In the rapidly expanding domain of global cyber security breaches, 2017 set a new bar for computer network attacks, writes John Daly.
From major corporate incursions to state-sponsored violations across the globe, the year introduced the public to a new lexicon of electronic criminality known variously as Cloudbleed, Shadowbrokers, WannaCry, NotPetya, BadRabbit and MongoDB.
The simple fact is that exposure to risks from cyber attacks will continue to grow as the world becomes ever more dependent on technology. As the relentless growth of interconnected devices continues to expand, so too does the opportunity for cyberattacks upon organisations and individuals. Given that the number of interconnected devices in the world is expected to jump from the current nine billion to 21 billion by 2020, the prospect of further disruption has now become a grim reality of the modern age.
“Numerous cities around the world have adopted internet of things devices to improve infrastructure, public utilities and services, but at what cost?,” asks Joel Aleburu, cyber security analyst at Dublin-based IT security firm Smarttech247.
“The smarter the city, the more integration between computer systems, and the more open the access to the data collected by all those systems against a wide range of cyber threats,” he said. Previous examples of smart city devices being compromised includes the attack on San Francisco’s public transportation system, where ticket machines were locked down until a ransom demand was resolved; a hacked siren system in Dallas which jarred residents awake and flooded emergency numbers with thousands of calls; a partial blackout of Kiev, Ukraine; and a digitally hijacked tram system in Poland that derailed four vehicles and injured 12.
When one totals the cost of the major natural disasters across the globe in 2017 the financial cost was about €300bn, while the annual economic cost of cybercrime is now estimated at €1tr.
The list of disasters includes Hurricanes Harvey and Irma in the US, an earthquake in Mexico, flooding in Sierra Leone, monsoon destruction in Bangladesh and landslides in Columbia,
“Companies in ‘at risk’ areas often have rigorously developed response plans for extreme weather events, whereas this is rarely the case for cyber attacks,” John Drzik, head of Marsh global risk and digital.
Living in a data-driven world also dictates that there is more risk personal information will be stolen. “A key challenge of this brave new data economy is how we maximise the benefits while minimising the risks,” said IBM chief executive Ginni Rometty at a recent conference.
The National Cyber Security Centre, formed in 2011 and responsible for overseeing the security of government IT and critical national infrastructures, deals regularly with cyber threats on state bodies.
“We have seen incidents in Ukraine and elsewhere where electricity grids were taken down, TV lines taken off air in France and banks taken offline. Nato declared cyber as the fifth domain of warfare, meaning it would actually take it as an act of war. This is a live environment and it’s not getting any quieter,”said a spokesman at a recent briefing.
The Security of Network and Information Systems Directive, due to become law in EU states in May marks a step change in cybersecurity to a legally binding regulatory system for critical infrastructure operators and digital service companies.
Key firms and utilities will be bound with binding security and incident-reporting requirements if they are attacked or have serious security incidents. However, in the PwC Global State of Information Security Survey 2018, almost half the corporate respondents admitted they do not have an employee security awareness training programme. And 54% did not have an incident response process.
“Many organisations need to evaluate their digital risk and focus on building resilience for the inevitable,” said Sean Joyce, PwC’s US cybersecurity leader.