Chapter 8 - Cyber Security Threats Flashcards
Questions to ask about Cyber Risk:
- How are data and operating systems protected from unauthorised access and manipulation?
- How are breaches identified, analysed, remedied and reported?
What is cyber security?
- Practice of protecting systems, networks and programs from digital attacks
- Cyberattacks are aimed at: accessing, changing or destroying sensitive info, extorting money from users or interrupting normal business processes
Examples of sensitive info:
- Customers, suppliers and employee personal data
- Org’s own financial records
- Data stored within infrastructure and operating systems
- Medical data from employees, customers and other stakeholders
- Intellectual property which may be of value if it can be illegally accessed
- Operational data – locations of sensitive assets
Cybersecurity objectives:
- Availability
- Confidentiality
- Integrity of data
- Integrity of processing
- Establishing, maintaining and approving objectives
Cybersecurity objective - availability:
- Availability objectives = opening data up to those who have the right to access it
Cybersecurity objective - confidentiality:
- There are legal requirements to maintain confidentiality over data across many jurisdictions
- Confidentiality objectives = stopping data from being accessed by those who do not have the right to access it
Cybersecurity objective - Integrity of data:
- Objectives should ensure that data is kept secure and not lost or corrupted at all stages of life cycle
- Objectives to verify reliability of data used for decisions (source), its intelligibility (what it is saying) and accuracy (is it valid?)
Cybersecurity objective - Integrity of processing:
Objectives should ensure that:
- processing does not abuse or lose data
- processing encourages efficient usage
- data is only used for stated, legitimate purposes
Cybersecurity objective - establishing, maintaining and approving objectives:
- Orgs need to have a formal process for establishing, maintaining and approving cyber security objectives
- Objectives would need board approval – requires a dedicated cybersecurity expert or IT expertise
- Support from third parties creates trust issues, which creates risk
- Boards need to monitor success of objectives
Organisational characteristics to consider when setting objectives:
- Technologies
- Connection types and service providers
- Delivery channels
Considering technologies used as part of business model:
- Proportion of activity that is online
- Amount of digital interaction with customers and other stakeholders
- Type of data collected and way it is used + stored
Considering connection types and service providers:
- Connection types = physical or virtual, wired or wireless, networked or standalone, national or international
- Reliance on service providers creates cybersecurity risks – cloud-based computing and managing valuable data
What is cloud-based computing?
Solution for providing digital storage and processing that uses a separate org’s capacity and is only accessible online
Risks of cloud-based computing:
- Loss of data if provider is affected by an incident itself
- Reliance on a functioning network to gain access to own data
- Concerns over whether cloud computing provider is susceptible to cybersecurity breach
- Legal action from org’s stakeholders if data is compromised while stored on a cloud computing provider
Considering delivery channels for data:
- Website:
  * Collect data + interact with stakeholders
  * Creates risk to sensitive data
- Intranet:
  * Internal website that can be accessed remotely
  * Creates risk to digital data
- Email:
  * Spam is main risk – includes interception, eavesdropping and spoofing (impersonation to gain advantage)
  * Compromises integrity of email and requires controls to be in place
- Telephone:
  * Subject to eavesdropping and interception
  * Compromises confidentiality of discussions
- Instant messaging:
  * Spoofing as SPIM (IM equivalent of spam)
  * Could lead to service charges for users + highlights limited controls
- Social media:
  * Can be accessed illegally
  * Creates risk that messages are posted that org has not approved