The year 2020 has been a wake-up call for any businesses still lagging behind the digital curve. As hundreds of millions find themselves working from home, in the unprecedented circumstances prompted by the COVID-19 crisis, cyber security measures have been stretched to the limit and criminals have spied opportunities.
While many businesses had already seized the opportunities unlocked by digital transformation – Artificial Intelligence (AI), Fifth generation wireless mobile networks (5G) and the ever-increasing availability of cheap computing power – they are not the only ones reaping the dividends.
Cybercriminals are leveraging the same technology to their own nefarious ends – be they cyber-attacks, data fraud, theft or all of the above.
Cyber-attacks on critical infrastructure have affected sectors such as energy, healthcare and transportation. Meanwhile, the near-universal shift of organizations to an ecosystem model – intricate partnerships and lengthy supply chains, enabled by cloud computing – has placed both public and private sectors at heightened risk of being held hostage by cybercriminals.
“If we look at COVID-19, the coronavirus, there are strong similarities,” says Philipp Hurni, Cyber Risk Engineering Global Practice Leader at Zurich Insurance Group.
“You need to be aware that it's out there and to have a specific hygiene to prevent yourself from catching it. And if you have contracted it how do you remedy it and how do you recover? It's absolutely the same as the way ransomware is being spread out - as we've seen with WannaCry and NotPetya - in that there's a wide range that you need to be aware of in order to tackle it.”
Besides the pandemic which has turned life on its head this year, there are further parallels between traditional risks – such as fire and flood – and the way ransomware affects businesses.
“Companies have their fire insurance and liability insurance, and cyber insurance needs to stand directly next to that because these things can be truly catastrophic for your business,” adds Hurni.
“Everybody knows that a factory burning down means a big loss because it disrupts business production. But not every executive has understood that cyber issues can be even more disastrous because they can affect many different locations at once.
“And the threat from cybercrime is in many ways even greater because it is constantly evolving. Fire and flood don't care if they cause damage or not, whereas if a cybercriminal is not successful, they will adapt and come back again and again with different techniques.”
Yet sticking with traditional legacy models of information technology (IT) – developed in-house and more easily sheltered from external risk – is no longer viable for a modern business. More than 75 per cent of business leaders believe that ecosystems will be the main disruptor of business models over the next five years.
The risk can be successfully managed, however. The starting point is to acknowledge that each business now has a large “information technology dependency factor”. This includes the cloud providers on which business applications are running, outsourced business functions such as HR management tools or payment processors and the increasingly IT-driven, automated physical supply chain of raw materials and parts.
While the danger posed by this brave new digital world is real and demonstrable, it has been a “creeping” risk, increasing year by year as more and more steps of the value chain become digital. Most companies have rarely been fully aware of the increasing cyber risk and hence have neglected to take countermeasures.
“This needs to change,” adds Hurni. “Firstly, you need to put a formal framework and dedicated resources in place to identify and manage the risk. You also need to build a digital literacy culture within your business and supply chain, so everybody understands how digital risk to ecosystems works.
“You have to educate on a continuous basis because the cybercriminals are becoming social engineering experts, spying on entire ecosystems and then breaking into an organization to launch an even bigger attack.
“Even so, some people will still click on a malware link and infect their machine. So there needs to be a system of constant monitoring, with people and processes in place to detect breaches and swiftly react – because you can contain the severity of a cyber-attack drastically by swift response and recovery.”
The same level of vigilance is required across the ecosystem, with measures taken to ensure suppliers and partners maintain good “digital hygiene” of their own.
This ongoing tension between businesses and cybercriminals is only going to escalate. Ransomware attacks – easily the biggest cyber threat today – increased by 41 per cent last year. Yet the likelihood of being convicted of such crimes is vanishingly low.
And far from being the preserve of highly intelligent and educated computer experts, this form of organized crime is open to anyone.
“Years ago you needed to have a pretty thorough understanding of information technology in order to carry out cyber-attacks,” says Oliver Delvos, Zurich’s Global Cyber Underwriting Manager. “But these days criminals can outsource ransomware as a service the same way legitimate businesses use Software as a Service (SaaS).
“Professionals in the cybercrime-business will deal with a lot of individual tasks needed to carry out a cyber-attack, providing the malware and lists of potential victims. A criminal ecosystem has been created with vastly improved quality and professionalism and because payment is made with cryptocurrencies, the criminals can remain completely anonymous.
“You barely need any expertise or knowledge to be a successful cybercriminal – you can basically stand on the shoulders of others and use the tools provided by them.”
This is only the beginning. The Global Risks Report 2020, produced by the World Economic Forum in collaboration with Zurich, ranks cyber-attacks as the second most concerning risk for global businesses over the next decade.
Already today, we see artificial intelligence methods applied in cyber-attack techniques – but they are still in their infancy. In the coming decade, these technologies will mature, and the development of quantum computing might enable cybercriminals to break most of today’s state-of-the-art encryption in the not too distant future. Hence, it is clear that the cyber problem will only become more complex and challenging. The time to take action and put in place a comprehensive counter-plan is well and truly upon us.
- Cyber risk is greater than ever – and growing exponentially
- Digital transformation is a force for both good and bad
- Many businesses underestimate cyber risk
- Countermeasures need to be comprehensive, multi-faceted and backed with funding and support from board level