According to KPMG head of cyber Dani Michaux, it is estimated that the global cost of cybercrime has reached US$600 billion annually and this will grow to US$3 trillion in 2021. “That’s the entire GDP of ASEAN,” she notes.
This quite staggering rate of increase points to the scale of the cybersecurity risk facing businesses of all sizes in every sector. “A change of mindset is required,” she says. “You have to believe you are going to be attacked. If you buy a house, you don’t do it in the belief that someone is going to rob you, but you still have to be mindful of the risk. You put locks on the doors and windows, you install a burglar alarm, and you take out insurance. It is the same as any other type of risk for business. You have to invest in controls, security measures, and insurance.”
And the risk is being ramped up by digitalisation. “This is one of the big issues and a major challenge,” says Michaux. “Companies want to improve the customer experience and are using huge amounts of data to do it. The flip side of that is that a lot of people don’t realise these technologies have risks. Everything is moving to the cloud now and there are no on-premise licences anymore. People think that cloud services from a major provider are secure. But they can’t just rely on things to be inherently secure, they have to ensure the correct controls and measures are in place.”
The pace of change is another issue. “Businesses are running at 500k/ph to stay ahead of the competition. They need the technology now and they don’t spend time thinking about security, about what data is being collected, how it is being used, where it is being stored and so on. There is a gap there that needs to be bridged.”
Contagion
The interconnectedness of modern business also presents challenges, with attacks on one company causing contagion along supply chains. “One company gets hit, then another gets hit. It’s not the other company’s fault but they still have to be prepared for this and secure their own data.”
And then there are the nation state bad actors. “Every country is investing in cyber capabilities for national security. Ireland is doing it too. And some nation states are obtaining data from other nation states for their strategic advantage.”
Governments can only do so much, however. Michaux points out that much of the critical national infrastructure on which we all depend is actually privately owned. “How do you ensure that telecoms companies protect the networks which they provide?” she asks.
After that there is organised crime. “The criminals are operating in the same way they have always done,” she notes. “The beauty of cybercrime for them is that it is so hard to track. If you see a criminal stealing someone’s bag, you can do something about it. With cybercrime, you don’t see things and it’s not something people talk about.”
But the impacts, while hidden, can be lasting and costly. “It can take between one month and six months’ effort to recover from a breach,” she says. “The cost in management time and in hiring in experts can be huge. You can’t quantify what you can’t see. We have to help people realise that it’s not just something that happens to other people or companies.”
Large, well-established organisations may actually be more vulnerable than SMEs. “Large banks and utilities which are 50 to 100 years old have lots of legacy systems which were not built for today’s world. I have seen power stations using DOS operating systems. There is no way to secure them. They have to look at replacing them to secure them.”
SMEs have to be aware of the risks as well. “If you ignore it, it’s like buying a car without brakes or airbags because you didn’t think about them,” Michaux says. “If you go back and try to put them in later it costs much, much more. If you think about it at the point of design, it is a lot cheaper. The same goes for cyber security. It costs up to 30 times more to put in later. If you have a system with zero security and a security professional comes along later to fix it, it will be very expensive. Who is going to bear that cost? Will it be your customers through price increases? The other option is reduced profit margins.”
The best option is to stop and think about security and ask the basic questions about it before you buy a new system, she advises. “No one likes the fact that they can be attacked,” she adds. “But when you are replacing or investing in new systems you have to design in security at the beginning. Any organisation looking at digitalisation needs to put security at the top of the agenda from the very outset. The cost is prohibitively high if it is left until later. We have to look at digitalisation as an opportunity to embed security in the business.”