Cyberattacks are now widespread, common, and even expected at firms worldwide. Many companies have been affected by cyber hacking, ransomware and other threats, with reports of new attacks emerging almost weekly. It is now acceptable to worry about cybersecurity at a priority level, and if you aren’t, well, you should be.
Finance Monthly, in this week’s Your Thoughts, asks what the long-term impact of cybersecurity attacks and similar cyber damage might be, not just on the individual firms and their pockets and operations, but on the markets they trade in, the economies of the countries they reside in, and the overall global fluidity of markets.
Our guests this week answer questions such as: What are cyberattacks, and their effects and impacts, doing to markets, the economy and our countries? How is trade affected in certain sectors? Do you have stats to show this? How do you think companies will react to cyber threats?
Dr Benjamin Silverstone, course leader for computing and quantitative business, Arden University:
The recent ransomware attacks have very publicly demonstrated vulnerabilities in business IT security. Firstly, the direct impact is that the business infrastructure is affected. Companies can be left unable to process orders, causing their operations to shut down, which directly affects their finances along with those of stakeholders. This leads to a second impact on business: consumer confidence.
A number of cyber-attacks in recent years have focused on obtaining personal details of customers and, where possible, defrauding them by pretending to be a familiar company. Rather than blaming the faceless cyber-criminals, consumers will increasingly turn to the company that is being impersonated to ask how this sort of thing could happen in the first place. The readiness to share details online, even with legitimate companies, is being affected and this will damage their business in the long term.
Ultimately, businesses need to consider the cost/benefit of investing in better security systems and changes in practice, to reduce the impact on their business-critical processes. Investment in these approaches may be seen as disproportionately high given the likely impact of an attack; but as we’ve seen, successful attacks can, and do, negatively impact reputation in significant ways, and it is these intangibles that are hard to regain. Rather than an expense, improving security should be viewed as an investment, and insurance against brand damage to help ensure future longevity.
Oz Alashe, CEO, CybSafe:
When WannaCry struck in May, shares in cybersecurity and anti-virus companies surged. Once bitten, twice shy is the old adage, and being crippled by a cyber-attack makes for an uncomfortable AGM. The logical outcome from a global cyberattack is that companies invest in the latest cyber technology to prevent themselves being the next victim.
However, cyberattacks cover many facets. They can also include embarrassing phishing attacks that pranked the Morgan Stanley CEO, James Gormley, and the Bank of England’s Mark Carney recently. Phishing, albeit only one attack vector available to cyber criminals, is particularly noteworthy at present. A recent government survey suggested three-quarters of medium to large businesses in the UK had discovered at least one cybersecurity breach or attack, and a vast majority of these attacks were phishing emails or websites. The report also stated that a “sizeable proportion” of businesses didn’t have “basic protections” in place.
The National Crime Agency recently said that “many businesses failed to report attacks for fear of damaging their reputation.”
One of the biggest phishing incidents in recent history affected Google and Facebook, which were both scammed out of over $100 million in a sophisticated attack. This is concerning because it affects the supply chain and trade relationships. Trade is driven by trust, and if you can’t trust who you are trading with, it undermines the relationship.
What is the answer? Build trust; if you can equip staff with the skills to detect and prevent phishing and other cybercrime attempts you can empower everyone to be the first line of defence for cyberattacks.
Inga Beale, CEO, Lloyd’s:
Cyber-crime already costs an estimated $450 billion a year, and that figure is going to rise as more and more devices are connected to the internet and the sophistication of attackers grows.
This is having – and will continue to have – a huge impact on businesses. Lloyd’s new report on cyber risk, ‘Closing the Gap’, produced in association with KPMG and legal firm DAC Beachcroft, shows that as well as the immediate costs caused by cyber-attacks, slow-burn costs such as litigation, loss of competitive edge and reputational damage can substantially increase the final bill. In today’s multi-media world, it can be the reputational fallout from a cyberbreach that kills modern businesses.
At the same time, more stringent regulations are being put in place, such as the EU’s General Data Protection Regulation – or GDPR – that will increase the penalty for companies that fail to protect European data from cyber threats. When this comes into force in 2018, the courts will be able to fine companies up to EUR20m or 4% of global turnover, whichever is higher, if they fail to comply with the new rules.
Despite these growing implications, it’s clear that many businesses are not facing cyber risk head-on. Recent Lloyd’s research shows that while 92% of respondents said their company had suffered a data breach in the past five years, only 42% are worried about suffering another breach in the future.
Nicola Whiting, COO, Titania:
The annual cost of cybercrime to the global economy is estimated to be between $375 billion and $575 billion (McAfee, Net Losses – Estimating the global cost of cybercrime, June 2014). Unsurprisingly, the richest countries are hit hardest, with G20 nations suffering the bulk of losses. Low-income countries currently have smaller losses, partly due to their infrastructure and reliance on mobile Internet. However, this may change as richer countries continue to invest more in their cyber security and as criminals find new ways to exploit mobile platforms.
The impact on countries is just as important when it comes to international relations. Just look at the hack of the Democratic party and the publication of confidential emails during the 2016 US presidential election, which elevated cyber security in the context of international affairs to a new level around the world.
Hackers will target any industry they can profit from; this is highlighted by the wide range of nations and industries impacted by the ransomware attack last month. Aside from any financial loss, the biggest impact can be on reputation and share price.
However, analysis shows that some sectors are potentially more at risk than others. For example, according to PricewaterhouseCoopers’ 2014 Global Economic Crime Survey, 39% of financial sector respondents said they had been victims of cyber-crime, compared with only 17% in other industries. Other research from Trend Micro assessed breaches that took place between 2005 and 2015 and showed health care as the most highly targeted industry for data breaches.
Any industry that stores customer information, such as credit card details, is a potential target. In 2015 Hilton Hotels, Starwood Hotels & Resorts, Mandarin Oriental and the Trump Collection all admitted that their payments systems had been compromised. Hilton and Starwood said guests’ personal details had been taken after hackers gained access via payment systems. Hackers may have turned their attention to hotels after retailers began improving their security following a series of high-profile attacks on US chains in late 2013 and 2014, including breaches at Target and Home Depot. So any business that handles or stores sensitive data is at risk and once one sector builds its defences hackers will target another one they perceive to be weaker.
Most companies are not doing enough to secure the assets they’re creating. Large organisations can have incredibly complex networks and ‘border control’ issues as they can struggle to secure their IT infrastructure & supply chain. Smaller organisations find it easier to understand where their system borders are, but may lack resource and expertise to secure them.
In both there is inevitably more to be done in two key areas: reducing ‘human errors’ through security training and ensuring the ‘security basics’ are followed. The number of costly breaches that occur through basic training and security failures is astonishing – most of which could’ve been averted.
We’ve worked with everyone from the Department of Defence to small SMEs in creating tools to automate these security basics. Security automation is something all businesses should look at; human beings make mistakes and when that inevitable ‘wrong click’ happens, it’s your next line of defence.
Patrick Martin, Cyber Security Specialist, RepKnight:
According to Forbes, Financial Services are in the Top-5 targeted by cyber-crime. This is borne out by the huge amount of data relating to the financial sector on the dark web. We put some of the UK’s leading financial services companies into BreachAlert, our software tool for searching and monitoring the dark web, and uncovered over 5,000 results. Each find contains thousands of pieces of information about financial services — most are as a result of a data breach one way or another.
Right now, cyber-criminals and bad actors are busy stealing data from within corporate networks and listing it for sale on the dark web. Most organisations neither know about it nor are they equipped to detect or do anything about it. Employee names, addresses, logins, and corporate credit card information are readily available, and companies carry on completely unaware of any illegal activity.
According to the 2017 IBM Ponemon report, this year’s study suggests the global average cost of a data breach is down 10% over previous years to $3.62 million, due in large part to a strong US dollar. In the UK they assess £2.48 million to be the average total cost of a data breach. In addition, victims can suffer a 5% drop in average stock price the day a breach is announced; 7% loss of customers and 31% of consumers discontinue the relationship. But things are about to get much worse next year when the EU enforces the General Data Protection Regulation (GDPR) with costs for organisations that suffer a data breach to be £20 million or 4% of their annual turnover, whichever figure is higher.
For most businesses, it can be next to impossible to find out if their information is on the dark web. So what can businesses do to protect themselves? The key is for all businesses to improve their understanding of how the dark web works, how criminals are using it to buy and sell their data and to put a plan in place to mitigate the damage once their data has been posted on the dark web.
The trick lies in acquiring advanced automated search technology and innovative data management processes. It’s vital for businesses to invest in this type of software that can monitor hundreds of dark web pages and filter and extract information based on things like card numbers and domain names. It’s even more essential to use software which can instantly alert you when your data is being shared or discussed on the dark web. The good news is that this type of software is already on the market and investing in it can save your business from receiving hefty fines from GDPR.
Pascal Geenens, EMEA security evangelist, Radware:
Today there are vibrant online marketplaces where just about anyone—even those with very limited technical knowhow—can buy tools to execute an attack. Cryptographic currencies enable untraceable digital payments, while old-fashioned economics is driving the growth of these marketplaces. Demand for services now outpaces supply, and DDoS-as-a-Service providers can bring in more than $100,000 annually.
Purchasing an attack can be surprisingly inexpensive. On the Clearnet, for as little as $19.99 a month, an attacker can run 20-minute bursts for 30 days utilising a number of attack vectors like DNS, SNMP, SYN and slow GET/POST application-layer DoS attacks. All an attacker has to do is create an account, select a plan, pay in Bitcoin and access the attack hub to target the victim by port, time and method. More advanced and larger botnets are also available for sale on the Darknet.
The motivation for people to pay for such attacks has different drivers, but profit is the most prevailing through the use of Ransom DDoS attack campaigns. The responses from nearly 600 enterprises world-wide confirm this through Radware’s annual ERT report: Ransom is the #1 motivation for cyber-attacks suffered by the respondents: 41% global average, 49% in Europe (half of the businesses!).
Recent trends such as cloud migration, digital transformation, automation (IoT, IoE) and serverless computing increase the number of targets for cyber-attacks. As our economies are becoming more dependent on these online technologies and dark marketplaces, dark marketplaces and economies will thrive on the potential of ransom DoS.