THE VERISK RISK REPORT

The Darkening Cloud of Digital Vulnerability

Each year, we grow more and more comfortable living our lives online: From banking, to medical care, to buying diapers, people around the globe have migrated vital activities, both large and small, online and into the cloud. The same is true of businesses and governments, which increasingly rely on the economical costs and unprecedented connective powers of operating online.

But along with clear advantages, these new digital opportunities introduce new weaknesses. Cyberattacks on businesses have nearly doubled each year since 2014; and according to international investment giant UBS, the number of cybersecurity events increases 20 to 30 percent annually.[1] In the same way that both criminal and national actors vie for control of violence in a society, cybercriminals and modern governments vie for an edge in manipulating online activities to their benefit, often with calamitous results.

Meanwhile, businesses and governments alike lag woefully behind in the security required to combat these threats, leading to a huge risk of digital vulnerability. This two-fold problem—cybercrime and state-led cyber interference—is escalating at an alarming rate, threatening international business, domestic government independence, and countless organizations and individuals.

infographics-Photo-vulnerability.jpg

Cybercrime

There were 945 data breaches in the first six months of 2018, with 4.5 billion records compromised. The number of records affected by breaches increased by 133 percent from 2017, while the number of breaches remained relatively stable as the severity of attacks and the sophistication of criminals continues to grow.[2]

Banks are a clear target: Capital One Financial Corporation was attacked by cybercriminals this year, compromising 100 million customer accounts.[3] The bank expects costs related to the hack could reach $150 million this year alone, and experts believe the company could face up to $500 million in fines.[4] But any major corporation could be a gold mine for industrious criminals: Aluminum producer Norsk Hydro is facing costs of up to $75 million after a cyberattack in early 2019.

The average total cost for each lost or stolen record was estimated at $148 in 2018,[5] an especially frightening figure for smaller businesses. And if current trends are any indication, this number will continue to soar. In addition to the risks such breaches pose to individuals—who suddenly find their identity compromised and their assets potentially at risk—these crimes are a huge risk for financial institutions and other businesses that face penalties, remediation costs, public anger, and diminished brand trust after an attack.

Cyber interference

While cybercriminals pose an intensifying threat, state actors have also entered the fray. Herein lies the difference between crime and warfare, between the shadowy effectiveness of an underground organization and the full might of a modern nation.

In 2007, a Russian government attack on Estonia created a blueprint for future campaigns combining cyberattacks and misinformation.[6] The Bronze Soldier attack, named because the event was sparked by a decision to move a politically charged statue, was the beginning of an increasingly common pattern of disrupting society for military gain. Since then, government actors have continued to refine military-inspired attacks. In 2009, the Stuxnet attack on Iran grabbed headlines after it destroyed uranium-enriching centrifuges. In the disinformation realm, revelations about Russian government interference in the 2016 U.S. presidential election are still coming to light; a Facebook executive told Congress in 2017 that roughly 126 million users saw “news” that was in fact Russian propaganda.[7]  

And new threats continue to appear. In spring 2019, the United States faced its first recorded power grid “cyber event” when the national system was targeted by a cyberattack. “Have as few internet facing devices as possible,” the North American Electric Reliability Corporation urged power utilities in a report issued after the attack (which did not cause outages but was considered significant).

While some of these attacks focus on physical targets and others spread confusion, both types seek to undermine state stability. Much as a government would employ a multiprong military approach in traditional warfare—drawing on a host of tools, people, and strategies—cyber interference today takes many forms. Soon, the line between traditional and cyber warfare may blur even more. Although there has not been a state-led cyberattack believed to have caused the death of a citizen of another country, the risk seems inevitable. In August 2017, a cyberattack intended to cause an explosion at a petrochemical plant in Saudi Arabia was avoided due to a mistake in the attackers’ computer code. If appropriate measures are not taken now, we could find our world drawn into a cataclysmic physical war triggered by online attacks.

New targets with new concerns

Bank accounts are an obvious target for cybercriminals, just as banks are targets for typical thefts. However, new means of attack open up new targets for exploitation. Increasingly, personal medical records are a valuable and vulnerable data pool hosted online. Breaches of this data are particularly attractive to criminals because they often connect sensitive data with financial records. As of 2018, healthcare was the industry most targeted by ransomware; and after a brief decline, this type of attack—in which records and other sensitive digital data are made inaccessible until a fee is paid—is once again on the rise. This summer, Grays Harbor Community Hospital in Washington State was attacked by hackers demanding $1 million, and Park DuValle Community Health Center in Louisville, Kentucky, paid a $70,000 ransom.


“There were 945 data breaches in the first six months of 2018, with 4.5 billion records compromised.”


Among many organizations that may not see themselves as natural targets of cybercrime, cybersecurity remains lax. Mandates for smart cyber activity must be evenly distributed across all sectors to guard against attackers always on the lookout for the weakest link. And it’s worth noting that refusing to pay a ransom is no guarantee of financial protection: When the city of Atlanta was attacked in 2018, it refused to pay the roughly $50,000 requested ransom; but that could end up costing taxpayers $17 million in upgrades and costs associated with the attack.  

Can we protect ourselves in a cyber-focused future?

All human endeavors include some risk, but our online future would be much more secure if we took its vulnerability seriously. Today, personal data is often as valuable as a physical possession, but most people don’t protect it as they would a car or a diamond ring. According to a Pew survey released in 2017, a majority of Internet users couldn’t correctly answer basic questions about cybersecurity and potential cyber threats. On an organizational level, the situation is not much better. As of July 2019, 79 percent of organizations still have at least one Windows 7 system on their networks, and 32 percent still have at least one Windows XP device connected to their network.[8] That may sound like a trivial detail, but it can act like a ground-floor window left open in a home while the family is out of town. Extended support for the XP program ended in 2014, meaning security features are out of date and provide a tempting point of entry for unlawful actors.

This scenario is fixable, but it represents a larger problem. In general, our patch cadence—the speed at which vulnerabilities are addressed—lags behind the pace at which malicious actors are identifying weaknesses. We should treat cyberattacks as we would a foreseeable, trackable hurricane in the Caribbean during storm season, when too often we view them as an earthquake in New York City: unpredictable, devastating, and unlikely to reoccur.

As we live more and more of our lives online, the risks we encounter there will continue to grow in frequency and severity. These attacks no longer require physical infiltration or the participation of willing employees or spies—the greatest threat is the unwitting accomplice and the unprotected online door. Especially as we begin deploying 5G technology and its underlying infrastructure, we must take digital vulnerability seriously and rethink the way we protect ourselves, our businesses, and our nations.


[1]. https://www.usatoday.com/story/tech/2019/07/30/capital-one-data-breach-2019-what-cost-you/1869724001/

[2]. https://www.itweb.co.za/content/G98YdqLxZZNqX2PD

[3]. https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html

[4]. https://fortune.com/2019/07/31/capital-one-data-breach-2019-paige-thompson-settlement/

[5]. https://www.ibm.com/downloads/cas/861MNWN2

[6]. https://www.bbc.com/news/39655415

[7]. https://time.com/5573537/mueller-report-russia-election-interference/

[8]. https://www.techrepublic.com/article/its-2019-and-one-third-of-businesses-still-have-active-windows-xp-deployments/