ACCT5919 - Lecture 9 T3 2024


ACCT5919 -

Business Risk
Management

Lecture 9 – Cyber Risk and Data Privacy


AGENDA
COURSE ADMINISTRATION
Measurement calculations – solutions in Moodle – any questions?
Quizzes – any questions?
Group Video Presentation – any questions?
My experience survey – please complete.

LECTURE – CYBER RISK AND DATA PRIVACY


Definition of cyber risk and data privacy
Common players and vectors
Common Techniques and Weaknesses
The Impact
Regulation
Risk Levels
Management Frameworks
Controls
Class Discussion – FRAUD
Quiz
What is Cyber Risk
Cyber risk is the potential for adverse consequences arising from the use of, or failures in the
management of, digital/information technology (IT) systems and assets. IT systems and digital
assets encompass applications/software, data, hardware and communication networks. The
potential for adverse consequences exists across all internal activities in the IT systems
management life-cycle as well as from external parties. It can arise from malicious/deliberate
acts as well as from inadvertent/negligent failures.

The level of exposure, and the way in which it manifests, has changed due to increased:
• Levels of use and complexity of technology as a core channel for an organisation to
operate its value chain especially with customers
• Levels of direct connection of IT systems with external parties and reliance in part on
external parties for managing security
• Use of outsource partners to provide IT systems management life-cycle services to the
organisation eg system development, provision of hardware, system administration and
user support services
• External threats from organised criminal syndicates and sovereign state actors.
The direct impacts can include disruption to business operations and consequent increased
costs and loss of revenue, fraud losses, and potential legal liabilities and reputational
damage for breaches of data privacy requirements.
What is Data Privacy
Data privacy, sometimes referred to as information privacy, encompasses the protection
and responsible handling of any data, whether in digital or non-digital form. It involves
maintaining the confidentiality, integrity, and availability of data throughout its lifecycle. As
used in this lecture, data privacy extends beyond personal information and includes sensitive
corporate data, intellectual property, financial records, and any other data that requires
protection. (Note that privacy legislation such as the GDPR and the Australian Privacy Act
applies specifically to personal information; protection of other data is usually described as
information security.)

Data privacy is part of the broader concept of data protection which involves ensuring data
is:
• held securely during its life-cycle so that it is available as and when required to only
those who are authorised to access the data and for only authorised purposes,
• maintained and processed accurately,
• destroyed at the end of its life-cycle,
• maintained so that the organisation meets any specific regulatory requirements (eg
domicile of storage of information).
Sources of security threats extend beyond external hacker activities and include all the
internal activities that comprise the information security management life-cycle.

External cyber security incidents are increasingly prevalent due to increased use by
organisations of technology for core activities, social and geo-political tensions, as well as
increased regulatory requirements being imposed.
Common Players and Threats
External (or internal) malicious actors can take advantage of physical and logical
vulnerabilities (vectors):
• Physical hardware vulnerabilities
• Internal and external negligent / uneducated users
• Poor internal security design or control failures – negligent or inadvertent or malicious

Threat actors:
• Foreign intelligence & corporate espionage
• Hacktivists
• Criminal elements
• Terrorist acts
• Insider threats

Threat vectors:
• Supply chain vulnerability
• Negligent users
• Wireless access points
• Removable media
Common Techniques and Weaknesses
Criminals exploiting negligent or uneducated users

1. Phishing - Phishing is a type of social engineering attack where cybercriminals use
deceptive emails, messages, or websites to trick individuals into revealing sensitive
information (such as passwords, bank account or credit card numbers, or personal
details) or into clicking a link that downloads malware to the user's device.

The messages can appear to be sent by an organisation (which is being used as a vector)
even though they are in practice entirely unrelated to it. External stakeholders may expect
the impersonated organisation to issue clarifying information and to educate its users, even
though its own systems were not compromised.

2. Credential Stuffing: cybercriminals use automated tools to try stolen username/password
combinations across many online platforms, exploiting users who reuse passwords across
sites, systems or applications. (The related technique of trying a few easily guessed
passwords against many accounts is called password spraying.) Credentials stolen from
another organisation may be used to access the user's account with your organisation with a
view to conducting fraudulent and unauthorised transactions.

If the user is an internal staff member, the credentials may be used to try to reach the
organisation's systems beyond the external user account functionality, or other internal
systems.
Common Techniques and
Weaknesses (Cont.)
Criminals exploiting negligent or uneducated users

3. Hacking – compromising personal devices and public unsecured networks to obtain personal
information or system log-in/registration details, including passwords. Less secure devices
and networks are attacked to achieve the same outcome as phishing.

Increased remote working and working from home has increased the exposure to this type
of attack, because the protection provided by organisation-managed devices with
firewalls and monitoring on an internal network is not present.

Malware may be used to corrupt, encrypt or destroy data, software or applications, or to
copy/steal data. The perpetrator may demand a ransom (ransomware) to restore the
organisation's ability to use the data.

4. Physical access – to unprotected personal devices outside the organisation, or
watching/listening to staff working in public spaces.

Threat management relies heavily on internal and external users behaving in accordance
with required procedures; education and monitoring are required to continually reinforce and
enforce requirements. This is more difficult to achieve with external users.
Common Techniques and
Weaknesses (Cont.)
Internal Staff – malicious and inadvertent acts/errors

1. Access privileges - Internal staff with highly privileged accounts giving access to
databases and systems (IT administrators) create a high exposure to manipulation,
corruption, copying and leaking of data or systems. The individual may act maliciously or
may inadvertently make errors in using their functionality. They may act for personal gain,
be coerced by external criminals, or wish to disrupt the organisation.

Inadvertent errors may also occur in setting access privileges (eg misconfigured systems,
insecure file sharing), giving inappropriate internal staff access that allows data to be
leaked or copied.

2. Passwords - Staff may be unaware or uneducated about accessing restricted/unsafe
external sites that enable third-party hacking, or may use easily guessable passwords,
increasing the risk of being hacked.

3. Physical access – inappropriate granting of physical access privileges, or easily breached
physical controls over hardware assets, may allow assets/data to be stolen or destroyed.

4. Emailing sensitive data to a home email address – to support working from home in an
unsecured environment.
Common Techniques and
Weaknesses (Cont.)
Poor Asset Security Practices or Settings
1. Access privileges – inappropriately wide and open granting of access - internal or Cloud
2. Password rules – strength, reuse, and frequency of change
3. Unencrypted file sharing
4. Emailing files to external address
5. Use of insecure networks (WiFi)
6. Working in public places
7. Use of personal device
8. Use of removable media
9. Use of webcam on personal devices/insecure meeting apps
10. Poor security design for user access to systems and apps eg no 2FA
11. No monitoring for brute force/Distributed Denial of Service attacks
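Item 11 above (no monitoring for brute force) and the credential stuffing technique described earlier are both detectable from ordinary authentication logs. The following is an added example, not part of the lecture, showing that detection logic run over a constructed sample log. The log format, the 5-minute window and the thresholds (10 distinct usernames with at least 80% failures from one IP; 5 failures against one account) are assumptions to be tuned to the organisation's own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the lecture).
# Format: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-11-04T09:00:01 203.0.113.10 alice FAIL
2024-11-04T09:00:02 203.0.113.10 bob FAIL
2024-11-04T09:00:03 203.0.113.10 carol FAIL
2024-11-04T09:00:04 203.0.113.10 dave OK
2024-11-04T09:00:05 203.0.113.10 erin FAIL
2024-11-04T09:00:06 203.0.113.10 frank FAIL
2024-11-04T09:00:07 203.0.113.10 grace FAIL
2024-11-04T09:00:08 203.0.113.10 heidi FAIL
2024-11-04T09:00:09 203.0.113.10 ivan FAIL
2024-11-04T09:00:10 203.0.113.10 judy FAIL
2024-11-04T09:00:11 203.0.113.10 mallory FAIL
2024-11-04T09:00:12 203.0.113.10 oscar FAIL
2024-11-04T09:01:00 198.51.100.7 alice FAIL
2024-11-04T09:01:05 198.51.100.7 alice FAIL
2024-11-04T09:01:10 198.51.100.8 alice FAIL
2024-11-04T09:01:15 198.51.100.9 alice FAIL
2024-11-04T09:01:20 198.51.100.7 alice FAIL
2024-11-04T09:01:25 198.51.100.10 alice FAIL
2024-11-04T09:05:00 192.0.2.44 bob OK
2024-11-04T10:30:00 192.0.2.44 bob FAIL
2024-11-04T10:30:20 192.0.2.44 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_auth_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": result == "OK"})
    return events


def _sliding_windows(events, key, window):
    """Group events by key(event); for each group yield (key, events) for every
    window of length <= `window` that ends at each event, in time order."""
    by_key = defaultdict(list)
    for e in events:
        by_key[key(e)].append(e)
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            yield k, evs[start:end + 1]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=10, min_fail_ratio=0.8):
    """Flag source IPs that try many *different* usernames in a short window with
    a high failure rate: the signature of a stolen credential list being replayed.
    Returns {ip: max distinct usernames seen in one window}."""
    flagged = {}
    for ip, evs in _sliding_windows(events, lambda e: e["ip"], window):
        users = {e["user"] for e in evs}
        failures = sum(1 for e in evs if not e["ok"])
        if len(users) >= min_users and failures / len(evs) >= min_fail_ratio:
            flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def detect_brute_force(events, window=timedelta(minutes=5), max_failures=5):
    """Flag accounts with too many failures in a window regardless of source IP,
    so an attack spread across many IPs (or a password spray) is still caught.
    Returns {username: max failures seen in one window}."""
    flagged = {}
    for user, evs in _sliding_windows(events, lambda e: e["user"], window):
        failures = sum(1 for e in evs if not e["ok"])
        if failures >= max_failures:
            flagged[user] = max(flagged.get(user, 0), failures)
    return flagged


def analyse(log_text):
    """Run both detectors over raw log text and return their findings."""
    events = parse_auth_log(log_text)
    return {"credential_stuffing": detect_credential_stuffing(events),
            "brute_force": detect_brute_force(events)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```

Credential stuffing is keyed on the source IP because the attacker cycles through usernames; the brute-force rule is keyed on the username because the attacker may cycle through IPs. Shared egress addresses (corporate NAT, mobile carriers) inflate the distinct-user count per IP, so in practice the IP-based rule needs allow-lists or should raise a lower-confidence alert, and the response to either finding should be rate limiting and step-up authentication rather than blanket account lockout, which hands the attacker a denial-of-service lever.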
The Impact
According to the Australian Federal Government Department of Home Affairs and Stay Smart Online
Australia, a new cyber crime is reported every 10 minutes, and the annual cost is increasing.

Key points from the KPMG chart (figure not reproduced):
• All sizes of organisations are under threat.
• Malicious insiders can do the most damage, measured by recovery period.

Source: KPMG 2022


The Impact (Cont.)
Cybercrime Magazine (Cybersecurity Ventures) estimated in 2020 that the global cost of
cybercrime, including data privacy breaches, will reach $10.5 trillion USD annually by 2025.

The estimate is based on historical cybercrime figures, including recent year-over-year
growth and a dramatic increase in hostile nation-state-sponsored and organised crime gang
hacking activity.

The cost/impact of cyber and data privacy breaches includes:


• damage and destruction of data,
• stolen money,
• lost productivity,
• theft of intellectual property,
• theft of personal and financial data,
• embezzlement and fraud,
• post-attack disruption to the normal course of business,
• forensic investigation, restoration and deletion of hacked data and systems, and
• reputational harm.
Increasing Regulation
Regulators around the world are strengthening rules concerning the protection of
personal data and the management of cyber risks. Laws and regulations comprise
directives and/or requirements that attempt to safeguard information technology with
the purpose of forcing companies and organisations to protect their systems and
information from cyber and data privacy threats and attacks using numerous
measures.

Examples
Regulation in the European Union includes:
• The General Data Protection Regulation (GDPR), which replaced the earlier Data
Protection Directive (95/46/EC) as the framework for the protection and use of personal
data; and
• The Network and Information Security (NIS) Directive, which specifies cyber security
obligations in certain industry sectors, largely critical national infrastructure and major
information processing activities. It has since been superseded by NIS2 (Directive (EU)
2022/2555), which member states were required to transpose by 17 October 2024 and
which widens the sectors covered.
Increasing Regulation (Cont.)
Regulation in the USA includes:
• Gramm-Leach-Bliley Act (1999) makes it mandatory for financial institutions, meaning
companies that provide consumers products or services like loans, financial or
investment advice, or insurance, to explain their information-sharing practices to their
customers and to safeguard their sensitive data.
• Homeland Security Act (2002) attempts to recognise the importance of information
security to the economic and national security interests of the United States

Regulation in Australia includes:

• The Privacy Act 1988 (Cth) sets out the requirements for handling personal information
about individuals, including the collection, use, storage and disclosure of personal
information in the federal public sector and in the private sector. The Notifiable Data
Breaches scheme under the Act (in force since February 2018) makes reporting of eligible
data breaches mandatory.
• Regulators are becoming more active in enforcement and inflicting fines where
breaches have occurred due to significant recent breaches.
Cyber and Data Privacy Risk Levels
Data privacy in relation to digital data/information is one area of the broader cyber risk
management framework.

Recent high profile data privacy breaches and more active regulators are driving a focus on
data security within the cyber risk universe. The cyber risk universe would also include fraud
and financial crime related exposures.

For the same reasons we manage all risks actively it is important to manage cyber risk in this
context of heightened exposure and consequences.

Many frameworks are available; most focus on security, which covers most operational
threat treatments. Cyber risk applies at three levels:

Strategic:
• Appropriate use of digital technology to achieve strategic objectives
• Capability to manage cyber risks for intended use of digital technology
• Use of third-party digital systems – develop or buy
Cyber and Data Privacy Risk Levels
(Cont.)
Tactical (implementation of strategic digital initiatives):
• Project management and governance
• Technical development of digital assets – secure and reliable
• Software functional design and development/testing – achieve purpose of application securely
Operational:
• Governance, policies and information risk management framework
• Planning and Resourcing/Responsibilities
• Risk/threat assessment and treatments/controls– criticality of assets (use and sensitivity)
• Hardware/networks
• Software – own and third party
• Data
• Security threat assessment and controls – physical and logical access - data at rest / being processed
• Incident management – security breach or operational related
• Continuity and recovery of digital assets
• Managing outsource providers
• Control testing/audits
Frameworks
Managing cyber and data privacy requires a comprehensive and well-structured
approach. Several frameworks have been developed to guide organisations in effectively
addressing and mitigating cyber and privacy risks, mostly focused on security aspects.

When implementing these frameworks, organisations need to tailor their approach to their
specific business requirements, industry, and regulatory environment. Compliance with
relevant data protection laws and regulations, such as GDPR and the Privacy Act, needs
to be an integral part of any privacy management framework.

1. GDPR Compliance Framework (General Data Protection Regulation): The GDPR
is a comprehensive data protection regulation in the European Union, and its
principles are globally influential. While it focuses on data protection and privacy, it
also encompasses cyber-related concerns. The GDPR requires organisations to
implement various measures to protect personal data, such as privacy impact
assessments, data protection officers, and data breach notification processes.
Compliance with GDPR involves a thorough understanding of the regulation's
requirements and adapting internal processes accordingly.
Frameworks (Cont.)
3. ISO/IEC 27001 (International Organisation for Standardisation / International
Electrotechnical Commission): ISO/IEC 27001 is an internationally recognised
standard for information security management systems (ISMS). While it primarily
focuses on information security, it includes principles and controls related to data
privacy. The standard emphasizes risk management, continuous improvement, and a
systematic approach to protecting sensitive information, including personal data.

4. CIS Controls (Center for Internet Security): The CIS Controls provide a prioritised
set of actions designed to protect organisations from cyber threats. While the focus is
on cybersecurity, the controls include measures related to data privacy, such as
securing data storage, data retention policies, and access controls. The controls are
organised into three implementation groups based on an organisation's size,
resources, and cybersecurity maturity.

5. NIST Cybersecurity Framework (National Institute of Standards and
Technology): The NIST Cybersecurity Framework is a widely adopted guideline for
managing cybersecurity risks. Though it primarily focuses on cybersecurity, it includes
important components related to data privacy. Version 1.1 of the framework is organised
into five core functions: Identify, Protect, Detect, Respond, and Recover; CSF 2.0,
released in February 2024, adds a sixth function, Govern. It provides a systematic
approach for understanding an organisation's cybersecurity and privacy risk profile and
developing strategies to manage those risks effectively.
NIST Framework (diagram of the core functions; figure not reproduced)
Cyber and Data Privacy Risk
Management
Cyber and data privacy risk management is the process of identifying, analysing, and
evaluating potential threats and vulnerabilities to an organisation's information systems,
data, and technology infrastructure. The primary goal is to understand the level of risk the
organisation faces from cyber and data privacy threats and to implement measures to
manage and mitigate those risks effectively to meet risk appetite. Similar to the risk
management process, the key steps are:

1. Identify Assets and Data: Identifying all the assets within the organisation that are
critical to its operations, including hardware, software, networks, and data. Understand
what data is collected, processed, stored, and transmitted, as well as its sensitivity and
value.

2. Threat Identification: Identify potential threats that could exploit vulnerabilities in the
organisation's assets. These threats may include external threats like hackers and
malware, as well as internal threats like insider attacks or accidental data leaks.
Cyber and Data Privacy Risk
Management (Cont.)
3. Vulnerability Assessment: Evaluate the vulnerabilities present in the organisation's
assets. Vulnerabilities are weaknesses or gaps in security that could be exploited by
cyber threats. This may involve conducting security scans, penetration testing, and
code reviews.

4. Likelihood Assessment: Assess the likelihood of each identified threat exploiting
the vulnerabilities in the organisation's assets. Consider factors such as the threat
actor's capabilities, historical attack data, and the effectiveness of existing security
controls.

5. Impact/Consequence Assessment: Assess the potential impact that a successful
cyber attack could have on the organisation. This may include financial losses, data
breaches, reputational damage, legal liabilities, and operational disruptions.

6. Determine Risk Rating: Calculate the level of risk associated with each identified
threat-vulnerability pair. The focus should be on addressing the high-risk areas first to
ensure the most critical vulnerabilities are addressed promptly.
Cyber and Data Privacy Risk
Management (Cont.)
7. Mitigation and Controls: Develop a risk management strategy that outlines specific
measures and controls to reduce the identified risks. This could involve implementing
technical controls, enhancing security policies and procedures, and conducting
employee training on cybersecurity best practices.

8. Continuous Monitoring: Risks and threats are constantly evolving, so continuous
monitoring is crucial. Regularly reassess the organisation's risk posture, update risk
assessments, and adapt mitigation strategies as needed.

9. Reporting and Communication: Present the findings of the risk assessment to
relevant stakeholders, such as senior management and the board of directors. Clearly
communicate the identified risks, potential impacts, and recommended actions for risk
mitigation.

Cyber and Data Privacy Risk Management is an ongoing process, and an organisation
should regularly review and update its assessments to address new threats, vulnerabilities,
and changes in the business environment. By understanding and managing the risks and
threats proactively, organisations can better protect their assets, data, and reputation.
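Steps 6 and 7 of the nine-step process above (risk rating, then mitigation and controls) are the part that is usually done in a spreadsheet. As an added example that is not from the lecture, the following Python keeps a small risk register: each threat-vulnerability pair is scored inherently (likelihood x impact on 1-5 scales), re-scored with the planned control in place, and flagged where the residual rating still exceeds a stated risk appetite. The 5x5 banding, the sample risks and their scores are constructed for illustration; each organisation sets its own scales and appetite.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed 5x5 banding of the score likelihood x impact (1-25). Organisations
# define their own bands; these are illustrative only.
BANDS = [(15, "Extreme"), (10, "High"), (5, "Medium"), (1, "Low")]
BAND_ORDER = {label: i for i, (_, label) in enumerate(reversed(BANDS))}


def rate(score):
    """Map a likelihood x impact score (1-25) to a rating band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError("score must be between 1 and 25")


@dataclass
class Risk:
    threat: str
    vulnerability: str
    asset: str
    likelihood: int                         # 1 (rare) .. 5 (almost certain), untreated
    impact: int                             # 1 (negligible) .. 5 (severe), untreated
    control: str = ""                       # planned or existing treatment
    likelihood_after: Optional[int] = None  # expected value once the control is effective
    impact_after: Optional[int] = None      # None means the control does not change it


def build_register(risks, appetite="Medium"):
    """Score each threat-vulnerability pair inherently and residually, and order the
    register so the highest inherent risks are addressed first (step 6); the
    exceeds_appetite flag shows where the planned control (step 7) is not enough."""
    rows = []
    for r in risks:
        for v in (r.likelihood, r.impact, r.likelihood_after, r.impact_after):
            if v is not None and not 1 <= v <= 5:
                raise ValueError(f"scale values must be 1-5: {r.threat}")
        inherent = r.likelihood * r.impact
        residual = ((r.likelihood_after or r.likelihood)
                    * (r.impact_after or r.impact))
        rows.append({
            "threat": r.threat, "asset": r.asset, "control": r.control,
            "inherent_score": inherent, "inherent_rating": rate(inherent),
            "residual_score": residual, "residual_rating": rate(residual),
            "exceeds_appetite": BAND_ORDER[rate(residual)] > BAND_ORDER[appetite],
        })
    rows.sort(key=lambda row: (row["inherent_score"], row["residual_score"]),
              reverse=True)
    return rows


# Constructed sample register drawing on the threats listed in the lecture.
SAMPLE_RISKS = [
    Risk("Credential stuffing", "no MFA on customer portal", "customer accounts",
         5, 4, "MFA plus login rate limiting", likelihood_after=2),
    Risk("Ransomware via phishing", "users click malicious links",
         "laptop fleet and file servers", 4, 5,
         "EDR and tested offline backups", likelihood_after=3, impact_after=4),
    Risk("Privileged admin misuse", "standing database admin rights",
         "customer database", 2, 5,
         "privileged access management and session logging",
         likelihood_after=1, impact_after=4),
    Risk("Staff emailing files to home address", "no outbound DLP",
         "sensitive documents", 4, 2,
         "DLP rule blocking personal webmail domains", likelihood_after=2),
    Risk("Malware from removable media", "USB ports enabled", "staff workstations",
         2, 2),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, appetite="Medium"):
        flag = "  <-- above appetite" if row["exceeds_appetite"] else ""
        print(f"{row['threat']:<38} inherent {row['inherent_score']:>2} "
              f"{row['inherent_rating']:<8} residual {row['residual_score']:>2} "
              f"{row['residual_rating']:<8}{flag}")
```

The ordering uses the inherent score, not the residual one, because step 6 asks which exposures to treat first; the residual score then tells you whether the chosen treatment gets the risk inside appetite or whether a second control (or a change of appetite decision by the board) is needed. In the sample, ransomware stays High after EDR and backups, which is the row a risk committee would push back on.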
Controls
For the tactical and operational level risk management controls are often broken into two
categories:

General Controls – relate to the overall digital environment – not germane to a single
application
• Administration of IT assets
• Logical access and monitoring
• System life-cycle – development, testing and release
• Physical access and monitoring
• Data protection and recovery

Application Controls – controls that address risks within an application/system
• Specific access rights and functions v roles
• Data entry, processing and reporting – data integrity (completeness and accuracy) –
automated and manual controls
• Data storage and retention
• Audit trail
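The "audit trail" application control listed above is only useful as evidence if the privileged insider discussed under Internal Staff cannot quietly edit it afterwards. As an added example that is not part of the lecture, the following makes an application audit log tamper-evident by hash-chaining each record to the previous one, so that any later edit, reordering or deletion breaks the chain at a known position. The record layout and the sample payment entries are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record


def _record_hash(prev_hash, seq, entry):
    """SHA-256 of this record bound to the previous record's hash. Canonical JSON
    (sorted keys, no whitespace) so the same entry always hashes the same way."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "entry": entry},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(trail, entry):
    """Append an audit entry (a JSON-serialisable dict) to the in-memory trail."""
    prev = trail[-1]["hash"] if trail else GENESIS
    seq = len(trail)
    trail.append({"seq": seq, "prev": prev, "entry": entry,
                  "hash": _record_hash(prev, seq, entry)})
    return trail[-1]


def verify_trail(trail):
    """Return (True, n) if all n records chain correctly, otherwise (False, i) where
    i is the first record whose sequence number, back-link or hash does not match."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if rec["hash"] != _record_hash(prev, i, rec["entry"]):
            return False, i
        prev = rec["hash"]
    return True, len(trail)


def build_sample_trail():
    """Constructed sample entries for a payments application (not real data)."""
    trail = []
    append_entry(trail, {"user": "clerk1", "action": "create_payment",
                         "payee": "ACME", "amount": 1200})
    append_entry(trail, {"user": "manager2", "action": "approve_payment",
                         "payment_id": 1})
    append_entry(trail, {"user": "dba_admin", "action": "update",
                         "table": "payments", "payment_id": 1})
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    print(verify_trail(trail))            # (True, 3)
    trail[0]["entry"]["amount"] = 120000  # an insider edits the amount afterwards
    print(verify_trail(trail))            # (False, 0)
```

One limitation worth knowing: the chain detects edits, reordering and deletions inside the trail, but not removal of the newest records, because nothing after them references their hash. The latest hash therefore has to be copied periodically somewhere the application's administrators cannot change (a separate log platform, or a signed daily checkpoint) and compared during control testing.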
ISO 27002 Controls (control catalogue; figure not reproduced)
COSO Controls (figure not reproduced)
General Controls (COSO Internal Control Framework; figure not reproduced)
1. Leadership and Commitment
2. Policy and Procedures
3. Physical Security
4. Logical security
5. Education and Training
6. Vendor Risk Management
7. Business Resilience
8. Compliance and Audit
9. Continuous Improvement
