Digital technologies have become a critical enabler of economic growth, and societies now rely heavily on the internet. The digital world has brought enormous benefits, but with these benefits come significant vulnerabilities. Cybersecurity incidents are increasing at an alarming rate and are affecting societal norms, essential services, and organizational welfare. The rate of cyber crimes has grown exponentially and is consistent with the expansion and evolution of technology.
The proliferation of cyber attacks is causing widespread damage to companies, governments, and individuals. Cyber attacks range from denial-of-service attacks and website defacements to access to sensitive information and attacks on critical infrastructure. The recent WannaCry malware incident affected over 230,000 computers in over 150 countries in the span of a day. WannaCry targeted computers running Microsoft Windows by encrypting data and demanding ransom payments in Bitcoin cryptocurrency. Large organizations with presumably good cyber security were affected – among them the United Kingdom’s National Health Service (NHS), Spain’s Telefónica, FedEx and Deutsche Bahn. A particularly high-profile incident, which arguably had an impact on the recent election campaign, was Hillary Clinton’s private emails becoming front-page news in the midst of her presidential campaign.
The ever-increasing number of cyber attacks is costing organizations large amounts of money to address and prevent. However, the delay in operations and the potential domino effect on their customers could cost a company much more in money and reputation. It isn’t just the number of cyber security attacks that is increasing; their severity is on the rise as well. PwC reported that these attacks are “becoming progressively destructive and target a broadening array of information and attack vectors.”
Digitization is quickly increasing the impact that these cyber attacks can have and the channels through which they propagate. With the expanding number of services available online, businesses are particularly vulnerable to increasingly sophisticated attacks. One example is the trend toward migrating data to the cloud; a publication by White & Case outlines some of the resulting vulnerabilities. The migration of data to third-party cloud providers centralizes that data, which creates more opportunities for misappropriation of stolen data from a single attack. Similarly, the emphasis on mobile services has opened up corporate systems to more users, exposing sensitive data in ways that can have regulatory, reputational, and financial impacts. With the boundaries between digital and physical realms being increasingly blurred – particularly so with the evolution of the Internet of Things – there is the possibility that appliances and physical objects we interact with every day can be compromised. Hackers can exploit these devices to conduct data breaches, corporate or government espionage, and damage critical infrastructure like electrical grids.
With US federal agencies and other governmental agencies around the world under pressure to increase their levels of security to defend against crippling cyber attacks, businesses are expected to follow suit as regulatory pressure increases in response to growing public awareness. Governments are already tightening regulation to ensure businesses take greater responsibility for preventing and detecting cyber security breaches, for example through tackling malicious VPN use. In the United States alone, 47 states have laws requiring disclosure of breaches that result in the theft of customer data. A key policy that governs this area in the United States is the Data Security and Breach Notification Act of 2015, a companion to the Consumer Privacy Bill of Rights Act of 2015 that governs the collection and dissemination of consumer data. The European Union has also introduced similar regulations.
“Similar to other compliance areas, board directors can be held liable for not discharging their duty to prevent harm to the corporation. In performing their oversight role, directors should stay informed about the corporation’s cyber security defenses. They must ask what the risks are and determine what needs to be done to mitigate them. In today’s connected world, it is, unfortunately, becoming a question of ‘when’ rather than ‘if’ some sort of data breach will occur.” – Detlev Gabel, a partner at White & Case in Frankfurt and leader of the Firm’s Data, Privacy and Cyber Security Group.
New technologies and services such as dual authentication, phishing detection, and advanced encryption improve the defence against current threats. However, as these become widespread, cyber criminals will look to shift their focus to other unidentified vulnerabilities. While the focus has predominantly been on purchasing and deploying technical controls, a risk culture around cyber security is key to fortifying cybersecurity in the organisation. A strong risk culture enables the organization to actively identify and prevent threats. Cybersecurity culture is defined by Rod Turk (Director of the Office of Cybersecurity) as “making sure that users — top to bottom, right to left — [are] keeping cyber security in their thought process no matter what they’re doing in the IT world”. Organizations need to focus on individual responsibility and spread awareness of the role that each employee plays in ensuring that the organization is protected against cyber attacks. They also need to educate employees on how cyber security connects to the organization’s ability to achieve its business objectives and avoid financial loss, regulatory implications, and reputational impacts.
Cyber crime is a threat to all organisations – it is up to business leaders to recognise the potential threat and ensure that their organisation is adequately prepared for and protected from the risks associated with it.