Cyber Risks for Business Professionals: A Management Guide

Copyright Date: 2010
Published by: IT Governance Publishing
Pages: 305
    Book Description:

    Cyber Risks for Business Professionals: A Management Guide is a general guide to the origins of cyber risks and to developing suitable strategies for their management. It provides a breakdown of the main risks involved and shows you how to manage them. Covering the relevant legislation on information security and data protection, the author combines his legal expertise with a solid, practical grasp of the latest developments in IT to offer a comprehensive overview of a highly complex subject. Drawing on interviews with experts from Clifford Chance, Capgemini and Morgan Stanley amongst others, the book examines the operational and technological risks alongside the legal and compliance issues. This book will be invaluable to lawyers and accountants, as well as to company directors and business professionals. It explores the security complications that have arisen as a result of the use of laptop computers and memory sticks for remote working and other topics covered include PCI DSS (payment card industry data security standard), Cloud Computing and employee use of social networking sites.

    eISBN: 978-1-84928-093-8
    Subjects: Technology

Table of Contents

  1. Front Matter
    (pp. 1-4)
    (pp. 5-5)

    This book is an update of my previous publication on the subject, Managing Cyber Risks (2002), which addressed the subject from the perspective of law firms only. Some notable developments have occurred since then and I hope I have included those of greatest importance.

    Included in this edition, for instance, are references to relevant provisions of the Companies Act 2006; Provision of Services Regulations 2009; Rome II Regulation No 864/2007; Digital Economy Act 2010; Equality Act 2010; and the Employment Practices Code 2005.

    New areas covered include: wireless networks; identity and access management; Cloud Computing and IT outsourcing; corporate, IT...

  6. Table of Contents
    (pp. 9-11)
  7. Part 1 Identifying Cyber Risks

      (pp. 13-37)

      Only a few years ago, the Internet was a relatively new phenomenon. E-mail and interactive websites offered the prospect of a radical shift from traditional business models to transactions almost exclusively conducted electronically.

      To a great extent, this prospect has arrived. Wherever possible, organisations are seizing the opportunity to: market themselves through websites as opposed to conventional brochures; employ e-mail as a core business communication tool instead of traditional post; and supply goods and services electronically without the need for the physical presence of the consumer. The development and rapid expansion of businesses using the Amazon model is testimony...

      (pp. 38-60)

      There are numerous consequences of mismanaging Internet risks. Missed business and professional opportunities, failure to capitalise on the potential for developing business opportunities, and an inability to compete adequately for market share are all potentially incidental consequences. Consumers and clients need confidence that organisations deploy, manage and operate Internet technologies with the skill, care and expertise that offer assurance of good practice in the conduct of their business.

      Technology risks arise from the deployment, use and operation of technology systems. Typical technology risks arise from insecure messaging systems and inadequate security in the management of data; insufficient business continuity and...

      (pp. 61-76)

      Legal compliance risks arise from failure to comply with legislative, regulatory and codified (for example, professional and business codes of practice) provisions governing the supply of particular goods and services. Typical instances include infringement of: applicable laws and codes in foreign jurisdictions; domestic and foreign advertising regulations and codes of practice; provisions governing the handling of personal data; provisions relating to the protection of consumers; and general legal provisions, such as defamation or harassment. They are referred to as legal compliance risks because they arise primarily from infringement of the law.

      Legal and compliance issues arise from the use of...

      (pp. 77-84)

      Operational risks arise from failure to manage employees’ use of Internet technologies adequately. Typical instances include: abuse of e-mail facilities through unauthorised use in the workplace; accessing and downloading inappropriate material from websites; failing to accept delegated responsibility for managing the organisation’s website; and inadequate delivery of the organisation’s electronic services. They are referred to as operational risks because they arise from some failure of the operational functions of the organisation, principally the failure to manage employees, so that they recognise and accept their responsibilities when using Internet technologies.

      Operational risks arise from business practice. They concern employees’ professional and...

  8. Part 2 Risk Management Strategies

      (pp. 86-108)

      In many respects, the identification of cyber risks is a relatively straightforward task. Almost all Internet risks spring from one or more of three sources:

      variable reliability and application of technology;

      uncertainty surrounding legal and regulatory compliance issues;

      problematic behaviour of personnel in employing and operating Internet technologies.

      These types of concern tend not to arise so critically in traditional business and professional environments where procedures are well established, codes and protocols govern business and professional conduct, and models and channels for providing goods and services are conventional.

      Internet technologies are disruptive. They introduce new models for the provision of...

      (pp. 109-123)

      Effectively managing cyber risks requires an understanding of how to assess the impact of risk. A strategy for the management of a risk should correspond with the nature and degree of the risk to be addressed. Risk assessment tries to identify and anticipate possible events. Effective risk assessment offers an organisation the opportunity to take greater control of its internal and external environment. Instead of reacting to events, the organisation with an effective risk assessment and management strategy can plan and direct its actions with greater confidence that it will not be undermined by unforeseen events.

      Risk assessment involves certain...

      (pp. 124-159)

      The importance of risk management in the commercial sector was recognised in the Turnbull Report produced by the Institute of Chartered Accountants, the recommendations of which became mandatory in December 2000. Broadly, the provisions state that:

      Risk management is the responsibility of the whole Board of Directors.

      Organisations should have a system of controls to protect shareholder and company assets.

      The controls should be reviewed at least annually.

      Risks should be regularly assessed and include risk management and financial, operational and compliance risks.

      The key principles of corporate, IT and project governance were explored in Chapter 5. Effective risk...

  9. Part 3 Cyber Risk Solutions

      (pp. 161-211)

      Chapter 2 identified the key IT risks arising from the use of Internet technologies. This chapter considers how these risks can be addressed through the implementation of certain IT solutions. The categories of technology considered are:

      information and data;

      business continuity and disaster recovery;

      identity and access management;

      outsourced IT;

      Web 2.0.

      The principal technology solution for securing electronic communications is the application of cryptography. In this context it is used chiefly to conceal the content of communications, although cryptographic techniques also provide integrity and authentication (message authentication codes and digital signatures); concealment alone does not stop a message from being altered in transit without the recipient noticing.

      The method of cryptography employed within electronic communications is encryption. Currently, the two most common drivers for the encryption of...
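      The distinction between concealing content and protecting it from alteration is easy to miss in a management summary, so here is an added example, written for this page rather than taken from the book: it encrypts a constructed payment instruction with AES-256 in CTR mode (concealment only) and with AES-256-GCM (authenticated encryption), then flips one ciphertext bit in each. Only the Go standard library is used; the helper names, the sample message and the "invoice-42" identifier are assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample message for the demonstration (not from the page).
const sampleMessage = "PAY 100 GBP TO ACCT 12345678"

// Offset of the '1' in "100": flipping bit 0x08 turns 0x31 ('1') into 0x39 ('9').
const tamperOffset = 4
const tamperMask = 0x08
const gcmNonceSize = 12 // standard GCM nonce length used by cipher.NewGCM

// newKey returns a random 256-bit AES key (hypothetical helper; in practice the
// key comes from a key-management system, never from a constant in source).
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// ctrEncrypt: AES-256-CTR, confidentiality only. Output is iv || ciphertext.
func ctrEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// ctrDecrypt reverses ctrEncrypt. It cannot tell a genuine ciphertext from a
// modified one: CTR is a keystream XOR, so any bit flip passes straight through.
func ctrDecrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCTR(block, data[:aes.BlockSize]).XORKeyStream(pt, data[aes.BlockSize:])
	return pt, nil
}

// gcmSeal: AES-256-GCM authenticated encryption. Output is nonce || ciphertext || tag;
// aad is authenticated but not encrypted (here, a message identifier).
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen verifies the tag before returning any plaintext; tampering yields an error.
func gcmOpen(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], aad)
}

// ctrTamperDemo encrypts sampleMessage with CTR, flips one ciphertext bit and
// returns what the recipient decrypts: the amount silently becomes 900.
func ctrTamperDemo(key []byte) (string, error) {
	ct, err := ctrEncrypt(key, []byte(sampleMessage))
	if err != nil {
		return "", err
	}
	ct[aes.BlockSize+tamperOffset] ^= tamperMask
	pt, err := ctrDecrypt(key, ct)
	return string(pt), err
}

// gcmTamperDemo applies the same bit flip to a GCM ciphertext and reports whether
// the recipient rejected the message.
func gcmTamperDemo(key []byte) (bool, error) {
	aad := []byte("invoice-42") // constructed message identifier
	ct, err := gcmSeal(key, []byte(sampleMessage), aad)
	if err != nil {
		return false, err
	}
	ct[gcmNonceSize+tamperOffset] ^= tamperMask
	_, err = gcmOpen(key, ct, aad)
	return err != nil, nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	altered, _ := ctrTamperDemo(key)
	detected, _ := gcmTamperDemo(key)
	fmt.Printf("CTR recipient reads: %q\nGCM rejected tampering: %v\n", altered, detected)
}
```

      The CTR recipient decrypts "PAY 900 GBP ..." and has no way of knowing the figure was changed, which is why practitioners insist on an authenticated mode (GCM, ChaCha20-Poly1305) or encrypt-then-MAC rather than a bare cipher when "securing" a communication.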

      (pp. 212-262)

      This chapter considers key legal and regulatory provisions relevant to the use of Internet technologies for providing advice and services. A wide range of legal compliance provisions applies and they are categorised for easier reference and understanding:

      Website management: identifies provisions for consideration when using websites to provide information and advertise services.

      Clients and services: identifies specific legislative and regulatory provisions governing the use of the Internet to provide services to clients.

      Jurisdiction and applicable laws: considers provisions governing the supply of legal services involving foreign jurisdictions.

      Internet abuse: identifies legislation that governs certain types of Internet activity that might...

      (pp. 263-286)

      An organisation might employ the most sophisticated technology and develop meticulous compliance procedures, but exposure to Internet risks will remain inadequately addressed, unless operational use of Internet technologies is effectively managed. The types of operational risk that might arise were discussed in Chapter 4.

      Operational controls help to protect directors, partners, personnel and the organisation as a whole from exposure to liability, while at the same time helping to identify any steps to minimise the impact of risks. Controls define the organisation’s expectations of the use of Internet technologies. Without a policy defining their acceptable and unacceptable use, an organisation...

      (pp. 287-302)

      The fundamental changes to the way in which professional services can be delivered through the Internet were described in Chapter 1. They introduce a new business model where the focus is on providing value-added services to clients, and the professional charges according to the value of services, rather than time spent.

      The Internet also introduces new types of risk requiring a new approach. These risks affect all areas of an organisation at all levels. The rapid pace of change in Internet technologies means new risks are constantly evolving and, therefore, need constant control, management, monitoring, audit and review. The introduction...
