David Burrows reports on the rising tide of cybercrime, and explains why an increased focus on business’s social role could help solve the problem
Start looking at the statistics around cybersecurity and it’s hard not to be anxious the next time you switch on your laptop. Four in 10 businesses (39%) and a quarter of charities (26%) have reported breaches or attacks during the past 12 months, according to the UK government’s 2021 survey on the topic. Of those, one in five lost money, data or other assets.
The attacks are not just consistently high – they are also constant: 49% of businesses are attacked once a month or more, while for 27% it’s once a week. And the pandemic has only made things worse: COVID-19 has sparked a “massive drive” in attacks, according to Lynsay Shepherd from Abertay University in Dundee.
A paper co-authored by Shepherd and published in the March edition of the journal Computers and Society showed how cybercriminals very quickly used the pandemic to their advantage. They seized on government announcements to “carefully craft and execute cyber-crime campaigns”, the experts wrote. With people communicating online more than ever – not to mention being forced to work from dining tables, rather than their office desks – the increasing threat surprised few of those involved in cybersecurity.
Indeed, PwC has started referring to a ‘cyber pandemic’. Its 2021 global CEO survey placed cyberthreats second on the list of threats that leaders are most worried about (with pandemics and health crises coming out on top). Some 47% said they were ‘extremely concerned’, compared to 33% in the 2020 survey. Hardly a week goes by without another headline attack.
“At home, traditional security signals such as entry passes and formal work settings disappear”
A hideous crime
Terry A’Hearn is one of those to have found themselves at the centre of this storm. On Christmas Eve 2020, just as he was “winding down”, the chief executive of the Scottish Environment Protection Agency (SEPA) received an unwelcome gift – a call to say that there had been an attack. At the time, he admitted he didn’t really know what this meant. Around 4,000 files were stolen and access to almost all SEPA’s data and systems was lost – including everything from flood alerts to emails. A ransom demand was, however, rebuffed. “If we had paid, then we would have increased the risk for everyone else,” A’Hearn told the BBC in June.
The data and systems are still there, reportedly, but how much was backed up isn’t yet clear. A’Hearn told me earlier this year that experts were trying to retrieve as much as possible, but at that stage he couldn’t say whether they would restore some, most or all of it. An update is due any time now. SEPA has, to its credit, been as transparent as possible (a live criminal investigation is ongoing at the time of writing), with A’Hearn eager for others to learn from the agency’s experience. “Unfortunately, it’s a hideous crime that is becoming more and more common,” he says.
Are businesses prepared for the onslaught from increasingly sophisticated attackers? Not nearly enough, according to cybersecurity experts. “Unless the roof is burning, they never do much,” says Hani Banayoti, founding director of CyberSolace, which provides cybersecurity advisory services. The approach is generally “very reactive”, he says. Writing for Reuters last year, he explained that remote working had exposed a “softer underbelly” in security defences.
Indeed, the comfortable and familiar environment of the home office may lead to complacency. Mark Brown is founder of Psybersafe, which uses psychology and behaviour science to train people in cybersecurity. “At home, traditional security signals such as entry passes and formal work settings disappear,” he explains. “Behaviour is less monitored, and we miss the social norm signals we get in the office, like shredding paper or locking a laptop when you walk away.”
It only takes one wrong click for malware or ransomware to get onto a device or into a network. You can picture the scene: a parent who is working from home, juggling deadlines with their children’s teatime, receives an email that appears to be from the managing director – but is, in fact, from a hacker. And these days it’s harder than ever to separate the bogus from the bona fide.
These are not the emails of 10 or 15 years ago – the ones from Nigeria telling you that you’ve received a windfall from a relative you’ve never heard of. Consider this one received by a British art collector, detailed in the Financial Times: “Simon! I’m so thrilled we’ve agreed a deal for such an iconic work of art. New bank details attached, just to be on the safe side. My regards to Amanda – and hope the kids’ colds clear up!”
One of the consistent lessons across the government’s series of cybersecurity surveys has been the importance of staff vigilance: most breaches and attacks identified come via staff members’ user accounts. Some 83% of attacks on businesses were phishing attacks, for example. However, it’s often only those who are caught out who learn their lesson, according to Banayoti. “And even for those, the memory can fade very quickly,” he adds.
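The two lures described above (a message that appears to come from a senior colleague, and a familiar-sounding note asking the recipient to use “new bank details”) share signals that a mail gateway or SOC triage script can look for before the message ever reaches the parent at the dining table. The following is an added illustration written for this article, not code from any of the organisations or experts quoted: it parses a raw message, checks whether the display name matches a known colleague while the address does not, whether Reply-To points somewhere else, and whether the body carries payment-change wording. The organisation domain, the directory of known senders and the two sample messages are all constructed assumptions.

```python
"""Heuristic triage of inbound email for colleague impersonation and
payment-diversion lures.  Added example; the domain, the sender
directory and the sample messages below are constructed assumptions."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

ORG_DOMAIN = "example.co.uk"  # assumed: the organisation's own mail domain

# Assumed internal directory: lower-cased display name -> legitimate address.
KNOWN_SENDERS = {
    "jane smith": "jane.smith@example.co.uk",
}

# Wording that, together with a suspicious sender, points at invoice fraud.
PAYMENT_PATTERNS = [
    r"\bnew bank(?:ing)? details\b",
    r"\bupdated? (?:our )?(?:bank )?account details\b",
    r"\bchange of (?:bank )?account\b",
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw: str) -> dict:
    """Score one RFC 5322 message; returns a verdict and the reasons for it."""
    msg = message_from_string(raw, policy=default)
    name, addr = parseaddr(msg.get("From", ""))
    reasons = []

    # 1. Display name of a known colleague, but sent from a different address.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    impersonation = bool(expected) and addr.lower() != expected
    if impersonation:
        reasons.append(
            f"display name '{name}' matches a known colleague but address "
            f"{addr} is not {expected}"
        )

    # 2. Replies would be routed to a domain other than the visible sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From")

    # 3. Payment-change wording in the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    payment = any(re.search(p, text, re.IGNORECASE) for p in PAYMENT_PATTERNS)
    if payment:
        reasons.append("body asks to use new or changed bank details")

    # 4. Attachments on an already-suspicious message raise the stakes.
    if reasons and any(True for _ in msg.iter_attachments()):
        reasons.append("message carries an attachment")

    if impersonation and payment:
        verdict = "high"      # classic invoice-fraud pattern: hold and verify by phone
    elif reasons:
        verdict = "medium"    # route to a reviewer
    else:
        verdict = "low"
    return {"verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real correspondence).
LURE = """From: Jane Smith <jane.smith@example-co-uk.com>
To: simon@example.co.uk
Subject: Re: the deal
Content-Type: text/plain; charset="utf-8"

Simon! So thrilled we've agreed the deal. New bank details attached,
just to be on the safe side. Regards to Amanda!
"""

LEGIT = """From: Jane Smith <jane.smith@example.co.uk>
To: simon@example.co.uk
Subject: Minutes
Content-Type: text/plain; charset="utf-8"

Minutes from this morning's meeting are in the shared folder.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("legit", LEGIT)):
        print(label, assess_message(raw))
```

The check is deliberately cheap and explainable: each reason is a sentence a help-desk analyst can read back to the recipient, and the “high” verdict depends on two independent signals (impersonation plus payment wording) so that a colleague who genuinely mails from a personal account about an unrelated matter is only routed for review rather than blocked.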
“Until accountability is pushed up the chain, we won’t see much change”
Regulation and trust
There is hope. Interest in businesses’ role in society has swelled on the back of the pandemic, and according to RBC Global Asset Management’s 2020 Responsible Investment Survey, 25% of institutional investors in Europe see cybersecurity, which falls under the ‘S’ of environmental, social and governance (ESG), as a “make or break” investment decision. This is higher than anywhere else in the world. “Ultimately, companies are social actors,” says Brown at Psybersafe. “They play an important role in society, and society is increasingly pushing them to focus on ESG and corporate social responsibility.”
Trust in companies’ ability to protect data and combat attacks is not high, though. Some 28% of the 5,000 consumers quizzed in a global survey by PwC last year said their trust in the technology used by companies has been falling, and 60% expect them to suffer a data breach. That’s likely because 34% say that one or more companies holding their data have already suffered a breach.
Regulation, including GDPR, is offering better protection, but experts suggest there is some way to go – and all the while, hackers advance. Renewable energy providers are currently seen as a juicy target. Italy’s biggest wind operator, ERG, suffered “minor disruption” following a ransomware attack in August, according to reports. Technology has a role to play in energy efficiency, through connected devices and the Internet of Things, but this could bring more threats.
“Everyone is relying on online for everything and that’s what has heightened the attention on this,” says Ann LaFrance, senior partner at law firm Squire Patton Boggs. “Increased reliance on the internet, for everything from commerce to healthcare to systems operation, is likely to require an effective regulatory approach that incentivises corporate boards and senior management to invest in both technical and organisational measures, in order to avoid or mitigate the impact of cyberattacks,” she adds.
Regardless of regulation, it is expected that companies will increasingly disclose their cybersecurity risks and preparedness as investors apply pressure. Half of investors in the RBC survey said the COVID-19 pandemic should see companies disclose more details about ‘social’ factors.
The spotlight isn’t just on the ‘S’, either. Gartner, the global advisory firm, predicts that 75% of CEOs will be personally liable for cyber-physical security incidents by 2024. Corporates will also fear litigation more than regulatory fines. British Airways recently settled a legal claim from some of the 420,000 people affected by a significant data breach in 2018; the settlement is likely to be “five or six times” the (much-reduced) £20m fine handed out by the Information Commissioner’s Office, according to Banayoti at CyberSolace.
Additionally, companies that experience a severe cyber breach see their share value permanently fall by an average of 1.8%, according to a CGI-Oxford Economics study in 2017. What’s worse, the negative impact on share value is getting more severe every year.
Banayoti is among a small, but growing, number of experts who sense that the focus on ESG, as well as related financial and reputational risks, could see cybersecurity led by businesses as a whole, rather than just IT departments. “Until the level of accountability is pushed up the chain and visible, we won’t see much change,” he explains. He is hopeful of “more ownership”.
There is much to do. A 2017 review in Harvard Business Review said that “most board members have expertise in other forms of risk, and not in how to protect corporate assets from nation-state attackers and highly organised cyber adversaries”. SEPA’s A’Hearn says he certainly knows more about the issues than he did on 24 December. The agency is unlikely to be fully operational again until 2023, with its IT systems being rebuilt in a way that “protects ourselves and the people who work with us”.
The businesses regulated by SEPA have, by and large, been patient, but the time will come for a deeper assessment of its preparedness – and any consequences the breach has had on the environment. Consumer-facing and publicly listed companies will be offered less leeway.
David Burrows is a freelance writer and researcher.