Cybercrime: A parallel pandemic

23rd September 2021


Web p22 A Parallel Pandemic CREDIT Getty

Related tags

  • Technology

Author

David Burrows

David Burrows reports on the rising tide of cybercrime, and explains why an increased focus on business’s social role could help solve the problem

Start looking at the statistics around cybersecurity and it’s hard not to be anxious the next time you switch on your laptop. Four in 10 businesses (39%) and a quarter of charities (26%) have reported breaches or attacks during the past 12 months, according to the UK government’s 2021 survey on the topic. Of those, one in five lost money, data or other assets.

The attacks are not just consistently high – they are also constant: 49% of businesses are attacked once a month or more, while for 27% it’s once a week. And the pandemic has only made things worse: COVID-19 has sparked a “massive drive” in attacks, according to Lynsay Shepherd from Abertay University in Dundee.

A paper co-authored by Shepherd and published in March edition of the journal Computers and Society showed how cybercriminals very quickly used the pandemic to their advantage. They seized on government announcements to “carefully craft and execute cyber-crime campaigns”, the experts wrote. With people communicating online more than ever – not to mention being forced to work from dining tables, rather than their office desks – the increasing threat surprised few of those involved in cybersecurity.

Indeed, PwC has started referring to a ‘cyber pandemic’. Its 2021 global CEO survey placed cyberthreats second on the list of threats that leaders are most worried about (with pandemics and health crises coming out on top). Some 47% said they were ‘extremely concerned’, compared to 33% in the 2020 survey. Hardly a week goes by without another headline attack.

“At home, traditional security signals such as entry passes and formal work settings disappear”

A hideous crime

Terry A’Hearn is one of those to have found themselves at the centre of this storm. On Christmas Eve 2020, just as he was “winding down”, the chief executive of the Scottish Environment Protection Agency (SEPA) received an unwelcome gift –a call to say that there had been an attack. At the time, he admitted he didn’t really know what this meant. Around 4,000 files were stolen and access to almost all SEPA’s data and systems was lost – including everything from flood alerts to emails. A ransom demand was, however, rebuffed. “If we had paid, then we would have increased the risk for everyone else,” A’Hearn told the BBC in June.

The data and systems are still there, reportedly, but how much was backed up isn’t yet clear. A’Hearn told me earlier this year that experts were trying to retrieve as much as possible, but at that stage he couldn’t say whether they would restore some, most or all of it. An update is due any time now. SEPA has, to its credit, been as transparent as possible (a live criminal investigation is ongoing at the time of writing), with A’Hearn eager for others to learn from the agency’s experience. “Unfortunately, it’s a hideous crime that is becoming more and more common,” he says.

Stay vigilant

Are businesses prepared for the onslaught from increasingly sophisticated attackers? Not nearly enough, according to cybersecurity experts. “Unless the roof is burning, they never do much,” says Hani Banayoti, founding director of CyberSolace, which provides cybersecurity advisory services. The approach is generally “very reactive”, he says. Writing for Reuters last year, he explained that remote working had exposed a “softer underbelly” in security defences.

Indeed, the comfortable and familiar environment of the home office may lead to complacency. Mark Brown is founder of Psybersafe, which uses psychology and behaviour science to train people in cybersecurity. “At home, traditional security signals such as entry passes and formal work settings disappear,” he explains. “Behaviour is less monitored, and we miss the social norm signals we get in the office, like shredding paper or locking a laptop when you walk away.”

It only takes one wrong click for malware or ransomware to get onto a device or into a network. You can picture the scene: a parent who is working from home, juggling deadlines with their children’s teatime, receives an email that appears to be from the managing director – but is, in fact, from a hacker. And these days it’s harder than ever to separate the bogus from the bona fide.

These are not the emails of 10 or 15 years ago – the ones from Nigeria telling you that you’ve received a windfall from a relative you’ve never heard of. Consider this one received by a British art collector, detailed in the Financial Times: “Simon! I’m so thrilled we’ve agreed a deal for such an iconic work of art. New banks details attached, just to be on the safe side. My regards to Amanda – and hope the kids’ colds clear up!”

One of the consistent lessons across the government’s series of cybersecurity surveys has been the importance of staff vigilance: most breaches and attacks identified come via staff members’ user accounts. Some 83% of attacks on businesses were phishing attacks, for example. However, it’s often only those who are caught out who learn their lesson, according to Banayoti. “And even for those, the memory can fade very quickly,” he adds.

“Until accountability is pushed up the chain, we won’t see much change”

Regulation and trust

There is hope. Interest in businesses’ role in society has swelled on the back of the pandemic, and according to RBC Global Asset Management’s 2020 Responsible Investment Survey, 25% of institutional investors in Europe see cybersecurity, which falls under the ‘S’ of environmental, social and governance (ESG), as a “make or break” investment decision. This is higher than anywhere else in the world. “Ultimately, companies are social actors,” says Brown at Psybersafe. “They play an important role in society, and society is increasingly pushing them to focus on ESG and corporate social responsibility.”

Trust in companies’ ability to protect data and combat attacks is not high, though. Some 28% of the 5,000 consumers quizzed in a global survey by PwC last year said their trust in the technology used by companies has been falling, and 60% expect them to suffer a data breach. That’s likely because 34% say that one or more companies holding their data have already suffered a breach.

Regulation, including GDPR, is offering better protection, but experts suggest there is some way to go – and all the while, hackers advance. Renewable energy providers are currently seen as a juicy target. Italy’s biggest wind operator, ERG, suffered “minor disruption” following a ransomware attack in August, according to reports. Technology has a role to play in energy efficiency, through connected devices and the Internet of Things, but this could bring more threats.

“Everyone is relying on online for everything and that’s what has heightened the attention on this,” says Ann LaFrance, senior partner at law firm Squire Patton Boggs. “Increased reliance on the internet, for everything from commerce to healthcare to systems operation, is likely to require an effective regulatory approach that incentivises corporate boards and senior management to invest in both technical and organisational measures, in order to avoid or mitigate the impact of cyberattacks,” she adds.

Regardless of regulation, it is expected that companies will increasingly disclose their cybersecurity risks and preparedness as investors apply pressure. Half of investors in the RBC survey said the COVID-19 pandemic should see companies disclose more details about ‘social’ factors.

Taking ownership

The spotlight isn’t just on the ‘S’, either. Gartner, the global advisory firm, predicts that 75% of CEOs will be personally liable for cyber-physical security incidents by 2024. Corporates will also fear litigation more than regulatory fines. British Airways recently settled a legal claim from some of the 420,000 people affected by a significant data breach in 2018; the settlement is likely to be “five or six times” the (much-reduced) £20m fine handed out by the Information Commissioner’s Office, according to Banayoti at CyberSolace.

Additionally, companies that experience a severe cyber breach see their share value permanently fall by an average of 1.8%, according to a CGI-Oxford Economics study in 2017. What’s worse, the negative impact on share value is getting more severe every year

Banayoti is among a small, but growing, number of experts who sense that the focus on ESG, as well as related financial and reputational risks, could see cybersecurity led by businesses as a whole, rather than just IT departments. “Until the level of accountability is pushed up the chain and visible, we won’t see much change,” he explains. He is hopeful of “more ownership”.

There is much to do. A 2017 review in Harvard Business Review said that “most board members have expertise in other forms of risk, and not in how to protect corporate assets from nation-state attackers and highly organised cyber adversaries”. SEPA’s A’Hearn says he certainly knows more about the issues than he did on 24 December. The agency is unlikely to be fully operational again until 2023, with its IT systems being rebuilt in a way that “protects ourselves and the people who work with us”.

The businesses regulated by SEPA have, by and large, been patient, but the time will come for a deeper assessment of its preparedness – and any consequences the breach has had on the environment. Consumer-facing and publicly listed companies will be offered less leeway.

David Burrows is a freelance writer and researcher.

Image credit | Getty

Subscribe

Subscribe to IEMA's newsletters to receive timely articles, expert opinions, event announcements, and much more, directly in your inbox.


Transform articles

Companies ‘greenstalling’ due to fear of unfair scrutiny of climate efforts

Large businesses across the world are avoiding climate action due to fear they will be called out for getting their work wrong, according to a new Carbon Trust report.

29th February 2024

Read more

A thought-provoking discussion on how storytelling can change the world took place in Central London last night, alongside an exclusive sneak preview of an upcoming IEMA film series.

29th February 2024

Read more

The UK’s net-zero economy grew 9% last year while delivering higher paid jobs than average and attracting billions of pounds in private investment, analysis by CBI Economics has uncovered.

28th February 2024

Read more

A consortium including IEMA and the Good Homes Alliance have drafted a letter to UK government ministers expressing disappointment with the proposed Future Homes Standard.

26th February 2024

Read more

IEMA and the Institute and Faculty of Actuaries (IFoA) have today published up-to-date guidance to help companies and individuals understand climate-related financial information.

22nd February 2024

Read more

Campaign group Wild Justice has accused the UK government of trying to relax pollution rules for housebuilders “through the backdoor”.

14th February 2024

Read more

Global corporations such as Amazon and Google purchased a record 46 gigawatts (GW) of solar and wind energy last year, according to BloombergNEF (BNEF).

13th February 2024

Read more

Three-quarters of UK adults are concerned about the impact that climate change will have on their bills, according to polling commissioned by Positive Money.

13th February 2024

Read more

Media enquires

Looking for an expert to speak at an event or comment on an item in the news?

Find an expert

IEMA Cookie Notice

Clicking the ‘Accept all’ button means you are accepting analytics and third-party cookies. Our website uses necessary cookies which are required in order to make our website work. In addition to these, we use analytics and third-party cookies to optimise site functionality and give you the best possible experience. To control which cookies are set, click ‘Settings’. To learn more about cookies, how we use them on our website and how to change your cookie settings please view our cookie policy.

Manage cookie settings

Our use of cookies

You can learn more detailed information in our cookie policy.

Some cookies are essential, but non-essential cookies help us to improve the experience on our site by providing insights into how the site is being used. To maintain privacy management, this relies on cookie identifiers. Resetting or deleting your browser cookies will reset these preferences.

Essential cookies

These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website.

Analytics cookies

These cookies allow us to recognise and count the number of visitors to our website and to see how visitors move around our website when they are using it. This helps us to improve the way our website works.

Advertising cookies

These cookies allow us to tailor advertising to you based on your interests. If you do not accept these cookies, you will still see adverts, but these will be more generic.

Save and close