This article briefly explores what the Governance, Risk and Compliance (GRC) community could be doing to promote a clearer understanding of cybercrime and the effects it is having on our way of life. Cybercrime is the threat which increasingly dares not speak its name and organisations which become its victims often find it difficult to expose their shortcomings, brushing it under the corporate carpet in the misguided hope that it will go away. This response only emboldens the perpetrators and so the wretched cycle continues.

Whilst crime has been with us since organised societies first developed, cybercrime is a relatively new and generally less well understood problem. And it’s growing fast. Perhaps it is time for the GRC community to put cybercrime and the wider issues of cyber security firmly on its agenda. That is to say somewhere between planning for swine flu and the next Great Flood! We could do much more to raise awareness of this most insidious and pernicious of threats to our way of life not because it’s about to happen, or might happen, but because it is happening right now.

The Perfect Storm

A positive outcome of Risk Management, Business Continuity Planning and Compliance Programmes across the GRC agenda is that, together, they do a fine job of helping us to understand and deal with a range of threats. But we are faced with conditions akin to a perfect storm: global warming and the prospect of widespread flooding, pandemic flu and, increasingly, cybercrime. In response we gravitate towards the threats that we most easily relate to and, more often than not, they are rooted in the physical world. But cybercrime, which is raging unseen and untamed in the virtual world, is completely out of control and barely understood.

And yet this is not some aberration of nature: it is not even force majeure. No; this threat is of our own making in the sense that it is people or, more accurately, criminals and terrorists, acting in ways unimaginable just a few years ago. According to experts at Kroll, “Organised cyber-criminals are generally well ahead of governments and businesses. They are scornful of judicial and geographic boundaries. They operate in one country, bank in another, live in yet another and travel at will between all of them on any number of ‘legitimate’ passports with the proceeds of their gain tied up in notional trusts in which it is virtually impossible to identify beneficial ownership.” Oscar O’Connor of SELEX Communications suggests that “in an environment without identifiable perimeters, where the miscreant is generally better equipped, better funded and better motivated than the gate-keeper, the notion that any individual or organisation could be immune from attack is risible.”

It is no longer safe to assume that even an individual would be of no interest to a cybercriminal. Not only do personal identities have a market value, but so does processing time on something as “harmless” as a personal computer. Some estimates suggest that one in four personal computers, worldwide, are infected with software that allows them to be used without the consent, or knowledge, of the owner. Think about that the next time you are catching up with events on your social networking site!

A Problem of Culture

The greatest risks to information resources are not solely exploited via technical vulnerabilities, for which there are many available solutions, but increasingly via the naïve and uninformed behaviour of people. Our best defence therefore is not technological (we already have an armoury of tools and techniques at our disposal); it is behavioural. Of all data loss reported by HM Government in the UK since the incident at HMRC, for example, only 5% is believed by some experts to be due to technology issues while 95% is due to cultural factors or the behaviours of people. What we must do therefore is change the way we behave in order to protect our way of life, and this we achieve through programmes of education, training and awareness. Does this ring any bells? Section 6, perhaps, of BS 25999?

So, nothing new then! What is changing however, albeit too slowly and perhaps too late, is an acknowledgment that something needs to be done. Cybercrime was even discussed at the World Economic Forum held in Davos this year! In calling for a new system to tackle well-organised gangs of cybercriminals, experts warned in January that “the threat of cybercrime is rising sharply. Online theft costs $1 trillion a year and the number of attacks is rising sharply.”

They conclude that “too many people do not know how to protect themselves”. “The internet was vulnerable”, they said, “but as it was now part of society’s central nervous system, attacks could threaten whole economies. The past year had seen ‘more vulnerabilities, more cybercrime, more malicious software than ever before, more than had been seen in the past five years combined.’” Is this hype? You decide: some reports in the UK have even suggested that as many as 162 million records of personal data were compromised in 2007, up 230% on the previous year! This is probably just the tip of the iceberg.

The review which led to the publication of the UK’s Civil Contingencies Act 2004, for example, followed a series of national crises such as the fuel shortages and floods in 2000 and the foot and mouth outbreak of 2001. The report concluded that, in the 21st Century, the frameworks in place for civil protection were no longer adequate. Is it now time to apply the same adequacy tests to the frameworks upon which we all depend to ensure the confidentiality, integrity and availability of sensitive and personal information? The publication in June 2009 of the UK’s first Cyber Security Strategy is a step in the right direction and one the GRC community should not be shy in following.

The Scale of the Challenge

A common theme arising from IA 09 last week (the main cross-governmental conference specialising in Information Assurance), was that the focus on pure technology to mitigate and solve the problem is both flawed and expensive. The key is culture change – we’ve all heard that before – but in this case changing the behaviours of people really does matter. The first step in so doing is to raise awareness and an understanding of the threat and the scale of the problem.

The ability of the cyber-criminal to succeed is based on a number of basic conditions. They see a gap in the market, they have an undisputed ability to organise, they lack those morals which would restrain them from criminal activity, and they would make excellent businessmen in a legitimate environment. In short the “bad guys” according to Oscar O’Connor of SELEX Communications “are always one step ahead”.

Unless there is a change of attitudes and understanding of the damage being done to the very fabric of society and unless governments and business decide to make radical changes in their thinking and approach, the battle will be lost. So is there an opportunity here for the GRC community? Yes, most definitely there is!

Ideas for the GRC Community

An important step in risk and continuity planning is to understand the causes and consequences of disruption, and we have many well-proven and effective processes for doing this: business impact analysis and risk assessment, for example. These techniques help us to focus planning effort on understanding the threat landscape and also suggest many well-documented mitigation measures. If the same techniques are applied to corporate and personal information, as they are to understanding and protecting other important asset classes such as people and property, then there are encouraging grounds for optimism. We can therefore, and arguably should, use techniques already familiar to us to help understand, mitigate and educate people – particularly decision-makers – about the growing nature of the cybercrime problem and what can be done to solve it.

There are many positive steps involved in maintaining an integrated enterprise risk management programme, and only a modest shove in the right direction is needed to include this hugely important and often misunderstood asset class: information. As with people, property and business processes, the essence of what underpins organisational risk management, continuity (or resilience, if you prefer) and compliance is understanding the importance and value of information, whether personal or corporate, and making sure it is well protected. Since information underpins all decision-making, whether for managing normal or disrupted operations, the GRC community needs to raise the spectre of cybercrime and the loss or theft of information as the current critical issue.

And right now there is a great window of opportunity for risk and continuity practitioners to come to the fore. The UK Government’s Central Sponsor for Information Assurance, in conjunction with CESG, has recently published the Information Assurance Maturity Model (IAMM). The adoption of this model has been mandated across central government, and risk and business continuity are the two principal disciplines it identifies as being crucial to effective information assurance.

The importance of understanding the nature of the threat from organised crime cannot be overstated. One of the most immediate and practical ways of bringing this to the forefront of the risk and continuity professions, and to the attention of those we seek to influence, is by asking risk, compliance, information security and business continuity practitioners to start speaking the same language.

At a practical level scenario-based exercises which involve experts from across the spectrum of disciplines would be a good starting point. Perhaps we should spend less time rehearsing fire and flood and more time in discussing how to deal with “blended attacks” where cybercriminals, according to Cisco, “use physical means to access electronic information, and electronic information to compromise physical assets.”

Maitland Hyslop suggests that scenarios involving threats to information resources (i.e. threats which do not include physical attack) may be categorised both by the motivation and resourcing of the cybercriminal or other threat agent, and by the means of attack. The list of threat agents is growing and includes: disaffected staff or contractors; recreational hackers; individuals seeking personal gain, e.g. through theft or extortion; and agents of organised crime, competing commercial interests or issue groups. The types of IT attack include: denial of service; hacking or cracking, whether leading to systems damage or breach of confidentiality; malware (programs with covert malicious intent, including viruses, worms etc.); and malicious or inadvertent damage by insiders.

Without the internet these attacks are difficult. Internet attacks also have certain characteristics which explain their prevalence and impact: they involve action at a distance, regardless of time zones, and in many cases cross national borders. This set of conditions offers the cybercriminal a degree of anonymity and reduces the likelihood of being caught and punished.

The opportunity for the GRC community lies in its ability to convey to its audiences a sense of the scale of the problem and what can be done about it: if necessary with the support of experts across the governance, risk and compliance community. Learning to speak the same language, converging ideas, integrating risk processes, sharing methodologies and collaborating with subject matter experts will lead us to a greater understanding of the cybercrime problem and what we can all do to help mitigate its effects. In these chastened financial times there is no better business case for a bit of collaboration!

Note about the Author

James Royds FBCI is vice-chair of the Business Continuity Institute and a Director of Security Risk Management Ltd., where he is responsible for Business Development. He has been practising in information assurance and business continuity for fourteen years and is a passionate advocate of collaboration across the GRC agenda.