As the 2023 annual meeting of the World Economic Forum wrapped up in Davos, Switzerland, it ended with a disturbing prediction from one of the leading voices. Delivering a presentation on the 2023 Global Cybersecurity Outlook report, forum Managing Director Jeremy Jurgens revealed that 93 percent of those surveyed believe that a “catastrophic” cyber security event is likely in the next two years.
By 2025, it’s expected that cybercrime will cost the world economy around $10.5 trillion annually, increasing from $3 trillion in 2015 according to Cybersecurity Ventures. To put that in context, if it were a country, then cybercrime would have the third largest GDP behind the US and China. Key drivers of this growth are the ongoing digitization of society, behavioral changes due to the global Covid-19 pandemic, political instability such as the war in Ukraine, and the global economic downturn.
According to the WEF report, of particular concern is that the nature of cybercrime is becoming increasingly unpredictable. This is due to technology becoming more complex – in particular, breakthrough technologies such as artificial intelligence. This means that we are increasingly at risk of what has been termed a “catastrophic” cyberattack – one that will have severe and ongoing ramifications for society at large.
What are the critical cyber threats in 2023?
According to the WEF report, one of the biggest threats is a “mutating” threat. This could take the form of an AI-enabled virus that transforms as it infects various systems and organizations to evade defense systems or even detection. Prime Minister of Albania, Edi Rama, whose country suffered an attack that brought down critical infrastructure in 2022, spoke about what he had learned since:
“It’s about viruses that can not only block our way of living but can control it and deviate it. So it can use our systems like, God forbid, our air transport systems to hit us back. Imagine if there is a cyberattack on our air transport systems that turn a huge number of airplanes that are flying into bombs.
“What we learned is that this is something that's absolutely naive to think that … any country can tackle this on its own.”
Another example given of a truly devastating cyberattack was an attempt by Russian-linked groups to hack infrastructure in Ukraine following the 2014 invasion of Crimea, which left 230,000 homes without power. In the run-up to the 2022 invasion, 288,000 attempted cyberattacks were detected against Ukrainian businesses and government infrastructure.
At the same time, however, it's likely that much of the forecasted $10 trillion in economic damage will be caused by smaller attacks, simply aimed at stealing or extorting money from businesses or individuals.
During the WEF presentation, Interpol Secretary-General Jurgen Stock spoke about a 2022 operation by his organization against the west-African cybercrime group Black Axe that recently led to the arrest of 70 individuals. Groups like it are made up of professional hackers, fraudsters, scammers, and money-launderers who have become increasingly proficient at credit card fraud, extortion, identity theft, and ransomware attacks.
One of the most common threats – which probably everyone reading this has been a target of – is phishing attempts. Typically, these involve sending out emails that attempt to dupe unwary recipients into disclosing personal details. The details are then used either to steal from the victim or to commit identity theft – perhaps to apply for loans or credits in the victim’s name. Once attackers have successfully taken control of a victim’s identity, they may then go on to use it to attempt to defraud their friends and family, for example, by claiming that the victim is in trouble and urgently needs money.
Phishing attacks like this rely on social engineering, but purely technology-based attacks exist, too, such as malware. This involves installing malicious software onto a targeted system in order to let the attacker control the system or access data on it.
Ransomware is a specific type of malware, which usually works by encrypting the information on a targeted computer and then blackmailing the victim into paying for it to be decrypted – or face losing access to it forever.
One of the reasons for all of these attacks becoming increasingly common is that cybercrime itself has been commoditized now, warned Stock during the presentation. It’s now possible for anyone to log onto a site in a dark corner of the internet and procure either software or hacking skills “as-a-service”, just as if they were buying any other software or IT service.
What can we do?
Accenture CEO Julie Sweet outlined three important steps that all organizations – including governments – should be taking to build up cyber-resilience.
Firstly, what she referred to as “secure the core” involves ensuring that security and resilience are built into every aspect of the organization – not simply confined to running checks on incoming emails. This equates to a strategy we often speak about - ensuring that cybersecurity is on the agenda from the boardroom to the shop floor and not something that's only discussed within the IT department, as has traditionally been the case at many companies.
Secondly, organizations need to address the skills shortage within the cybersecurity domain. One way of tackling this could involve utilizing automation where possible, freeing up professionals to focus on the human challenges – whether that is spreading awareness of the dangers of phishing and the importance of good password practices or understanding the behavioral changes that attackers will be taking advantage of in the near future. For most organizations, this is likely to involve making an investment in training.
Thirdly, says Sweet, leaders need to understand that “Cyber resilience equals business resilience.” Within her own company, the number of cyber threats detected is a key metric that's brought up at every monthly business review. "It's a concrete change that we made to be clear that cyber is the same as financial performance. Thinking about your own culture, your own processes, what has to change so that your entire C-suite understands."
Following these steps would certainly be a good start for any business that wants to ensure they stand the best chance against today’s threats and whatever may emerge in the future. Exactly what the danger could be of a “catastrophic” attack, as described in the WEF report, are difficult to predict. But the fact is, with so much of our business and private lives conducted online, they could be practically unlimited. But it’s certainly worth remembering that the vast majority of attacks could be thwarted by individuals taking sensible precautions and encouraging others we work or come into contact with to do the same.