Dark Reading is part of the Informa Tech Division of Informa PLC

10:30 AM
Marc Wilczek

Why Cyberattacks Are the No. 1 Risk

The paradigm shift toward always-on IT requires business leaders to rethink their defense strategy.

With the world going digital, the dependence on the availability of IT infrastructure keeps growing exponentially, and many people don't comprehend the true scope of the implications. The recent cyberattack on the Los Angeles Times is a prominent example: it disrupted the delivery of the Los Angeles Times and Tribune newspapers across the entire US. And in May 2018, a number of distributed denial-of-service (DDoS) attacks were launched targeting the Netherlands, affecting and temporarily shutting down the online banking of three of the country's largest financial institutions.

Thanks to the emergence of the darknet, cybercrime has become widely accessible and procurable, blurring the lines between legitimate e-commerce and illicit trade. In the Netherlands, an 18-year-old man was arrested in connection with the DDoS attacks. He had apparently hired a cybercriminal through one of the various darknet marketplaces and "wanted to show that a teenager can simply crash all banks" with a few clicks. Unfortunately, he was right.

Society Is More Vulnerable to Cyberthreats
Indeed, society has become much more vulnerable to such attacks. The World Economic Forum (WEF) says business leaders in advanced economies see cyberattacks as their single biggest threat, even more so than terrorist attacks (No. 2), an asset bubble (No. 3), a new financial crisis (No. 4), or failure to adapt to climate change (No. 5).

This is no surprise because the business risks associated with cybercrime are growing along with companies' ever-increasing dependence on technology. Moreover, the massive growth in the use of smart devices has opened up a universe of new ways for cybercriminals to launch attacks through large-scale botnets. By 2025, the number of smart devices in the world is projected to exceed 75 billion, outnumbering the global population by a factor of 10. Meanwhile, geopolitical rivalries are engendering larger and more sophisticated cyberattacks by smart, well-resourced IT teams with generous state backing. In particular, large organizations need to take into account a whole range of cyber threats, including business interruption, theft, extortion, reputational damage, economic espionage, and the infiltration of critical infrastructure and services. The evolving threat landscape combined with a mixture of highly sophisticated adversaries makes cyber-risk very challenging to manage.

An Under-Resourced Risk
Awareness of this risk is growing, and more organizations are directing efforts toward cyber-risk management. However, as the WEF highlights, cybersecurity is still under-resourced when measured against the sheer scale of the threat.

Cybercriminals are now estimated to pocket $1.5 trillion annually — a staggering amount equal to Russia's gross domestic product, and five times the cost of approximately $300 billion resulting from natural disasters in 2017. Some studies predict that the takedown of a single cloud provider could result in $50 billion to $120 billion in economic damage — similar to the financial carnage stemming from Hurricane Sandy and Hurricane Katrina. 

Cyber Issues Reduce Value
Cyberattacks can wreak havoc on a company, and severe financial and legal blowback are only the start. Equifax's stock dropped more than 31% after the firm revealed that it had been the victim of a breach. The disclosure erased $5 billion in market value, as reported by MarketWatch. After Yahoo disclosed two large-scale breaches, Verizon cut its buy offer by $350 million, or about 7% of the original price. The breach almost scuttled the deal. Yahoo had to pay a $35 million penalty to settle securities fraud charges levied by the US Securities and Exchange Commission (SEC), and another $80 million to settle lawsuits launched by irate shareholders.

When the Marriott breach hit the news, Sen. Charles E. Schumer (D-NY) called on the hotel chain to foot the bill and replace the passports for as many as 327 million people whose passport numbers might have been exposed in the attack. Marriott pledged to cover the cost, but at $110 per passport — the standard fee — it would have had to fork out an incredible $36 billion, an amount equivalent to the firm's entire market capitalization.

New Risk Imperatives
Other factors influence the consequences of cybercrime. For instance, firms are more heavily leveraged than they were a few years ago. Since 2010, the debt-to-equity ratio for the median S&P 1500 company has nearly doubled. Consequently, according to the WEF, their stability is even more threatened by cybercrime skullduggery.

In response, regulatory frameworks are being tightened up around the globe: witness the General Data Protection Regulation in Europe and the new SEC directives in the US. The authorities want to see better preparation that will mitigate risk, and more transparency after cyberattacks. In a press release, SEC Chairman Jay Clayton urged public companies to "examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives."

Businesses need to focus on their resilience to cyber events and generally need to put emphasis on prevention and response. Research suggests that only about half (52%) of organizations have a CISO on their payroll, and only 44% say their corporate boards actively participate in their companies' overall security strategy. In the digital age, this is no longer good enough and needs rethinking.

Because virtually every business is going digital in one way or another, it's naive to think that today's cyberattacks primarily affect technology companies. In fact, cybercrime is setting its sights on industries across the board, many of which were left alone in the pre-digital era. Hotels, airlines, and banks, for example, are now squarely in the cybercriminals' crosshairs.

The upshot is that modern corporate innovation and growth must be balanced against cyber-risk and IT stability. More than ever, business leaders must create strategic plans that pave the road to emerging opportunities but also outline how their companies will ensure business continuity and deal with the complex set of cyber threats blighting the global digital landscape.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ...
User Rank: Apprentice
1/17/2019 | 3:00:35 AM
Concern for Cyber security
It is undoubtedly a valid concern regarding such Cybersecurity, as there are many unauthorized persons moving around to steal the users' sensitive information. They can get other fruitful suggestions instructed by error code 0x80070057 that will guide them in a proper manner.
User Rank: Moderator
1/22/2019 | 3:33:55 AM
Use less, worry less
It should be anticipated that we make ourselves vulnerable to online attacks when we expose ourselves online around the clock. We need to rethink how we manage our operations and come up with an alternative solution that perhaps involves a little less digital involvement. The less time we spend online, the smaller the window for potential attacks.
User Rank: Apprentice
1/25/2019 | 3:39:06 AM
What's the world coming to
All of this really sounds like a plot for the next thriller movie. I mean, it's not hard to imagine that a kid would be able to do all of that if he wanted to, but the problem here is are we really bringing up kids to be like that in this day and age? Businesses should be very, very afraid...