Cyber risk management should be a priority for companies!
Recent events have reminded us of the fact that cyber risks are an increasingly daunting challenge for Belgian entrepreneurs. In May 2017, one of the largest cyber attacks so far was launched, using the WannaCry/WannaCrypt ransomware. The impact of this attack was felt all over the world. Several Belgian companies also received a ransom demand and were given the choice to pay or lose all their data. Enterprises and institutions in more than 150 countries, including Belgium, fell victim to the attack. However, there are ways to defend computer systems against cyber risks.
“Zero risk does not exist in the field of cybersecurity”, says Kris Vansteenwegen, Head of Security LifeCycle Services at NRB. “It is therefore essential to have a risk management system in place to reduce problems like the ones we have seen recently to a minimum.” Cyber risk management comprises a series of steps enabling enterprises not only to be aware of the current threats but also to react to them appropriately. Where do these threats come from? It’s quite simple: from obsolete software (Windows XP for instance), from new technology, from a computer program that has not yet been updated, and so on. “But even an update to fill a security gap may give rise to a new security problem that must be addressed afterwards”, says Kris Vansteenwegen. The digital universe is not a static environment. It is important to clearly identify the risks to which we are exposed. This is done by means of a well-established procedure: “In order to have an idea of the risks, we must first perform a Risk Assessment and create a risk register, which will show the current status of the risk profile. On the basis of this register, the management will take decisions: what risks do we accept? What risks should we reduce?” These decisions will often be taken on the basis of the immediate cost and of the future cost caused by a possible security gap. For instance: do we have to change our storage system because it entails a risk? Or will the cost of the risk, if it occurs, still be lower than the cost of replacement? “Enterprises all too often make the mistake of restricting themselves to a Risk Assessment”, states Kris Vansteenwegen. “But it is only an initial step. Good risk management requires a ‘Risk Manager’, who updates the register on a regular basis.”
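The register-driven decision described above, as an added illustration (this is not NRB's tooling): each entry carries a likelihood, an impact and a treatment cost; the accept-or-reduce choice compares the treatment cost with the expected loss, and entries not re-assessed within the review period are flagged for the Risk Manager. The sample entries and all figures are constructed, and the 90-day review period is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical risk-register model (not NRB's own tooling).
@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float       # estimated probability of occurrence per year (0..1)
    impact: float           # estimated loss if the risk materialises (EUR)
    mitigation_cost: float  # one-off cost of reducing the risk (EUR)
    last_reviewed: date     # when the Risk Manager last re-assessed the entry
    decision: str = "undecided"

    def expected_loss(self) -> float:
        return self.likelihood * self.impact

def decide(risk: Risk) -> str:
    """Management's choice: reduce the risk when treating it costs less than
    the expected loss, otherwise accept it (and record that decision)."""
    risk.decision = "reduce" if risk.mitigation_cost < risk.expected_loss() else "accept"
    return risk.decision

def stale_entries(register, today: date, max_age_days: int = 90):
    """Entries not re-assessed within the review period (assumed: 90 days)."""
    cutoff = today - timedelta(days=max_age_days)
    return [r for r in register if r.last_reviewed < cutoff]

# Constructed sample register; figures are illustrative, not real data.
REGISTER = [
    Risk("scanner workstation", "ransomware via unsupported Windows XP",
         likelihood=0.5, impact=400_000, mitigation_cost=25_000,
         last_reviewed=date(2016, 12, 1)),
    Risk("legacy storage array", "data loss on hardware failure",
         likelihood=0.05, impact=100_000, mitigation_cost=60_000,
         last_reviewed=date(2017, 5, 20)),
]

def review(register, today: date):
    """One review cycle: decide every entry and list those overdue for re-assessment."""
    decisions = {r.asset: decide(r) for r in register}
    overdue = [r.asset for r in stale_entries(register, today)]
    return decisions, overdue

if __name__ == "__main__":
    decisions, overdue = review(REGISTER, date(2017, 6, 1))
    for asset, choice in decisions.items():
        print(f"{asset}: {choice}")
    print("overdue for review:", overdue)
```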
NRB also has the SOC, the Security Operations Center, which MONITORS, EVALUATES and DEFENDS the company's IT systems (websites, applications, databases, data centres and servers, networks, desktop computers and other terminals). When creating an SOC, three essential aspects must be taken into account: firstly, the configuration of security monitoring tools to receive raw data that are relevant for security, secondly, the use of these tools to detect suspect or malicious activity and thirdly, the implementation of a plan for information security management.
Not only are the threats evolving, but so are the hardware and the software used by the company. Due to trends like “Bring Your Own Device” or “Mobility”, cyber security has become an everyday concern. The events of the month of May are indicative of the strategic choices made by the impacted companies. “A hospital that does not replace the computer of its scanner although it runs on Windows XP, software that has not been updated since 2014, has either made a strategic choice or is unaware of the risks. That is why risk management should be aligned with the strategic objectives of the enterprise as well as with its internal assets such as software, devices or the IT department.”
It is clear that cyber risk management is an ongoing task that must be integrated into the organisation of enterprises. The security gaps targeted by WannaCry/WannaCrypt have been known since April 2016, and enterprises that had made cyber security a priority were not impacted. “At NRB, we consider the cyber security of our clients to be a strategic element and we are constantly monitoring activities via the SOC.” You have been warned! Although no complete protection against cyber risk is possible, it can nevertheless be anticipated, detected and corrected when necessary in order to ensure the continuity of the company's activities.