Part 1 of this blog looked at what cyber risks are and what we need to understand in our approach to damage limitation.
The business benefits offered by new technology introduce a range of new risks and opportunities as well as causing many existing risks to be re-evaluated. Keeping track of the rapid change in technology and reacting to opportunities will be a challenge for the States of Jersey but one that we can build upon if we are active and risk aware.
Smartphones have increased our connectivity to levels we couldn’t have imagined just a few short years ago. They have become an accepted part of our everyday life and the lines between business and personal use have at times become blurred, with implications for our security. Hackers are increasingly viewing smartphones as easy targets, with new exploitation techniques such as pretexting, SMiShing, identity theft and phishing arising on a weekly basis.
With a larger number of users accessing eGovernment applications through smart devices, user awareness and training should form a key component of any roll-out programme.
Cloud services should not be considered as a solution for cyber risk. An environment migrated to the cloud will, if the controls remain in place, continue to be effectively controlled. A poorly controlled environment will be vulnerable to risk and threat regardless of the Information System infrastructure choice.
“It will never happen to us”
No-one is immune from cyber threats.
The European Commission estimates that more than one million people worldwide are the victims of cybercrime every day. All types and sizes of organisation are potentially affected, not just financial services, defence organisations and high-profile names.
Small businesses and charities are also not immune to cyber risks. There is growing evidence that criminals are targeting less protected organisations.
Protecting ourselves against Cyber Risk
Governance and assurance
- have an effective enterprise risk management process in place
- be clear who is responsible for managing risks
- consider our risk appetite in relation to cyber risks; communicate with all parts of the organisation and make sure resources are used effectively
- be fully aware of the regulatory and legal exposure, such as EU-GDPR, and the implications
- make sure our cyber risk strategy supports our wider strategic priorities
- invest in cyber risk mitigation and training
- make sure our internal audit programme gives us enough assurance in cyber risk management
Understanding the risk
- understand the value of the information we hold (intellectual property, financial, health, strategic plans and other business critical information, customer / personal data)
- understand the potential impact if information is stolen or corrupted (reputational damage, loss of competitive advantage and direct liabilities to third parties affected, regulatory censure)
- understand our customers’ expectations of our cyber security
- review our critical business functions that are outsourced to third parties and cloud-based services
- make sure our systems are engineered to the best levels of security
Actions we are taking
The Digital Leadership Programmes launched in 2016 will equip our leaders with cyber security skills.
Cyber risk should not be considered the domain of the ‘back-room technician’; it should be dealt with like any other risk to the States.
By applying industry best practices such as the International Organisation for Standardisation (ISO) ISO27001, which is the standard for information security management, and our own security standards, we aim to eliminate the majority of cyber threats and safely seize the large opportunities that eGovernment can bring.