Combatting Cybersecurity Risks

Introduction

The risk of cybercrime is on a steep upward trajectory. In North America it has risen by 61%, in Europe, the Middle East and Africa by 66%, in Latin America by 58%, and in Asia-Pacific by 74% [1]. According to the U.S. Cybersecurity and Infrastructure Security Defense Agency, 47% of American adults have had their information exposed online from cyber criminals [2]. Meanwhile, in Ireland, cybercrime is the number one threat when it comes to financial crime, with fraud and tax evasion taking joint second place [3].

A recent investigation by Mandiant revealed that governments, businesses and financial institutions are the three primary targets of cyber threats [4]. Meanwhile the firm Cybersecurity Ventures unveiled that global cybercrime financial damage will reach $10.5 trillion by 2025 [5]. That figure would make it the world’s third largest economy behind only the U.S. and China.

It’s vital that businesses start putting cybercrime front of mind. This article will dig into the reasons for cybercrime’s increased prevalence, the core steps businesses need to take to protect themselves, the role of AI, and the impact on small businesses.

Why is cybercrime on the rise?

As well as the obvious reasoning of technological advancement, cybercrime is rising for three reasons. First, the pandemic. In the US, nearly 470,000 phishing attacks were launched by hackers in the first three weeks of March 2020. About 9,000 of those were related to COVID-19 –– a 667% increase from February [6].

The pandemic forced remote working on a number of businesses. All of a sudden staff were working from home, potentially with less secure connections. Equally, staff were more likely to fall for a fake email from their boss or IT department when at home than they would be if they were in an office together. As we will address later, innocent internal errors are a key cause of cybercrime. The home/hybrid working setup makes such instances more likely.

Second, Russia’s invasion of Ukraine. Targeting of users in NATO countries by Russian hackers increased over 300% in 2022 as compared with 2020 [7].

Third, China. According to US officials, the number of attacks from China has intensified greatly in recent years. “The People’s Republic of China represents the most critical threat [among cyber risks],” General Timothy Haugh, head of US cyber command, said while speaking at a Vanderbilt event earlier this year.[8]

The cost of cybercrime

UnitedHealth, a hugely successful American conglomerate, suffered a ransomware attack in February.The company reportedly paid a $22m ransom to a BlackCat hacker group [9]. But the initial payment is just the start of the cost companies suffer in the wake of such breaches. UnitedHealth reported an $872m first-quarter hit from the attack — and warned that number could potentially reach $1.6bn. That’s not to mention the reputational damage. Customers lose trust. All of a sudden things can tailspin quickly.

Meanwhile, the IMF has warned that “the probability of a firm experiencing an extreme loss of $2.5bn as a result of a cyber incident” had now risen to “about once every 10 years”. [10]

In Ireland, Banking & Payments Federation Ireland (BPFI) stats show fraudsters stole nearly €85 million through frauds and scams in 2022, an increase of 8.8% on the previous year [11]. Meanwhile, the HSE attack of 2021 still lives long in the memory. It is the largest known attack against a health service computer system in history. It also demonstrates that the cost of a future breach may not solely be money, but human lives. Companies can’t afford to take any risks.

Cybercrime considerations

Despite the growing risks from cybercrime, a number of businesses have been slow to act. Brandon Wales, a top official of the U.S. Cybersecurity and Infrastructure Security Agency, has suggested boards up company investment in cyber defences and ensure management are treating hacking threats as a core business risk. [12]

That comes from the top. “This needs to be driven at the board level,” Wales said, speaking at the Wall Street Journal’s CIO Network Summit. “You don’t want to start thinking about cybersecurity after your network has been brought down by a ransomware operator.”

There are two broad approaches to take: Cyber Risk Management and Cyber Resilience. Cyber risk management is the preventative aspect. It’s about monitoring risks and identifying threats before they happen. Cyber resilience is about equipping oneself with the tools to recover quickly in the wake of any cyber incident.

Within those pillars are more specific issues to address. Writing in Forbes, Rob Harrison, SVP of Products & Services at Sophos, breaks down the specific risks companies face into three categories: external risks, internal risks, and cloud risks. [13]

External risks are an attempted breach from an external source. That can be from cybercriminals, hacktivists or nation-state actors. The type of attack can vary from ransomware to distributed denial-of-service attacks.

To combat external risks requires regular monitoring of the threat landscape. Technology changes fast and cybercriminals are innovative. Organisations need to be proactive in ensuring their defences are up to date and that they have the appropriate countermeasures in place.

Internal risks involve someone with system access compromising security. That can come by way of an employee, partner or third-party figure. It can be intentional or entirely accidental. Sometimes someone will be deliberately stealing data –– they could be a victim of extortion or harbour ill-feelings toward the company. Or it could be an entirely innocent mishandling of data with devastating consequences.

To combat internal risks requires having a sturdy and constantly evolving security system in place. But it equally is about building a culture. Training employees on the importance of cybersecurity and how to manage data securely is vital. Writing in Forbes, Justin Slaten, chief information officer at Venbrook Group, LLC, advises not relying on only once-a-year training, arguing multiple sessions are needed. “Training sessions throughout the year will create a well-prepared and vigilant team capable of warding off savvy scammers,” he writes. [14]

Cloud-based services are something the majority of us make use of daily in our personal and professional lives. The cloud is deeply practical, but it almost became a trope for comedy shows to reference the fact that no one really knows how it works. Harbouring all one’s data in this liminal space comes with risk.

To combat cloud-based intrusions, companies should be using encryption, multifactor authentication and regular audits. Not to mention ensuring all data is backed up elsewhere –– you don’t want the data stolen or deleted by a bad faith actor to be the only records you have.

Decisions for businesses

Businesses face some key decisions as to how they’re going to address cybercrime. The first is whether they are going to handle their cybersecurity in-house or rely on a third-party vendor to do it for them. Both options have pros and cons –– one offers trade expertise, the other system control. Third-party cybersecurity firms are likely to offer better know-how as to how to protect your business but the option also introduces third-party risk.

Third-party risk, it should be noted, does not just come from cybersecurity firms you contract but from any third-party technology service your company makes use of. Slaten writes that, “As you embrace third-party technologies in a quest to offer better service, you also open the door to unseen and future threats with new updates and service changes.” [15]

Jason Hart, chief technology officer for EMEA at Rapid7, recommends businesses re-examine the role of the chief information security officer [16]. Often this role is awarded strictly for technological prowess, but as Hart acknowledges, it’s crucial now for them to share the attributes of a COO. They need to be able to think big picture, lead transformational change and spot which aspects of the business are most affected in a breach.

There’s no wrong or right answer when it comes to in-sourcing or out-sourcing. Each company must decide what best works for them.

Human vs AI

Another choice businesses must make is how much to rely on AI in their cyber defence versus relying on human agents.

Harrison writes that, “Driven by the economics of ransomware, organizations will likely face human-driven rather than automated attacks. To defend against human ingenuity, you need human defenders.” [17]

Others suggest AI defences are needed. Sam King, chief executive of the security group Veracode, says: “You can now take a GenAI model and train it to automatically recommend fixes for insecure code, generate training materials for your security teams, and identify mitigation measures in the event of an identified threat, moving beyond just finding vulnerabilities.” [18]

Bartosz Skwarczek, Founder and President of the Supervisory Board of G2A Capital Group, defines AI’s key attributes when it comes to combatting cybercrime in real time as (1) its ability to monitor and analyse behaviour patterns, detecting and acting on anomalies (2) its ability to predict the outcomes of unusual behaviour (3) its ability to implement preventative measures, such as preventing deletions, logging off suspicious users and notifying operators of the suspected malicious activity, and (4) its training and machine learning capabilities –– by training itself to “remember” previous incidents and actions, its ability to identify suspicious activity, predict outcomes and prevent criminal initiatives continuously improves. [19]

Another advantage of AI is that using it for mundane, time-consuming and repetitive tasks frees up the human workforce to think about the big picture. Meanwhile, with more than 3.5 million unfilled positions in the human cybersecurity labour force in 2023, for many, using AI will be a necessity not a choice [20].

AI systems are currently far from perfect. Its advocates expect it to improve drastically in the coming years. Still, some combination of human and AI defence seems the most effective process now and moving forwards.

AI-driven cyber security cannot “fully replace existing traditional methods,” warns Gang Wang, associate professor of computer science at the University of Illinois Grainger College of Engineering [21]. To be successful, he says, “different approaches complement each other to provide a more complete view of cyber threats and offer protections from different perspectives.”

Impact on small businesses

Small businesses are generally speaking less prepared to deal with a potential cyber attack –– they lack the resources to implement a strong defence system or to adequately train their personnel. According to a Grant Thornton International Business Report from 2023, one in three small-to-medium businesses in Ireland fell victim to cybercrime between May 2021 and April 2022 [22]. One in three were also reported to have paid out to cybercriminals, with €22,773 the average payout.

There is talk that the government plans to create a national anti-ransomware organisation and offer cash subsidies to small businesses to help fight cybersecurity threats. Michael Kavanagh, CEO of the Compliance Institute, told The Irish Times that, “The timelines for this are unclear but there’s no doubt that the move would be laudable and welcomed with open arms by many businesses that continue to be plagued by ransomware attacks.” [23]

For the majority of small businesses, such support cannot come soon enough.

Combatting cybersecurity risks

Cybercrime is on the rise. Technological advancements paired with geopolitical instability have contributed to an increasingly fractious security environment. The cost of a cybercrime attack –– financially and reputationally –– can devastate a business. As such, greater precautions need to be taken. Businesses must decide whether they’re going to invest in their in-house cybersecurity unit or offset the duty to a third-party. Equally they must find the balance between human and AI defence measures. Small businesses especially lack the resources to adequately defend themselves and will be reliant on potential government support. But businesses of all sizes should be taking steps to better defend themselves.