Business Reporter

The drivers of the cyber-risk explosion

Gary Lynam at Protecht considers how much riskier the rising levels of cyber-crime can get


It’s clear that the likelihood, impact and velocity of cyber-risk are all increasing, which means that the likelihood of a cyber-event is also rising.

It’s no surprise, then, that cyber-security has become a serious enterprise-wide risk management issue that needs to be addressed both strategically and operationally. Cyber-security was previously viewed largely as a technical issue that was the responsibility of the IT department, but the cyber-risk frontiers have changed and multiplied exponentially.

According to the UK Government, there were approximately 2.39 million instances of cyber-crime in the last 12 months, and it estimates that the average annual cost of cyber-crime for businesses is approximately £15,300 per victim.

With regulators and insurance firms insisting that organisations elevate their cyber and operational resilience or face the consequences, getting to grips with the day-to-day management of cyber- and information-security risks should be viewed as a mission-critical priority.

Factors contributing to the cyber-risk threat

The impact of a cyber-event on an organisation is continually increasing from both a tangible (financial) perspective and an intangible (reputation and brand) perspective. This includes regulators paying more attention to cyber-events, including the potential for fines. The velocity is also increasing, as cyber-attack methods create damage very quickly once an intrusion has occurred, particularly by spreading through what can be vast webs of interconnected systems.

IBM also highlights the disruptive consequences of cyber-attacks for productivity and workflows: its research reveals that it takes organisations an average of 280 days to recover from a cyber-event.

Encompassing a wide range of threats that include data breaches, identity theft, financial fraud and disruptive cyber-attacks designed to cripple critical infrastructure, cyber-crime has become an increasingly commoditised industry that is proving highly lucrative for today’s threat actors.


Working alone, in collaboration with other attackers or as part of an organised criminal group, they are taking advantage of the rapid evolution of technology and the increased convergence and interconnectivity of today’s digitalised environments to perpetrate attacks anywhere in the world.

The professional and personal risks for cyber-attackers are low. They are adept at using software and proxy servers to hide their identity and evade detection or prosecution, and the financial rewards on offer are proving a significant inducement to engage in these types of activity.

How risk is evolving

The proliferation of connected devices, the growth of remote working and the shift to online service delivery have created a perfect storm for organisations looking to keep their systems, their people and their data secure, especially now that crime facilitators provide a variety of cyber-crime-as-a-service offerings that make it easy to rent malware, launch DoS attacks or conduct phishing campaigns.

In addition to hardening system protections against an ever-changing threat landscape, organisations also need to ensure that users and customers know what constitutes safe online behaviour. That is no easy task now that the emergence of generative AI tools has lowered the barrier to entry for those with malicious intent who may previously have lacked the skills to act.

OpenAI tools such as ChatGPT have raised significant concerns that hackers with limited technical skills are now able to write malicious code with ease, make phishing emails appear legitimate, and even clone people’s voices or images to take social engineering attacks to a new level.

Check Point Research (CPR) reveals that hackers are already using OpenAI tools such as ChatGPT to create their own versions of the text-generating technology for malicious purposes, and indicates that it is “only a matter of time until more sophisticated threat actors enhance the way they use AI-based tools for bad.”

The many faces of cyber-adversaries

Organisations also need to be aware of the different types of threat actors and the different methods they use to achieve their goals.


An organisation’s cyber-risk assessments must therefore determine which groups are most likely to target its systems and data. That includes evaluating risk by association, as threat actors may target one organisation’s information systems to gain access to another’s environment.

What type of threat actor could be knocking at your door? Below are some examples, together with their typical approaches.

  • Organised crime – these financially motivated syndicates typically come knocking after a successful ransomware attack to demand a ransom payment, or look to sell the data they’ve captured. Others may covertly hijack an organisation’s systems to mine cryptocurrency.
  • Thrill seekers – intent on overcoming cyber-defences just to see if ‘they can’, thrill seekers usually knock something over for fun, recognition or bragging rights, but they still represent a serious threat.
  • Ideologues – motivated by social or political causes, these so-called ‘hacktivists’ like to use techniques that will get their message heard. This may take the form of denying access to services or defacing websites.
  • Insiders – this group includes malicious insiders or disgruntled employees who have a specific intent. They are a particular threat for certain sectors such as government, defence or critical infrastructure providers.
  • Nation states – government-sponsored groups that are looking to capture government data, steal private-sector IP or monitor financial markets by stealth. In times of geopolitical tension, they may attempt to overtly disrupt infrastructure and services.


Placing the emphasis on operational resilience

In today’s organisations, being able to map and understand the cyber-risk profile and compliance responsibilities in relation to specific regulations is the responsibility not just of IT teams but also of leadership teams.

Organisation-wide control and reporting mechanisms will need to be in place to ensure that operational resilience is monitored, incident response is elevated, and the resources needed to prevent, withstand and recover from an attack are understood. That includes evaluating supply chains and any third-party services on which the organisation depends.

UK Operational Resilience regulation places strong emphasis on third-party risk management, and regulatory changes for the financial sector in both the UK and the EU make this an obligation that cannot be ignored.

The Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have set out potential measures to strengthen, and to hold financial services firms accountable for, the resilience of services provided by critical third parties (CTPs). Similarly, the EU’s Digital Operational Resilience Act (DORA) imposes mandatory rules for third-party risk management, with accountability at senior management level.

Cyber-risk management is becoming increasingly interconnected with the broader risk and resilience strategy, and this is a reality that organisations can no longer afford to ignore. They will need to be confident that they can demonstrate their operational resilience and business continuity capabilities to regulators.

Gary Lynam is Director of ERM Advisory at Protecht

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543