Due to the changing nature of cyber risk, IT risk managers must update their risk management strategies to address new areas of concern. In the past, primary attention was given to protecting computer infrastructure from losses caused by lapses in physical security, exposed internet servers and networks, and rogue insiders. Now attention must be expanded to the applications and software the organization uses.
Because stepped-up risk management controls have improved network security, cyber criminals have turned their attention to less protected vulnerabilities in applications and software. In addition, the purpose of the attacks has shifted from causing embarrassment and denial of service to profiting from the theft of confidential financial and client information.
Cyber attacks focus on the following areas:
* disrupting infrastructure operations
* posting confidential enterprise information online
* theft of intellectual property
* identity theft
* theft of confidential information
* confiscating or compromising online bank accounts
* spreading viruses to other computers
* malicious insiders seeking revenge
* use of internet-launched viruses, malware, trojans, phishing, botnets, and other malicious code
A company’s risk analysis should identify which of the following risks apply, giving primary attention to those that present the largest loss potential by either their frequency or severity:
* identification of viruses on servers, workstations, and laptops
* open ports on the firewall
* which assets are currently being attacked
* which assets are most likely future targets
* a Payment Card Industry (PCI) audit if credit cards are used
* a HIPAA and HITECH audit for medical information, if applicable
* compliance with various state confidentiality and data protection laws
Source: Resources, Winter 2010, Paul W. Burkett, The National Alliance For Insurance Education And Research