Nordea On Your Mind: Cybersecurity II

Cybercriminals and cybercrime pose a bigger threat than ever before, both for corporates and individuals worldwide. We are spending more of our time and conducting more business online, and crime is following us into cyberspace.

Online life means online crime

We are spending more of our personal and professional lives online. Almost 90% of the world's population is expected to have internet access by 2030, and 63% of it is already using smartphones. This is fuelling rapid growth in cybercrime as criminals follow us online and exploit the fact that we are still less vigilant than required. Few of us would walk home alone from a party at night through an empty urban park, but when did you last change your login password at work? And how strong is it? Global costs for cybercrime are estimated to have reached USD ~8tn in 2022. To get a sense of the harm done, consider that this corresponds to roughly 20% of the market cap for the S&P 500.

NUMBER OF PEOPLE WORLDWIDE WHO USE THE INTERNET

Multiple threats from different types of cybercriminals

Hacktivists pursue an ideological agenda and can cause damage to corporates through denial-of-service attacks, website defacements, and data theft and leaks, even when their primary target is not a company as such. Organised crime is in it for the money, often targeting corporates directly to carry out theft, fraud or extortion. State-sponsored players sometimes target corporates with specific aims but pose a great risk from big cyberattacks with the intent to cause harm to adversaries. Corporates can suffer major collateral damage in such instances, as was the case with the WannaCry and NotPetya cyberattacks in 2017.

NORDIC VS. EU INTERNET USAGE AS % OF POPULATION

Corporates in the firing line

Cyberattacks cause disruption for companies, and hence cost money. It typically takes a company 200 days to discover a data breach and another 70 days to contain it. Next comes remedies, restoring and rebuilding systems with authorities and regulators in the loop, and lost business in the meantime. The global average cost of a data breach is USD 4.35m, roughly equivalent to 13,600 workdays. We review the attacks against Colonial Pipeline (national emergency with fuel shortages on the US East Coast, with a USD 4.4m ransom paid) and Kaseya (forced closure of Coop Sweden's stores for six days at a cost of possibly up to SEK 600m) in 2021 and against Norsk Hydro in 2019 (production disruption cost of NOK 800m) as examples of the major impact on companies and society. Threats are still out there and companies should plan accordingly.

Cybercrime is a business risk, not an IT problem

Cyberattacks can be an existential risk, which could even lead to bankruptcy. Cybersecurity needs to be seen as a strategic imperative, not a budget item for the IT department, and should be addressed at the top levels of decisionmaking for a company. To reach a decent level of protection against cybercrime, the best place for a company to start is to achieve basic IT hygiene. This entails updated and adequate software and systems, as well as diligence regarding human behaviour – this is usually the weakest link in defences, and one that attackers can use to achieve a breach. The behavioural part of IT hygiene can be addressed through training, coaching, corporate culture and incentive structures.

CYBERCRIME DAMAGE COSTS

Specialists share their views

We gained great help in understanding cyberthreats and key considerations for corporates through our interviews with Juhani Hintikka , CEO of Finnish cybersecurity group Withsecure; Philipp Amann , former Head of Strategy at the European Cybercrime Centre of Europol; Pontus Johnson , Professor at KTH Royal Institute of Technology and Director of the Centre for Cyber Defence and Information Security; and Kamil Medzikowski , Senior IT Security Specialist at Nordea Internal Security Testing.