Vulnerabilities / Threats

1/15/2019
10:30 AM
Marc Wilczek
Marc Wilczek
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail vvv
50%
50%

Why Cyberattacks Are the No. 1 Risk

The paradigm shift toward always-on IT requires business leaders to rethink their defense strategy.

With the world going digital, the dependence on the availability of IT infrastructure keeps exponentially growing, and many people don't comprehend the true scope of the implications. The recent cyberattack on the Los Angeles Times is a prominent example, disrupting the delivery of the Los Angeles Times and Tribune newspapers across the entire US. And in May 2018, a number of distributed-denial-of-service (DDoS) attacks were launched targeting the Netherlands, affecting and temporarily shutting down the online banking of three of the country's largest financial institutions.

Thanks to the emergence of the darknet, cybercrime has become widely accessible and procurable, blurring the lines between legitimate e-commerce and illicit trade. In the Netherlands, an 18-year-old man was arrested in connection with the DDoS attacks who apparently hired a cybercriminal through one of the various marketplaces in the darknet and who "wanted to show that a teenager can simply crash all banks" with a few clicks — unfortunately, he was right.

Society Is More Vulnerable to Cyberthreats
Indeed, society has become much more vulnerable to such attacks. The World Economic Forum (WEF) says business leaders in advanced economies see cyberattacks as their single biggest threat, even more so than terrorist attacks (No. 2), an asset bubble (No. 3), a new financial crisis (No. 4), or failure to adapt to climate change (No. 5).

This is no surprise because the business risks associated with cybercrime are growing along with companies' ever-increasing dependence on technology. Moreover, the massive growth in the use of smart devices has opened up a universe of new ways for cybercriminals to launch attacks through large-scale botnets. By 2025, the number of smart devices in the world is projected to exceed 75 billion, outnumbering the global population by a factor of 10. Meanwhile, geopolitical rivalries are engendering larger and more sophisticated cyberattacks by smart, well-resourced IT teams with generous state backing. Particularly, large organizations need to take into account a whole range of cyber threats — including business interruption, theft, and extortion — reputational damage, economic espionage, and the infiltration of critical infrastructure and services. The evolving threat landscape combined with a mixture of highly sophisticated adversaries makes cyber-risk very challenging to manage.

An Under-Resourced Risk
Awareness of this risk is growing, and more organizations are directing efforts toward cyber-risk management. However, as the WEF highlights, cybersecurity is still under-resourced when measured against the sheer scale of the threat.

Cybercriminals are now estimated to pocket $1.5 trillion annually — a staggering amount equal to Russia's gross domestic product, and five times the cost of approximately $300 billion resulting from natural disasters in 2017. Some studies predict that the takedown of a single cloud provider could result in $50 billion to $120 billion in economic damage — similar to the financial carnage stemming from Hurricane Sandy and Hurricane Katrina. 

Cyber Issues Reduce Value
Cyberattacks can wreak havoc on a company, and severe financial and legal blowback are only the start. Equifax's stock dropped more than 31% after the firm revealed that it had been the victim of a breach. The disclosure erased $5 billion in market value, as reported by MarketWatch. After Yahoo disclosed two large-scale breaches, Verizon cut its buy offer by $350 million, or about 7% of the original price. The breach almost scuttled the deal. Yahoo had to pay a $35 million penalty to settle securities fraud charges levied by the US Securities and Exchange Commission (SEC), and another $80 million to settle lawsuits launched by irate shareholders.

When the Marriott breach hit the news, Sen. Charles E. Schumer (D-NY) called on the hotel chain to foot the bill and replace the passports for as many as 327 million people whose passport numbers might have been exposed in the attack. Marriott pledged to cover the cost, but at $110 per passport — the standard fee — it would have had to fork out an incredible $36 billion, an amount equivalent to the firm's entire market capitalization.

New Risk Imperatives
Other factors influence the consequences of cybercrime. For instance, firms are more heavily leveraged than they were a few years ago. Since 2010, the debt-to-equity ratio for the median S&P 1500 company has nearly doubled. Consequently, according to the WEF, their stability is even more threatened by cybercrime skullduggery.

In response, regulatory frameworks are being tightening up around the globe — witness the General Data Protection Regulation in Europe and the new SEC directives in the US. The authorities want to see better preparation that will mitigate risk, and more transparency after cyberattacks. In a press release, SEC Chairman Jay Clayton urged public companies to "examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives."

Businesses need to focus on their resilience to cyber events and generally need to put emphasis on prevention and response. Research suggests that only about half (52%) of organizations have a CISO on their payroll, and only 44% say their corporate boards actively participate in their companies' overall security strategy. In the digital age, this is no longer good enough and needs rethinking.

Because virtually every business is going digital in one way or another, it's naive to think that today's cyberattacks primarily affect technology companies. In fact, cybercrime is setting its sights on industries across the board, many of which were left alone in the pre-digital era. Hotels, airlines, and banks, for example, are now squarely in the cybercriminals' crosshairs.

The upshot is that modern corporate innovation and growth must be balanced against cyber-risk and IT stability. More than ever, business leaders must create strategic plans that pave the road to emerging opportunities but also outline how their companies will ensure business continuity and deal with the complex set of cyber threats blighting the global digital landscape.

Related Content:

 

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
michaelmaloney
50%
50%
michaelmaloney,
User Rank: Apprentice
1/25/2019 | 3:39:06 AM
What's the world coming to
All of this really sounds like a plot for the next thriller movie. I mean, it's not hard to imagine that a kid would be able to do all of that if he wanted to, but the problem here is are we really bringing up kids to be like that in this day and age? Businesses should be very, very afraid...
CameronRobertson
50%
50%
CameronRobertson,
User Rank: Moderator
1/22/2019 | 3:33:55 AM
Use less, worry less
It should be anticipated that we make ourselves become vulnerable to online attacks when we expose ourselves online around the clock. We need to rethink how we manage our operations and come up with an alternative solution that perhaps involve a little less digital involvement. The less time we spend online, the smaller the window for potential attacks.
sophiared
50%
50%
sophiared,
User Rank: Apprentice
1/17/2019 | 3:00:35 AM
Concern for Cyber security
It is undoubtedly a valid concern regarding such Cybersecurity as there are many unauthorized persons are moving around to steal the users' sensitive information. They can get other fruitful suggestions instructed by error code 0x80070057 that will guide them in a proper manner.
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6485
PUBLISHED: 2019-02-22
Citrix NetScaler Gateway 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5 before build 69.5 and Application Delivery Controller (ADC) 12.1 before build 50.31, 12.0 before build 60.9, 11.1 before build 60.14, 11.0 before build 72.17, and 10.5...
CVE-2019-9020
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read or read after free). This is related to xml_elem_parse_buf in ext/xmlrpc/libxmlrpc...
CVE-2019-9021
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A heap-based buffer over-read in PHAR reading functions in the PHAR extension may allow an attacker to read allocated or unallocated memory past the actual data when trying to parse the file...
CVE-2019-9022
PUBLISHED: 2019-02-22
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parser...
CVE-2019-9023
PUBLISHED: 2019-02-22
An issue was discovered in PHP before 5.6.40, 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.1. A number of heap-based buffer over-read instances are present in mbstring regular expression functions when supplied with invalid multibyte data. These occur in ext/mbstring/oniguruma/regcom...