Cyber security and project risk


Posted by APM on 10th Nov 2011

The APM Risk SIG held their latest event in Guildford on the 8th of November 2011 which was kindly sponsored by BAE Detica. All presentations can be downloaded below.

A number of speakers made presentations, and all delegates completed a workshop questionnaire, the results of which are summarised below.

- The biggest cybercrime threats perceived by attendees are IP theft, denial of service, customer data theft and insider threats.
- Nearly all attendees admitted that cybercrime risks would not make the "top 5" of their project risks. This may be due to several factors, including the poor identification of cybercrime risks, the poor flow of information on cybercrime risks between project stakeholders in large organisations, and the type of project involved (i.e. it might be a completely "offline" project).
- Cyber risks tend to be owned by the central business rather than the project team. Within the central business, they are owned at a high level but managed at a lower level.
- Most attendees felt that cybercrime risks shouldn't be assessed or managed differently to more traditional types of project risk. However, it was acknowledged that cybercrime risks are likely to evolve more quickly than most other types of project risk and become "black swan" (low probability, high impact) risks.
- Opportunities identified with cybercrime for projects include the ability to develop new skills and knowledge to combat cybercrime in projects, improved internal systems and processes to combat cybercrime, increased education and awareness of IT security and social engineering, and the promotion of "UK PLC" through an enhanced international reputation as a "safe pair of hands" for IT projects.

Questionnaire Conclusions

These are indicative and emerging conclusions from the event questionnaire:

1) How significant a challenge to your project/organisation are the following issues:
        a) Abuse of IT systems by internal parties - most respondents felt that it was not very significant
        b) Targeted cyber attacks by external parties - most respondents felt that it was fairly significant
        c) Viruses and similar malware like worms and trojans - most respondents felt it was very significant
        d) Denial of service attacks - most respondents felt it was not very significant
        e) Accidental data loss - most respondents felt it was very significant
        Overall, attendees ranked viruses, malware and accidental data loss as their biggest challenges

2) How would you describe your project or organisation's current risk level with regard to targeted cyber attacks?
        Attendees mostly stated "medium" or "fairly high"

3) Which, if any, of the following do you think are most likely to mount targeted cyber attacks against your company's IT systems and cause harm to your project or organisation?
        Attendees identified the following top five areas (in order of number of responses): state sponsored spies, competitors, hobbyist hackers, employees and terrorists

4) Which two or three of the following would you be most concerned about in the event of a successful targeted cyber attack:
        Attendees identified the top three areas (in order of number of responses): loss of customer data, theft of IP and theft of information which would compromise your competitive position in a major bid

5) And if any of those two or three were to occur, at what level within the project or organisation would you expect the resulting business impact to be visible?
        Attendees identified the Main Board of the organisation as the most likely place of impact, followed by the organisational business unit the project fell under

6) Does your project or organisation have in place specific mechanisms to value its information assets and understand the business impact of loss or damage?
        The vast majority of attendees said that their project or organisation did

7) How confident are you that your project or organisation is currently well equipped to prevent targeted cyber attacks by outsiders?
        The vast majority of attendees said that they were fairly confident

8) Has your project board or organisation boards requested risks and information specifically in relation to targeted cyber attacks on your IT network in the past twelve months?
        Exactly half of the responses said yes, the other half said no

9) To what extent do you agree or disagree with each of the following statements?
        A) The board of our project or organisation does not yet fully appreciate the risks posed by targeted cyber attacks to projects or organisations such as ours.
        The majority tended to disagree
        B) There is a strong business case for improving our project or organisation's defences against targeted cyber attacks
        The majority tended to agree
        C) Our cyber adversaries are innovating at a faster pace than our project or business can keep up with
        The majority neither agreed nor disagreed
        D) A successful cyber attack on commercially sensitive information will impact your project or organisation's competitiveness
        The majority tended to agree 

10) How great an impact do you believe sustained and successful cyber attacks could have on your project or organisation?
        The majority said that there would be a large impact and that critical information would be lost 

11) What do you believe is the best form of defence against targeted cyber attacks?
        The vast majority stated improved awareness and risk management. The other two areas that were highlighted by respondents were improved internal controls and bespoke specialist solutions

12) To what extent do you agree or disagree with each of the following statements?
        A) The threat to projects from targeted cyber attacks is widespread
        There was an even split between respondents who tended to agree and who tended to disagree
        B) The threat to projects from targeted cyber attacks will increase in the future
        The majority tended to agree
        C) Project risk management has an important role to play in preventing targeted attacks on projects based in this country
        The majority tended to agree
        D) A general loss of confidence in the security of the internet would have a significant negative impact on our project/organisation
        The majority strongly agreed

13) Which one or two of the following would be the most valuable ways in which the UK Government could help defend projects or organisations against cyber security threats?

        The majority identified development of advanced technology as the most valuable, followed by greater investment in law enforcement and sharing of classified information to help assess and understand the threat.
