This blog is part of the Board Oversight Series, an interactive collection of resources on Cyber Risk.
As cyber risk becomes a fixture atop board agendas, today’s directors face an interesting paradox. The things that drive growth at today’s companies—mergers, acquisitions, globalization, digitization—are also the things that expose the organization to momentous new risks. As board members survey today’s risk environment, it’s important for them to be aware of any new and dangerous trends that may be coming down the pike. Expanding on Cybersecurity Ventures’ 2017 Cybercrime Report, we outline four nascent trends in the world of cybercrime that all directors should have on their radar.
Ransomware attacks are expected to increase in numbers and complexity.
Every 40 seconds, a business falls victim to a ransomware attack. By 2019, that’s predicted to rise to every 14 seconds (Cybersecurity Ventures report). Global ransomware damage costs have multiplied fifteen-fold since 2015, which demonstrates how quickly this dangerous trend is rising.
For those who are unfamiliar, ransomware is a malware software that infects and takes over a company’s computer systems and other electronic devices. Attackers typically demand a ransom to restore access to the systems. While law enforcement officials advise organizations not to pay these ransoms, companies can be placed in precarious positions when the ransomware virus threatens to expose sensitive customer data or disrupt patient care, for example, in the case of a hospital or medical institution.
Board veteran Betsy Atkins advises all boards to outline a ransomware policy as part of their cybersecurity preparedness. A ransomware policy establishes the chain of command in the case of a ransomware attack, along with appointed decision-makers and anticipatory stakeholder messaging. At the least, boards should take the necessary steps to educate themselves on the nature of ransomware attacks and should discuss how company operations could potentially be impacted.
Smartphones and mobile devices will become greater targets as malware evolves beyond PCs and laptops.
PCs and laptops have been the primary forum for cyberattacks; however, cybersecurity experts are predicting a refocusing of malware to smartphones and other mobile devices (Cybersecurity Ventures report). As smart devices become even more connected and integrated with desktop applications, mobile devices become easier targets for cybercriminals. Many corporations give employees reimbursement for using their own cell phones and other devices for business use. Boards should be engaging with their CISO and management team to understand how these devices could be used as a potential entryway to corporate networks.
Billions of under-protected IoT devices will be deployed in the next few years leading to greater connectivity, but also greater risk.
As Internet of Things (IoT) devices undergo an exponential expansion in the years ahead, cybersecurity experts predict that the majority of these nodes will be under-protected. The term “IoT” is used to describe a network of physical devices (e.g., phones, cars, home appliances, electronics) that enable inter-connectivity and data exchange.
As the connectivity between personal and business devices becomes even more fluid, cybersecurity experts expect to see a notable increase in attacks related to IoT devices. In a survey of 800+ IT security professionals, 90% of respondents said they expect connected devices to be a major issue in the years ahead (The Internet of Evil Things, Pwnie Express).
The healthcare industry has been a prime target for cybercrime in recent years. As they bolster their defenses, experts expect criminals to transfer their efforts to other industries like construction, education, advertising, financial services, governments, and law firms. Cybercrime in the legal field could compromise the confidentiality of court cases. Cyberattacks against governmental agencies could affect employment, payroll, elections, and cause other paralyzing damage. No industry or organizational structure is immune.
As attacks against government and businesses are growing increasingly more sophisticated, the cybersecurity skills gap is widening at an alarming pace.
As cybercriminals continue to outpace cybersecurity defenses, one of the greatest risks to today’s global companies is the shortage of cybersecurity talent.
“The greatest virtual threat today is not state-sponsored cyber-attacks; newfangled clandestine malware; or a hacker culture run amok,” said John Reed Stark, former Chief of the SEC’s Office of Internet Enforcement. “The most dangerous looming crisis in information security is instead a severe cybersecurity labor shortage.”
Boards and management teams need to examine their own talent development and training efforts to ensure programs are in place to internally develop these skill sets, as they will become invaluable to the company in the years ahead. From a long-term perspective, what are today’s companies, government agencies, and education systems doing to address the talent shortage and spark interest/opportunities in cybersecurity for today’s youth?
As cybercrime continues to evolve at a rapid pace, today’s boards and management teams must be prepared to assess the significant risks these trends pose to their companies. The impact of these trends ripple outwards to the corporate secretary, who must also find new ways to educate directors on cyber risk and curate relevant information from across the company. Finally, how are the members of your board communicating with one another? A recent research report by the New York Stock Exchange and Diligent allows boards to compare their communication practices to other boards, and more importantly, to identify ways in which they might be putting the company at risk. Download the report here.