The Motivations Behind Cyber Attacks and How To Control That Risk

As we mentioned last month, we have launched a new paper on cyber risk. Free to download, it was written by Peter Smith in conjunction with leading supply chain risk management experts riskmethods, whose platform helps users manage risks and provides real-time risk alerts to enable organisations to handle risk better.

We have produced five short briefing papers in this series, covering geo-political risk, man-made risks (strikes, etc), reputational risk, supplier financial risk and natural disasters. They are all available here.

This is the latest in the series and is all about Cyber Attack - What It Is and Why You Should Care. 

Here is an extract from it to whet your appetite.

 

What Drives This Risk?

There are various motivations behind cyber attacks. Firstly, there is the “malicious amateur”, the archetype being the 15-year-old “kid in the bedroom” hacking into systems just for fun or to show off to friends or an online community. Such perpetrators seemed to account for a high proportion of the first wave of cyber attacks, but criminal attackers who are in it for the money are now more prevalent. Criminal attackers look to make a return by extortion, blackmail or selling data, such as credit card information, that they extract from legitimate sites.

Competitive attacks are rare—as far as we know—but there have been cases of firms looking to gain information from their rivals or to disadvantage them in some way by cyber activity. And finally, there is a relatively new phenomenon: state-sponsored hackers, representatives of countries who are looking to disrupt other “enemy” countries (or their organizations and businesses) by cyber attacks, perhaps even linked to fake news and other psychological warfare techniques.

Many organizations have realized that they must take serious actions and precautions to guard against this type of risk in terms of their own systems and activities. But there are risks among suppliers and in the supply chain too. That could simply be the disruption caused in a key supplier’s business if they were hit by an attack, which might have a knock-on effect on the buyers of the firm’s products. A supplier might have to halt deliveries, for instance, if its own systems are corrupted.

However, it’s important to keep in mind that there are also cyber risks that aren’t actually caused by attacks or third parties. Negligence or ignorance may be to blame. A more mundane example might see a supplier that handles data on behalf of a client (the buying organization) make a mistake that leads to a cyber-related issue with legal ramifications for both the supplier and the buyer. A good example of this is GDPR (General Data Protection Regulation), where the buying organization’s customer data is handled by a supplier, and there is a risk that the supplier might breach the regulations, perhaps because of a technology failure.

More recently, there have been cases where a risk event has emerged via a supplier that provides services or information that is embedded in the client organization’s website or other technology in some way. That may be the case with the September 2018 British Airways hack, which will have a huge cost to that firm. It is thought that around 400,000 card payments made by customers via the BA website were compromised over two weeks, with the hackers gaining access to full customer details – even the three-digit CVV codes from the cards. Such risks fall firmly into supply chain risk territory.

(Please download the paper here to read on).
