processes.

This new edition will provide valuable information on the cyber environment and threats that businesses may encounter. Such is the scale and variety of cyber threats, it is essential to recognise issues such as gaps in the workforce and the skills required to combat them. The guide also addresses the social and financial impacts of cyber breaches and the development of cyber protection for the future.

Offering understanding and advice, the book covers topics such as the following, all from key speakers and industry experts:

  • Training

  • Technology trends

  • New theories

  • Current approaches

  • Tactical risk management

  • Stories of human errors and their results

Managing Cybersecurity Risk is an essential read for all businesses, whether large or small.

With a Foreword by Don Randall, former head of Security and CISO, the Bank of England, contributors include Vijay Rathour, Grant Thornton and Digital Forensics Group, Nick Wilding, General Manager of Cyber Resilience at Axelos, IASME Consortium Ltd, CyberCare UK, DLA Piper, CYBERAWARE and more.

Language: English
Publisher: Legend Press
Release date: Jul 12, 2019
ISBN: 9781789550511

    Book preview

    Managing Cybersecurity Risk - Jonathan Reuvid

    resilience.

    INTRODUCTION

    As Don Randall asserts in his foreword, the fight against cyber crime is a never-ending battle against resourceful criminals targeting all data and communications security from national defence and counter-espionage through to corporate business and personal online activity. What is more, we are not winning. As the incidence of cyber incidents increases remorselessly the best we can do is to contain the level of successful breaches; to do that we need to be fully aware of the sophisticated software, ever-evolving and mutating, which attackers employ. We also need to keep ourselves informed of the fraudulent techniques that invaders use to exploit our ignorance and penetrate our defences.

    This third edition of Managing Cybersecurity Risk attempts to survey the battlefield, alert readers to the threats which they need to address, comment on their cultural implications and advise on managing the financial and social impacts of cyber incidents. Throughout the book there is a strong emphasis on training and achieving resilience.

    There is a combination of new contributors to this book with authors who have written for the title before and are updating and restating their analysis and advice. Among the former are Julian Richards of the University of Buckingham, whose opening chapter is a chilling account of the mega threats on the world stage, and Tim Ward of ThinkCyber, Steve Durbin of Information Security Forum and Chris Pinder of IASME Consortium who are each focused on aspects of human behaviour in terms of training and work culture.

    Previous contributors are led by Nick Wilding of AXELOS RESILIA, sponsors of the title, who writes on the key role of training as the driver of behaviour change. He is supported by Karla Reffold on the retention of cybersecurity staff within an organisation, while the DLA Piper team provide advice on balancing information security good practice with the data protection and employment requirements. One year after its UK adoption, Dan Hyde of Penningtons reports on the current status of GDPR and the DPA.

    Christopher Greany stresses the importance of securing companies from insider threats while Richard Knowlton reflects on the balance between cybersecurity risk and reward for small businesses. Nick Ioannou of Boolean Logical provides tutorials for us all on how to recognize and avoid the latest tricks and techniques that cyber criminals deploy to trap the unwary. The concluding chapter of the book is an authoritative dissertation on the social and financial impacts of cyber breaches provided by Vijay Rathour, leader of Grant Thornton’s Digital Forensics Group.

    I endorse fully Don Randall’s thanks to all authors and sponsors of this new edition of Managing Cybersecurity Risk for their contributions and add my appreciation to Don himself for his return to the title of which he was a founding father.

    Jonathan Reuvid

    Editor

    PART ONE

    THE SCALE OF CYBER THREATS – TRAINING IS KEY

    1

    THE THREAT FROM BIG STATES

    JULIAN RICHARDS, UNIVERSITY OF BUCKINGHAM

    We might imagine that cyber threats from big states like Russia and China are primarily the concern of state intelligence agencies such as GCHQ and MI5. This, however, is the wrong way to look at the situation. Due to increasingly blurry lines between activists, criminals and states, everyone now needs to think about the threat from the big state actors, from governments to businesses, large and small.

    In this chapter, I will begin by considering which state actors are the ones to worry about. We will consider their objectives in the cyber threat landscape; the complex array of actors involved; the effects their actions have on a range of organisations; and the key messages we should take away in conclusion.

    STATES POSING CYBER THREAT

    Taking a Western perspective on the situation, there is no doubt that Russia and China continue to pose a substantial and constantly evolving cyber threat to the interests of a number of states and their allies. Both of these states have a strong interest in developing their hostile cyber capabilities, for a range of strategic political and economic reasons. Both will increasingly seek to appear at the cutting-edge of cyber threat technology and capability, and will aim to be leading players in cyberspace. There is also mounting evidence that Russia in particular – or at least forces sympathetic to it – is engaged in comprehensive information warfare against the West and its citizens using industrialised cyber
