Companies need to build resilience in the face of growing state-backed cyber threats

A leading cyber threat expert has warned that the ramp-up of state-backed cyber-attacks has to be recognised by businesses, which will need to invest in greater resilience.

James Gerber, chief financial officer of military-specification cyber ranges expert SimSpace, warned that the threat from state attacks will only increase and that business leaders need to make cyber resilience a priority.

He told Emerging Risks: “Cyber risk should be a priority for every boardroom as cybercrime is an enterprise-wide challenge. Ransomware attacks are on the rise, costing businesses an average of $4.54 million, not including the ransom itself. On top of this, regulators are increasingly putting more pressure on organisations to take accountability for their cyber defence systems.

“A common mistake many organizations make is to leave responsibility to the IT department. In reality, the responsibility for cyber security lies on the shoulders of companywide boards.”

He added that regulators are now making it clear that cyber risk must be a board-level priority and are holding companies directly accountable for any breaches in their systems. Recent manifestos such as Biden’s New Cyber Strategy and the SEC’s new proposal named ‘Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure’ are forcing companies to be open and honest with customers, investors, shareholders, and regulators about their cybersecurity governance abilities.

“In the UK, the government has made clear its plans to require listed companies to publish a ‘resilience statement’ with specific information on cybersecurity risks,” he added. “This growing awareness means that 40% of boards of directors will have a cybersecurity committee overseen by a qualified board member by 2025 according to Gartner.”

Gerber said cyber resilience, like other financial and operational risks, needs to be budgeted and resourced appropriately.

“Senior leaders and managers are crucial in ensuring cyber security is held as a core value within organizations and that staff are dedicated to cybercrime prevention. In this way, companies can reassure their customers and shareholders whilst protecting their own backs. Maintaining a constant state of rehearsal, ensuring your people, processes, and technology all work in concert is the only way to quantitatively ensure this.”

Looking at the threat of state-backed attacks, Gerber said the risks were growing.

“With the increasing geopolitical tensions caused by Russia’s war on Ukraine, experts have been warning cyberattacks on Ukraine will be used as a template by hackers on a global level,” he explained. “Since the start of the war, Russian-based phishing attacks against email addresses of European and US-based businesses have increased eight-fold.

“Microsoft’s Digital Defence Report 2022 found a disturbing increase in aggressive nation state cyber activity last year. The report revealed the proportion of cyber-attacks perpetrated by nation states targeting critical infrastructure jumped from 20% to 40%, and this is expected to increase this year as the war develops.

“However, nation state actors have become increasingly aggressive in cyberspace even beyond the Russia-Ukraine conflict. These actions are primarily for financial gain, exploiting vulnerabilities to infiltrate, extract, and hold to ransom sensitive data. The surge in cybercrime-as-a-service across all threat vectors, especially ransomware, is leaving organizations at the mercy of cyber criminals.”

Gerber warned: “Businesses need to carry out regular assessments in order to understand their vulnerabilities and exposure points. Training their people, processes, and technology within a high-fidelity, simulated cyber range allows organizations to understand and improve upon their security weaknesses. As state-backed attacks continue to increase, companies need to ensure they stay one step ahead of cybercriminals.”

In terms of insurance cover, Gerber said the market was still wrestling with its response.

“Cyber insurance is not a silver bullet,” he said. “Although it may assist in the recovery after a breach, it does not prevent a breach, nor does it treat the cause of the problem, which is a lack of reliable security protocols. Cyber insurance generally covers the losses relating to damage to, or loss of information from, IT systems and networks.

“However, around 1 in 10 US organisations have no such insurance against cyberattacks. Furthermore, as we’ve seen with Lloyd’s of London, companies are starting to include exemptions that would prevent policies paying out if a major attack is judged to be ‘state-backed’.

“Cyber insurance companies are doing two things: raising rates and rejecting claims which are classed as ‘acts of war’. Therefore, cyber insurance presents a false sense of security.”