November 2017 - Cybersecurity Risks

Rising concern over cybersecurity is being driven by high-profile data breaches and the growing realization that potential revenue losses from cyber risks can rival those of business interruptions and natural disasters. The scale of cyber incidents and resulting costs of such events continue to set new records.

Cyber risk is relatively new territory, and is evolving rapidly due to changes in both offensive and defensive technologies. Security measures are designed to protect networks, computers, software, and data from attack, damage, or unauthorized access. Human elements of cybersecurity include disaster recovery/business continuity planning, operational security, and end-user education.

The most common types of cyber attacks pose risk to data security and cause business interruption. These include:

Cyber attacks can involve more than just data security, and can be targeted at interfering with the computerized systems that control physical processes. This approach opens the possibility of cyber attacks causing physical damage, destruction of property, fires or explosions, deaths, injuries, loss of services, or other harms.

There is a particular concern about control systems that are connected to networks and could be accessed by unauthorized third parties. This includes a wide range of sensors, actuators, valves, switches, mechanical devices, and electronic controls, especially in industrial control systems. Many electronic systems now contain elements of connectivity for diagnostic read-outs, upgrading and programming uploads, data transmission, and signal processing. These are all targets for potential attacks.

The proliferation of devices that are connected to the Internet is often referred to as the “Internet of Things” (IoT). Estimates and forecasts of the number of Internet-connected devices vary, but the number certainly reaches into the tens of billions and will continue to climb. Cybersecurity issues have been raised about industrial process control systems, building heating and ventilation systems, webcams, drones, and numerous other systems. Following are examples of some cyber attacks being used to trigger physical damage:

Many cyber attacks occur because companies and organizations have been slow in implementing the critical security measures needed to protect themselves. In response, new government regulations are emerging that are forcing organizations to get up to speed. The regulations often feature penalties for those that don't comply.

For example, the nation's first state-mandated cybersecurity regulations regarding banking and financial services companies went into effect in New York state on March 1 of this year. The 23 NYCRR 500 regulation from New York State's Department of Financial Services (“Cybersecurity Requirements for Financial Services Companies”) will be enforced in phases over a period of two years.

The regulation requires companies to implement controls to ensure a strong cybersecurity program, including requirements for a program that is adequately funded and staffed, overseen by qualified management, and periodically reported on to the board or the most senior governing body of the organization. The regulation is not one-size-fits-all: it allows companies to develop a cybersecurity program based on their individual risk assessments (with most of the requirements tied to those risk assessments). Although many components of the new regulation are already considered best practice, many companies have not yet implemented these protective measures. At Risk Logic, we can help identify cyber risk. Please contact our main office if you have any questions.