Wednesday 24 January 2018

The Global Risks Landscape 2018

Towards the end of each year, we tend to come across several reports and white papers that discuss the cyber-threat predictions/concerns for the following year. However, I do believe that very few of these reports really attempt to dig deep when it comes to emerging cyber-related threats and really discuss future trends.

I have had several discussions regarding the future of cyber risk exposure and how cyber risk assessments will start experiencing a significant shift in the following months. There is a bigger picture when it comes to cyber threats and cyber crime. It is not only how much a data breach or business disruption will cost, but at what scale it affects people's lives. This is the moment we need to take a step back and look at magnitude and implications. The main reasons why things should be expected to dramatically change on the Cyber front between 2018 and 2020 are briefly outlined below:

a) The General Data Protection Regulation (GDPR). GDPR has brought Information Security and Cyber Security into the boardroom as a discussion topic, "motivating" stakeholders to act upon the requirements before the regulation is finally in effect (25 May 2018). You should also consider that the disclosure of a breach needs to take place within 72 hours from the moment it was detected, the increased cost of responding to a data breach, and the fines imposed under GDPR.    
b) The number of Cyber attacks expected in 2018 and their impact, according to the Cyber Security Breaches Survey conducted for 2017. (FYI: The official Cyber Security Breaches Survey 2018 detailing business action on cyber security and the costs and impacts of cyber breaches and attacks will be published in April 2018).
c) Now consider the domino effect when it comes to the scale and magnitude of the cyberattacks anticipated by 2020, in contrast with the current state of readiness of business entities and their dependencies across all industries. 

The recently published Global Risks Report by the World Economic Forum (www.weforum.org) has highlighted some very important facts regarding the risk perception for the year 2018. Cyberattacks are now perceived as a global risk of highest concern, especially to business leaders in advanced economies. Cyber is also viewed by the wider risk community as the risk most likely to intensify in 2018, according to the published Global Risks Report.

On the other hand, only one third of companies have prepared an incident response plan for a major cyberattack, according to the research presented in the document. I am not surprised when I hear that decision makers have never heard of the Cyber Security Information Sharing Partnership (CiSP) initiative. (CiSP is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.)

Regardless of which industry you are aligned with, the Impact/Likelihood quadrant above provides a good opportunity to place the global risk landscape into context and identify priority areas for action.

One of the four areas the report focuses on is cybersecurity breaches. The other three areas are: environmental degradation, economic strains and geopolitical tensions, while highlighting the need to prepare for sudden and dramatic disruptions.

One of the key takeaways from the Global Risks Report is that it makes a special effort to highlight the importance of CyberSecurity and Cyber Risk Exposure:

"Cybersecurity risks are also growing, both in their prevalence and in their disruptive potential. Attacks against businesses have almost doubled in five years, and incidents that would once have been considered extraordinary are becoming more and more commonplace. The financial impact of cybersecurity breaches is rising, and some of the largest costs in 2017 related to ransomware attacks, which accounted for 64% of all malicious emails. Notable examples included the WannaCry attack -which affected 300,000 computers across 150 countries- and NotPetya, which caused quarterly losses of US$300 million for a number of affected businesses. Another growing trend is the use of cyberattacks to target critical infrastructure and strategic industrial sectors, raising fears that, in a worst-case scenario, attackers could trigger a breakdown in the systems that keep societies functioning."

One of the elements I was expecting to be discussed in the report (at least a bit further if you take a look at page 33) as an imminent future trend is the use of (Cyber)Weapon of Mass Disruption (for both targeted and untargeted attacks). This is something I have looked into in the past, trying to identify the shift towards a far more passive-aggressive Fifth domain of Warfare, due to the exponential discovery of low-level (H/W) security vulnerabilities (and logic gate "backdoors", that most of you most probably haven't heard of) and state-sponsored cyber security related research. The collateral damage of such behavior is most probably going to be different sectors which are full of either legacy technologies or new systems which have not been built with security in mind. Consider that it is expected to expand from an estimated 8.4 billion devices in 2017 to a projected 20.4 billion in 2020.

Last but not least, the financial costs of cyberattacks seem to be rising. A 2017 study of 254 companies across seven countries put the annual cost of responding to cyberattacks at £11.7 million per company, a year-on-year increase of 27.4%. The cost of cybercrime to businesses over the next five years is expected to be US$8 trillion.
