Uber and the NHS are only two of the latest high-profile victims in a vast arc of cybersecurity scandals over the past two decades, impacting everyone from Joe Bloggs on his laptop to big Asian banks. The NHS attack in particular sent shockwaves through the world media: services were disrupted for at least a week after ransomware (WannaCry) demanded $300 per infection.
The spread of cyber-attacks should come as no surprise, however. Cisco has predicted that by 2020, some 50 billion devices will be connected to the internet. And thanks to the Internet of Things there is now web-enabled software in everything from cars and planes to fridges and animals. At a time when coffee machines have IP addresses and voice-activated TVs continually listen in on us, a lot of effort is required to keep our digital data safe.
When you’re only as strong as your weakest link (and digital networks are full of links) you have to trust that each and every link in the chain is safe. When you remotely access your brand-new video baby monitor that you bought from a start-up off Kickstarter, you need to know that they have the right level of security on their servers to stop your data being accessed and keep your home safe and secure. Almost anything we use could be employed to spy on kids, steal information such as passwords and personal data, or tap into GPS to track anything from parcels to empty houses.
It’s not just the little people who can be hounded, either. In fact, more lucrative targets involve household names, such as Tesco (which had 40,000 bank accounts “compromised”), San Francisco’s public transport system (which had its payment systems neutered), the Philippine government (which lost the personal information of every single voter), and Yahoo, which had “the biggest data breach ever recorded” in 2014, when up to 500 million customers had their data pinched.
The reason most of these attacks are successful is that no two battles are the same. There are, however, patterns that can be discerned. The standard lines of attack range from malware, SQL injection and session hijacking (which reach your device or data through clicked attachments, malicious code or intercepted traffic) to phishing and stolen credentials (which rely on obtaining your data either directly from you or bought wholesale from third parties on the ‘dark web’) and, finally, denial-of-service attacks: orchestrated assaults that bring down websites through sheer weight of traffic alone.
These manoeuvres contribute to some startling statistics. Juniper Research predicts the cost of data breaches globally will hit $2.1 trillion by 2019, which is equivalent to the GDP of India last year. Global Cyber Security forecasts a $1 trillion spend cumulatively over the next five years on cybersecurity projects. This is big news, especially when the industry was worth only $3.5 billion around a decade ago, but looks set to hit $120 billion this year. However, it is the facts behind the headline figures that are, if anything, more alarming.
According to the 2015 Cost of Data Breach Study, the average total cost of data breaches has increased 23% over the past couple of years to $3.8 million. These are not isolated incidents, either. In the UK, 66% of businesses experienced a cyber-attack in the last year according to the 2016 Cyber Governance Check, and it takes a company an average of 205 days before it even manages to identify an infringement.
But who is behind this increase in attacks? Twenty years ago, it was recreational bedroom hackers simply testing their skills. Then the criminal gangs got in on the action, stealing credit card details. A decade ago, ‘hacktivists’ like Wikileaks rose to prominence, seeking to expose governmental and industrial secrets. In recent years, state-sponsored attacks have been on the rise – the Stuxnet attack by the US and Israel on Iran’s nuclear programme was the first to really come to light. Nowadays, accusations of foreign meddling in domestic elections (US, France, Brexit) are levelled on a regular basis.
Robert Mueller, former Director of the FBI, was very open about the threat: “There are two types of companies: those that have been hacked, and those that will be”. The reality, then, is not wondering if, but preparing for when, a cyber-attack will hit. Over the next few years, chess pieces in the grand game will shuffle. Customers will start to insist on the Internet of Things becoming “secure by design”, in a manner that is similar to how mobile phones are starting to demand fingerprints for transactions. Companies will demand cyber risk insurance, which would cover for a loss of reputation and trust with their customers after incidents. Where will liabilities lie? Will it lead to prison terms for company CEOs and CTOs whose perimeter walls are breached?
The consumer reaction to companies that are hacked tends to be more punitive than the fines courts could levy. Reputations are shattered, revenues plummet and customers leave in droves. TalkTalk, a British telecoms company that was hacked in 2015, lost £60 million in revenue as well as over 100,000 customers. As it was one of the first large UK companies to face a prominent hack, there was confusion over what to do. Dido Harding, CEO of TalkTalk, said, “The advice we had from the Metropolitan Police was not to tell our customers”. The perpetrator was a 16-year-old boy showing off to his mates.
The question is how to protect a company when it is connected to myriad suppliers. RiskVision, a risk intelligence company, has identified that 80% of corporate breaches come from a third party, a supplier or vendor. For example, US store Target was hacked through a small refrigeration company who had access to their networks, which resulted in the theft of millions of credit cards. Then there was the oil company that was accessed by ‘infecting’ the menu of a local Chinese takeaway with malware, which employees would download, open up and order from.
We might think that cybersecurity is something that only tech companies and multinationals need to worry about, but in an increasingly interdependent world, we all need to know that opening a restaurant menu or chatting in front of a TV isn’t going to cost us dearly. Cybersecurity is an issue that is going to have ramifications for everyone from the smallest ‘mom and pop’ businesses to giant global corporations.
Businesses are having to approach cybersecurity rigorously, and data breaches are hugely expensive in terms of reputation and revenue. To succeed in the brave new digital world, companies and corporations are going to have to ensure that everyone in their supply chain is as safe and secure as they are if they are going to keep their good name intact, which means that almost everyone will need to invest in top-level cyber defences. As Ginni Rometty, CEO of IBM, puts it, “cybercrime is the greatest threat to every company in the world”.
Cybersecurity isn’t going away. Still in its relative infancy, it is an area that is only going to become more important over time. The threats will increase and the attacks will become smarter, meaning a constant need for reinvention and monitoring. This is why cybersecurity is a long-term trend to be aware of, and why it should form part of a comprehensive and strategic approach to investment.
 The Telegraph
 Cisco – The Internet of Things
 The Independent
 CNBC The Big Crunch with Eric Chemi
 Juniper Research – Cybercrime will cost businesses over $2 trillion…
 Trading Economics
 Gov.uk – Cyber Security Breaches Survey
 IBM Digital Nordic
This article is designed to throw an everyday lens on some of the issues being discussed and debated by investors across the world; it is not research, so please do not interpret it as a recommendation for your personal investments. If something has piqued your interest and you would like to find out more or discuss what investments might be suitable for you, please contact one of our Investment Managers on 020 7337 0777.