• Cyberattacks today are potentially as destructive as major natural disasters.
• Too often, businesses find themselves reacting to - rather than preparing for - attacks.
• Here are five steps firms can take towards building stronger cyber resilience.

Hurricane Katrina, the Category 5 hurricane that struck Florida and Louisiana in 2005, was the most destructive natural disaster in US history. According to the National Hurricane Center, the storm wrought a staggering $125 billion in damage.

Compare this figure with the potential losses from a large-scale, global cyberattack: experts predict this could cost an estimated $120 billion.

The “NotPetya” ransomware attack, for example, has cost businesses a total of $10 billion and counting, according to White House estimates. The price continues to rise two years after the incident, as insurance claims are litigated.

As with natural disasters, the damage and scope of cyberattacks are increasing. “Threat actors” are craftier and more insidious than ever before, striking without warning and — unlike many natural disasters — leaving their victims little or no time to prepare for the attack or minimize its impact.

The scale and severity of cyber disasters in recent years have captured the attention of business leaders around the world. Cyberattacks are among the top 10 risks, in terms of likelihood and severity of impact, in the World Economic Forum's latest Global Risks Report. In the US, 53% of CEOs are extremely concerned about the impact of cyberthreats on their growth prospects, according to PwC’s Global CEO Survey.

Many organizations have increased investment in their prevention, detection, and response capabilities. Yet they too often find themselves in recovery mode after an attack — and if ransomware is the culprit, wishing they had planned ahead and implemented better recovery options.

Why cyber disasters matter

Natural disasters occur within a discrete area. Cyber disasters, on the other hand, can wreak havoc globally. Malware might spread from a single device to infiltrate entire networks, infecting thousands of business systems.

As a current example, cybercriminals are exploiting the spread of the coronavirus to lure victims with malicious attachments purporting to contain a health update or a cure.

Threat actors may target core systems with ransomware, encrypting the data so it can’t be accessed. Victims must pay the ransom or restore their systems using backups. If those backups are connected to the main systems, however, the attackers may lock them, too, leaving no recourse but to pay.

Ransomware is simple and cheap to inflict, but much more difficult and costly to remedy. Businesses must pay far more for prevention, detection and recovery from a ransomware attack — millions of dollars, in some cases. Costs may include:

● Lost customers

● Business disruption

● Fines

● Legal

● Public relations

● Breached client records

● Direct financial loss

● Notification

● Credit card reissues, identity repair, and credit monitoring

● Remediation

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

● Strengthening Global Cooperation for Digital Trust and Security - to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.

● Securing Future Digital Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.

● Building Skills and Capabilities for the Digital Future - to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.


The path to resiliency

How much downtime can your business withstand? If a cyberattack disrupts your business, you need to be back online within your “maximum tolerable downtime”, according to new Federal Financial Institutions Examination Council (FFIEC) guidelines. To do so, you must think first about digital resilience as you develop a well-tested and repeatable response and recovery strategy.

There are five components to building cyber resilience in your organization:

1. Know your assets.

A retail customer expects seamless service when they interact with a company: shopping, ordering, billing, fulfilment and customer service. The same holds true in technology, healthcare and professional services.

To fulfil these expectations, business systems are highly interconnected. The downside, however, is that one outage could affect many systems. Knowing what’s connected to what and which functions are critical is essential. Leading businesses use automated processes to maintain a current inventory of all the systems that feed their own, to know which systems or assets to isolate if a disruption occurs. More than half of the “high resilience quotient (RQ)” respondents to PwC’s Digital Trust Insights survey — those that scored high on resilience — said they have automated their inventory and mapping processes.
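A minimal sketch of what such an inventory makes possible, added here as an illustration and not taken from the article or from PwC's survey: given a map of which systems feed which, it works out what to disconnect when one system is disrupted, which critical functions are exposed, and which feeds the inventory has not mapped. The system names and the `feeds_from`/`critical` fields are constructed assumptions.

```python
from collections import deque

# Constructed inventory (not real systems): each entry lists the systems that feed it.
INVENTORY = {
    "web-shop":     {"feeds_from": ["order-api", "auth"], "critical": True},
    "order-api":    {"feeds_from": ["billing-db", "auth"], "critical": True},
    "billing-db":   {"feeds_from": [], "critical": True},
    "auth":         {"feeds_from": ["hr-directory"], "critical": True},
    "hr-directory": {"feeds_from": [], "critical": False},
    "intranet":     {"feeds_from": ["hr-directory"], "critical": False},
    "reporting":    {"feeds_from": ["billing-db", "vendor-etl"], "critical": False},
}

def build_consumers(inventory):
    """Invert 'feeds_from' into 'who depends on me' and collect unmapped feeds."""
    consumers = {name: set() for name in inventory}
    unmapped = set()
    for name, record in inventory.items():
        for upstream in record["feeds_from"]:
            if upstream in inventory:
                consumers[upstream].add(name)
            else:
                unmapped.add(upstream)  # inventory gap: a feed nobody has mapped
    return consumers, unmapped

def blast_radius(inventory, disrupted):
    """Systems that depend on `disrupted`, directly or through other systems."""
    consumers, _ = build_consumers(inventory)
    affected, queue = set(), deque([disrupted])
    while queue:
        for dependant in consumers[queue.popleft()]:
            if dependant != disrupted and dependant not in affected:
                affected.add(dependant)  # visited set also stops dependency loops
                queue.append(dependant)
    return affected

def isolation_plan(inventory, disrupted):
    """What to disconnect first, and which critical functions are exposed."""
    consumers, unmapped = build_consumers(inventory)
    affected = blast_radius(inventory, disrupted)
    return {
        "cut_links": sorted((disrupted, c) for c in consumers[disrupted]),
        "critical_at_risk": sorted(s for s in affected if inventory[s]["critical"]),
        "unmapped_feeds": sorted(unmapped),
    }

if __name__ == "__main__":
    print(isolation_plan(INVENTORY, "hr-directory"))
```

In this constructed data, a disruption in the non-critical `hr-directory` still reaches three critical systems through `auth`, which is the kind of hidden coupling an up-to-date map is meant to surface.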

Cyberattacks are predicted to have the same impact and likelihood as natural disasters
Image: World Economic Forum Global Risks Report 2020

2. Know your supply chain.

In the Fourth Industrial Revolution, businesses grow by forging alliances and supply chain relationships. The global supply chain is highly interdependent. Monitoring your third parties is essential to understanding and responding to the risks suppliers might pose.

3. Practice good hygiene.

Cyber hygiene helps maintain system health and improve online security. Practices include systems patching, using secure computers, and phishing detection and education. Global hygiene trends include:

i. Segmenting the network. To prevent malware or viruses from spreading, divide your network into segments so you can isolate and contain malware. Also, know your perimeter so you can control network traffic.

ii. Keeping systems up-to-date. Update your systems periodically with security patches.

iii. Protecting privileges. Certain privileged users have unfettered access to system resources. Protect these user accounts and their access.

4. Plan your recovery.

How much disruption can your organization withstand without crippling its ability to serve its customers? A short recovery time could be expensive, but a longer one might mean a prolonged outage — which is not good for business.

Your company’s best recourse is to design or procure backup and recovery solutions that a) allow you to maintain versions of backups, b) let you access them quickly and c) are impervious to malware that deletes or corrupts backups. Test drive your disaster recovery plan, and do it every time your environment changes, or quarterly.

High-RQ organizations know how much disruption they can withstand and have plans to recover within their limits. About two-thirds of high-RQ respondents to PwC’s survey have set impact tolerances for critical business services.

5. Conduct disaster drills.

A hypothetical disaster drill (also known as a tabletop simulation) helps you rehearse and perfect your organization’s response to a cyber disaster. An effective disaster drill should be realistic, interactive and moderately stressful for participants. Drills should give employees a better idea of their roles and responsibilities in a cyber disaster, and greater confidence in their ability to react. Using realistic but less likely scenarios will reveal response gaps. Addressing those gaps will improve the response to, and recovery from, a real disaster.

Resilience is worth the effort

Achieving digital resilience entails applying equal vigilance to your own and your third parties’ critical business systems. It starts with instilling “resilience by design” into the blueprinting process to ensure that those systems are built for resilience.

Resilience also entails using good cyber hygiene day-to-day. Cyber hygiene isn’t enough, however, to protect your organization against the disruptions that cyberattacks can cause. A well-tested and repeatable response-and-recovery strategy can help ensure your business remains up and running with minimal interruptions.