November 8, 2020
By Christopher Hetner and Greg Rattray
The narrative around the board's role in cybersecurity continues to shift as the sophistication and impact of targeted cyberattacks increase. Boards in both public and private companies are now expected to play a pivotal role in establishing governance, operational resilience, and risk-management mechanisms that address cyber risks impacting their business and stakeholders.
With constantly changing technology, core business processes becoming digitally reliant, and connected devices now pervasive, the risks and potential impact of cyberattacks are higher than ever. Attackers, whether individuals, criminals, or nation-states, are becoming more astute at understanding technical weakness, accessing sensitive data and disrupting business operations, putting pressure on companies to take immediate action to protect their critical assets from the now imminent risk of breaches. To further complicate matters, technology and cyber risks continue to be regarded as an evolving threat to the global economy and organizations worldwide.
The FBI and Department of Homeland Security have issued multiple alerts detailing the increase in cyberattacks on medical research and other organizations that have not traditionally been targeted by advanced threat actors. While targeted attacks are not new, we are seeing the nature and objectives of attackers expand. Threat actors are using increasingly sophisticated technology, tools, and techniques, including those produced by nation-state militaries and intelligence organizations.
Yet, most organizations still just react, investing in cybersecurity programs based on regulation and common maturity frameworks rather than proactive risk mitigation strategies. While these cybersecurity programs are essential to promoting good cyber practice, reactive approaches do not adequately counter targeted attacks. As targeted attacks evolve, organizations need to commit to specific defensive investments in tools, techniques, and skills to buy down risks efficiently.
Since cyber specialists started referring to Advanced Persistent Threats (APT) in 2007, the numbers and nature of targeted attackers and their objectives have grown substantially. Initially focused primarily on national security espionage, targeted attacks now pose threats to a wide array of industries aiming to achieve a variety of objectives. The level, sophistication, and impact of targeted attacks have also expanded from data theft to technology disruption to now corporate ransoms and a variety of hybrid combinations.
The next evolution of highly capable targeted attacks, occurring in the past decade, has caused material disruption to businesses worldwide. The cyberattack on Saudi Aramco illustrates the disruptive and destructive nature of some targeted attacks. The attack destroyed the functionality of 35,000 computers over two days and caused disruption at a large enough scale to threaten 10 percent of global oil production. Sophisticated actors have become extremely flexible in employing new disruptive modes of attack. Attacks have evolved to include ransomware against cities and large firms. The recent case of Garmin this July highlights the targeted nature of the most impactful ransomware attacks. Educated and capable attackers understood that Garmin would most likely pay the ransom because of Garmin's dependence on networks being online and available to support customer operations. The attack knocked Garmin's networks offline for 24 hours until the company paid the $10 million ransom. Full business losses, from reputational damage to disruption costs, are still unclear.
While these examples are of well-known global companies, the industry has witnessed private companies that fit the small and medium-sized businesses (SMBs) profile increasingly suffer from ransomware attacks. One of the largest cyberattacks in recent years targeted a privately held Australian company named Canva. This attack impacted 137 million user accounts.
So far in 2020, 20 percent of ransomware victims are SMBs, and 85 percent of managed service providers (MSPs) reported ransomware as a common threat to SMBs. All in all, 43 percent of cyberattacks, ransomware or otherwise, target small businesses, with the United States being the most targeted country in the world, suffering 38 percent of targeted cyberattacks. A primary driver of the increase in attacks against SMBs is their lack of dedicated cybersecurity resources compared to large enterprises.
Ransomware attacks cost the globe roughly $8 billion in 2018; in 2020, the cost is estimated to reach $20 billion. Risks from targeted attacks are likely to maintain their accelerating upward trajectory, especially as the centrality of the digital environment to delivering and sustaining business services continues to grow.
As targeted cyberattacks continue to grow in number and sophistication, executives and board directors should expect increased expectations to proactively manage their cyber-risk exposure. Below are basic principles the board should expect of management to address cyber risk:
The stakes are higher than ever before for board directors to ensure proper cyber risk oversight and management practices are established. These fundamental mechanisms start with an understanding of material cyber threats and risks impacting the enterprise. Once understood, making informed investments to address these cyber threats and risks will afford protections and increase company value.
Chris Hetner serves as the Cyber Risk Advisor at the National Association of Corporate Directors and expert advisor, Institute for Defense Analyses (U.S. Department of the Treasury).
Greg Rattray is partner and co-founder of Next Peak, a cybersecurity risk management firm, and senior advisor on cyber risk management and cyber defense to Oliver Wyman, a global risk consultancy.