A devastating cyber-attack paralyses the main infrastructure of the United States, throwing the entire country into terror and chaos. For now this image is still confined to cinematic fiction, but it could become reality in the near future. In times like these, of high geopolitical tensions, cyber-attacks are increasingly frequent and violent, especially on critical infrastructures, where the consequences can be truly devastating. It is therefore imperative to invest in cybersecurity to protect a sustainable future.
Attacks on critical infrastructure
It was only recently that news broke of a double hacker attack - probably Russian - on the computer systems of Italy's Gestore dei Servizi Energetici (GSE SpA) and ENI within a week. Not to mention the cyber-crimes perpetrated in recent months on major oil refineries in Amsterdam, Rotterdam and Antwerp, as well as on the likes of telephone giant Vodafone in Portugal. In the East, the computer confusion hit the Belarusian railway network, right in the middle of a military exercise with Russia. And Ukrainian financial institutions and government sites could hardly escape unscathed. The list is long and only includes actions committed in Europe. The United States seems less vulnerable, as it has invested large sums in cybersecurity, especially in the financial sector.
According to IBM's annual report (Cost of Data Breach Report 2022)[i], weekly cyber-attacks on companies increased by 50 per cent from 2020 to 2021. According to Check Point's statistics[ii], globally in 2021 there were "more than 900 cyber-attacks per week per organization." So far, 83 per cent of companies have already suffered at least one breach. What is more, the attacks are increasingly devastating, capable of bypassing even the most powerful security systems, and the malware is increasingly diverse: from December 2021 to June 2022, it doubled to over 10,000 variants.
All the costs of cyber attacks
A cyber-attack on a strategic infrastructure (transport, health, communications, energy, industry, education, public sector and financial and technology services) costs on average USD 4.82 million. For other sectors, the average cost rose from $3.8 million in 2020 to $4.35 million in 2022 (+12.7%).[iii]
To this must be added the response time: according to the World Economic Forum's (WEF) Global Cybersecurity Outlook 2022[iv], it takes an average of 280 days to identify and respond to a cyber-attack, and the time is longer for companies with staff working remotely (316 days). Reputational and social damages must be added to the economic damage, as they affect every aspect of daily life.
One-fifth of the breaches compromise supply chains (hacked corporate partners), with recovery operations taking almost a month longer than for isolated threats and a consequent increase in the cost of containing the damage. One example is the 2021 attack by the ransomware group REvil (Russian-linked hackers), which affected 1,500 companies worldwide, including a Swedish supermarket chain that was forced to temporarily close more than 800 shops.
From biological to computer viruses
As a matter of fact, Covid-19 has significantly accelerated the race towards digitisation, greatly expanding its use. According to World Bank estimates, total annual internet traffic in 2022 is set to increase by 50 per cent over 2020 levels, reaching 4.8 zettabytes: in a minute, 197.6 million e-mails and 69 million WhatsApp messages are sent, 695,000 stories are shared on Instagram, 9,132 connections are made on LinkedIn, 1.6 million dollars are spent on e-commerce, while video conferencing has increased tenfold.[v]
This up-to-date overview of reality, where everything is networked and interconnected, produces a huge amount of data and exposes the entire population to a new dimension of digital attacks and threats: digital viruses spread ten times more and faster than biological viruses. And the impacts of next-generation technologies, such as artificial intelligence, quantum computers, ubiquitous connectivity and future approaches to identity and access management, on which the world relies to achieve prosperity in every area of our lives, are not yet known, but could overwhelm the defences of the global security community.
It therefore becomes not only urgent, but also necessary, to invest in cybersecurity to ensure a sustainable future. The urgency has certainly been grasped by the World Economic Forum, which ranks cyber-attacks among the top 10 threats to be addressed in the next decade. The group founded by Klaus Schwab is devoting ample space to this burning issue through initiatives, research, studies and platforms, stimulating dialogue and collaboration between cybersecurity experts and leaders from both the private and public sectors, in order to buffer the negative economic and reputational effects.
Seventeen UN goals at cyber-risk
Goal 9 of the UN Agenda 2030 calls for “building resilient infrastructure, fostering innovation and promoting inclusive and sustainable industrialisation”: resilience is achieved through the modernisation of infrastructure with efficient and cross-cutting use of technology by companies, to avoid waste, and through the adoption of cybersecurity practices, without which the 17 Sustainable Development Goals would be compromised.
In its Cybersecurity Outlook 2022, the WEF focuses on building cyber-resilient ecosystems. The aim is to provide "a detailed analysis of the challenges facing security experts, the approaches to be taken to keep up with new attacks and the measures to be implemented to improve cyber resilience (the ability to anticipate, resist, recover and adapt to dangers and threats), not only within individual organisations, but across the entire ecosystem". It is therefore necessary to consider “how cyber security should not be thought of as a separate technology, but rather as a set of core systems spanning technology, people and processes within the Fourth Industrial Revolution”.
What behaviour and strategies to adopt?
Short of disconnecting everyone from the internet (a day off the net costs the global economy $50 billion[vi]) it is necessary to tackle the problem on several fronts.
At the strategic level, the WEF has developed a set of principles for boards of directors to have a stronger basis for managing their companies' cyber risks. Cybersecurity should be an integral part of risk management policies and the pursuit of corporate objectives. In this regard, it is advisable to incorporate those responsible for cyber security into the board of directors or, at the very least, schedule regular briefings with them. Another key point to improve the cyber resilience of industries and other sectors is to foster partnerships and collective action by all actors, both public and private, of the entire digital ecosystem, which is inescapably interconnected.
Of course, in order to be more proactive in countering future cyber-attacks, it is necessary to invest more significantly in cybersecurity: according to the WEF, investments need to be “adequate to support (training, guidance and research) and incentivise (workforce, regulation) the development of emerging security technologies”.
"Best Practice" against cybercrime in companies
According to the Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST), the reference body par excellence in this field, a comprehensive corporate cybersecurity programme (protecting infrastructure, systems, networks and information) must be based on five operational functions: 1) identifying cyber risks and the vulnerability of corporate assets, 2) protecting critical infrastructure, controlling access and safeguarding sensitive data, 3) detecting and anticipating threats, 4) responding if a breach is detected, and 5) recovering and restoring compromised data.
One cybersecurity model that has proven to be particularly effective, especially with regard to access control, is the so-called “zero trust strategy”, based on the belief that nothing (users, devices and connections), whether internal or external to a company's network perimeter, should be automatically trusted: it encompasses public and private clouds, SaaS applications, DevOps and robotised process automation.
According to IBM's annual Cost of Data Breach Report 2022, companies using the zero-trust model save more than USD 1 million in costs in the event of an attack. The percentage of companies using it has grown from 35% in 2021 to 41% in 2022.
Artificial intelligence and automation
Artificial intelligence (AI) and automation have emerged as the true protagonists of cybersecurity, as they are able to change its very physiognomy. They are able to analyse huge amounts of data on risks, speeding up response times and security operations and, in fact, making companies safer and more environmentally friendly.
Companies with security models based on these two new technological approaches save more than $3 million in the event of cyber-attacks ($3.15 million in costs instead of $6.2 million). IBM's 2022 annual report also highlights the time savings: the life cycle of an attack is reduced by an average of 74 days.
Many have adopted this structured modus operandi in recent years: the percentage of organisations with AI and automation security programmes has increased from 59 per cent in 2020 to 70 per cent in 2022, a growth rate of 18.6 per cent.
Investing in cybersecurity
Juniper Research, a leading digital and technology analyst firm, predicts that investments in cybersecurity will grow by a third just in 2022; the increase will be $134 billion per year. The cybersecurity sector is divided into three areas: hardware, software and services. It is mainly the software market that will benefit from the large inflow of capital, as it enjoys higher growth prospects, stronger margins and stable revenues.[vii]
There are several instruments on the market in which to invest to address this important issue. It is inadvisable to venture into buying a single security, even if it is considered particularly significant for the dynamics of the sector. It is better to rely on ETFs, which allow you to diversify your risk across multiple players, thus covering the broad spectrum of the complex cybersecurity scaffolding. These include the First Trust Nasdaq Cybersecurity (CIBR US), which replicates the Nasdaq CTA Cybersecurity Index, or the L&G Cybersecurity UCITS ETF (USPY LN).
[i] Cost of a data breach 2022, www.ibm.com/reports/data-breach.
[ii] Check Point Research: Cyber Attacks Increased 50% Year over Year, blog.checkpoint.com/2022/01/10/check-point-research-cyber-attacks-increased-50-year-over-year.
[iii] Cost of a data breach 2022, IBM.
[iv] Global Cybersecurity Outlook 2022, World Economic Forum, January 2022.
[v] Ibidem
[vi] Annual Meeting on Cybersecurity, World Economic Forum.
[vii] Cyber Security Benefitting from a dynamic and growing industry, UBS 2020.