The tools and practice of cybersecurity are the defining architecture of enabling business continuity in the digital age. Emerging from the domains of information security and electronic warfare, cybersecurity today embodies technology, tactics and standards that remain strongly associated with IT.
The world’s first publicised CISO was appointed in 1995; since 2009, Chief Information Security Officers have risen to become a fixed feature of companies in every sector. The critical role of cyberspace in the global economy was illustrated by the 2017 ransomware attacks that temporarily disabled logistics firms and utility services. Estimates by global insurers place the potential losses from a single attack on a leading cloud service provider at €43 billion.
Cybersecurity is a €100 billion global business, driven by increasingly sophisticated threats across an ever-expanding attack surface: by 2017, 600 million malware variants had been identified. The advent of the Internet of Things (IoT), connected Industrial Control Systems, digital finance and the mobile workforce has created a deep marketplace for cybercriminals to exploit. Delays in threat detection and remediation augment the impact of a single breach, while poor security auditing of third-party providers extends the attack surface well beyond the organisation. An international menace, cyber criminals exploit differences in the capacity and authority of companies and governments to respond. Current estimates suggest that cybercrime costs the global economy approximately €485 billion.
In this fast-moving industry, the technologies and tactics are personality-led among innovative companies, rather than government R&D; the global cybercrime business is similarly sophisticated, using many of the tools and tactics employed by nation states and corporations. International alliances and shared threat intelligence, e.g. in financial services and in the Internet of Things (IoT), have emerged only in the past five years. The tools and tactics that enable cyber attacks are also part of today’s cyber defence; among them, deception, encryption and Artificial Intelligence are likely to feature prominently in 2018 and beyond.
In evaluating their cyber risk posture, companies typically assess (i) their valuable assets and knowledge; (ii) vulnerable endpoints, assets and people; (iii) costs and insurance liability; (iv) in-house knowledge and skills that can be readily applied to cybersecurity. The responsibility audit considers proportionality, jurisdiction, response and corporate citizenship. At the helm, the modern CISO must understand not only the technologies and tactics in building an effective defence, but also the business context. Much more than ‘just’ the IT, the CISO must be skilled in conflict resolution, collaboration and influence to enable rapid adaptation of the company’s human and digital systems. Today it is widely acknowledged that at any scale, effective cybersecurity is primarily an organisational change problem, requiring the rapid implementation of new technology, language, tactics and business processes.
What is cybersecurity?
Cybersecurity describes the activities and technologies that collectively defend the assets and interests of an organisation (or a nation state) in cyberspace. A global industry, valued at approximately €100 billion, the business of cybersecurity includes the operations, tactics, network systems, software, algorithms and devices that protect organisations against security breaches, data theft and sabotage of computer networks.
At the scale of a nation state, cybersecurity extends to the protection of critical infrastructure, public services and transport systems. Vital to sustaining ‘business as usual’, many countries including France, Germany and the UK today consider cybersecurity as part of their national security. In 2016, the official designation by NATO of cyberspace as a zone of operations in which international laws apply (note 1: NATO [http://www.nato.int/cps/en/natohq/topics_78170.htm]) elevated the critical role of cyberspace in the global economy.
|2||Check Point Software Technologies Ltd.||16.8||16|
|3||Palo Alto Networks||14.7||12.5|
The term cyberspace encompasses public and private networks, the surface and dark web, cloud storage, Industrial Control Systems (ICS) and the Internet of Things (IoT). Any system or device that is connected to the internet, or otherwise exposed to connection (including sensors, mobile and data storage devices) is vulnerable to exploitation and attack.
Across and through this virtual terrain, criminal networks utilise the advantages afforded by pervasive internet technologies and ubiquitous communications to obfuscate their identity and build criminal networks — at relatively low cost compared with conventional international crime.
Cybercrime describes broadly two types of activity: (i) criminal activities in which IT systems and devices are both the tool and the target; and (ii) crimes which are increased in their scale and reach by cyberspace (such as terrorism, crimes against children, fraud, theft of data and/or assets, trafficking) (note 4: INTERPOL [https://www.interpol.int/Crime-areas/Cybercrime/Cybercrime]). Cyber criminals use a range of tools and techniques (including Advanced Persistent Threat, Distributed Denial of Service, malware, ransomware, domain hijacking and botnets) to enable and augment the effects of their activities. The same techniques are used by nation state actors in cyber warfare.
Worldwide, internet access has grown from about 6.7% of the global population in 2000, to 52% by January 2018 (note 10: Naughton, J. (2016), ‘The evolution of the Internet: from military experiment to General Purpose Technology’, Journal of Cyber Policy, 1:1, 5-2 [http://dx.doi.org/10.1080/23738871.2016.1157619]). Initially created as a research tool, the internet has grown rapidly since 1995 to serve every sector of the global economy. Embedded in global commerce, entire industries are today based on this virtual world. Financial services apps, encrypted messaging and other mobile platforms serve an increasingly large population, with an estimated 70% of the global population using a smartphone by 2020 (note 11: Ericsson Mobility Report, November 2016 [https://www.ericsson.com/mobility-report]). For companies of all sizes and activities, cybersecurity is the cost of doing business in the digital age.
In May and June 2017, ransomware made headlines with a single attack propagating rapidly through global supply chains, while cyber attacks on healthcare systems in the US and the UK demonstrated the vulnerability of public services. Deception is key to the success of cyber attacks at scale: in Switzerland, 2017 saw an increase in incidence of encryption Trojans launched by faking the identities of trusted federal services and global brands (note 12: ‘Encryption Trojans and malicious emails in name of authorities on the rise’, Semi-Annual Report, 2 November 2017, Swiss Reporting and Analysis Centre for Information Assurance [https://www.melani.admin.ch/melani/en/home/dokumentation/reports/situation-reports/semi-annual-report-2017-1.html]).
In Germany, companies are increasingly the target of ransomware, APT attacks and cyber-espionage (note 13: ‘The State of IT Security in Germany 2017’, Federal Office for Information Security [https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html]). The ransomware threat is likely to persist through 2018, along with attacks on cloud security, Internet of Things (IoT) and the Android operating system (note 14: Gartner (2018), ‘5 Trends in Cybersecurity for 2017 and 2018’ [https://www.gartner.com/smarterwithgartner/5-trends-in-cybersecurity-for-2017-and-2018/]), which is used in most of the world’s smartphone devices.
For all its technology-bound image, the world of contemporary cybersecurity is strongly influenced by individual people, the IT veterans who have become the voice of the industry and its challenges. Cybersecurity is a global business, yet its knowledge networks and conversations are concentrated in the US and Europe. Regional dialogue in the Middle East and around Asia’s financial hubs has visibly emerged only in the past few years.
The cyber threat landscape is advancing more rapidly than the security architectures can devise attack prevention solutions. Sharing of threat intelligence and innovation in not only technical solutions but also methods for implementing organisational change – knowledge about ‘what works’ – is vital if industry is to neutralise the risks and build a cyber-secure economy. The geographical bias in the contemporary debate around cybersecurity creates two challenges for the knowledge ecosystem: (i) avoiding group-think around threat characterisation and solutions; (ii) avoiding transplant of organisational change methods from one geography to another locale, without adaptation to, or redesign for, other business cultures, traditions and communications. To mitigate pan-industry ‘group-think’, cybersecurity requires a more nuanced, adaptive and inclusive dialogue, far beyond sharing threat intelligence and debating compliance standards.
Beyond measures of financial value, innovation within the global cybersecurity business is indicative of the rate of change in the industry. Cybersecurity Ventures produces an annual list of the top 500 most innovative, visible and active cybersecurity firms across a broad range of services (note 15: Cybersecurity Ventures (2017), Cybersecurity 500, updated August 2017 [https://cybersecurityventures.com/cybersecurity-500-list]) (see table 2). 74 of the companies featured among the CV500 Index are based in Europe (see A1: Companies and indicators). While none of the top ten firms are Europe-based, noting that innovation in cybersecurity is strongly influenced by strength of interpersonal networks and leadership, it is likely that there is knowledge flow between discrete geographies (e.g. from Israel to the US and Europe) that is not represented in this index: further research is needed to investigate the structure of the knowledge architecture that underpins global innovation in cybersecurity.
|Rank||Company||Cybersecurity Sector||Corporate HQ|
|1||Herjavec Group||Information Security Services||Toronto, Canada|
|2||IBM Security||Enterprise IT Security Solutions||Waltham, MA|
|3||Raytheon Cyber||Cyber Security Services||Waltham, MA|
|4||EY||Cybersecurity Consulting & Advisory||London, UK|
|5||Mimecast||Email Security||Watertown, MA|
|6||KnowBe4||Security Awareness Training||Clearwater, FL|
|7||Cisco||Threat Protection & Network Security||San Jose, CA|
|8||Sophos||Anti-Virus & Malware Protection||Abingdon, UK|
|9||Sera-Brynn||Cyber Risk Management||Suffolk, VA|
|10||Lockheed Martin||Cybersecurity Solutions & Services||Bethesda, MD|
Viewed through the lens of the global dialogue on cybersecurity, the most innovative companies may not be the most influential (note 16: Martin, S. (2016), ‘10 Cybersecurity Twitter Profiles To Watch’, Dark Reading, 7 April 2016 [https://www.darkreading.com/vulnerabilities—threats/10-cybersecurity-twitter-profiles-to-watch/d/d-id/1325031]). Twitter provides an indicator of the cybersecurity conversations that are shaping the business. 2016 analysis by Onalytica (note 17: Onalytica, 6 April 2016 [http://www.onalytica.com/blog/posts/cyber-security-and-infosec-top-100-influencers-and-brands/]; Onalytica, 20 May 2015 [http://www.onalytica.com/blog/posts/cybersecurity-2015-top-100-influencers-and-brands/]) identified the top 100 brands in cybersecurity, based on their Twitter activity (see table 3 and A1: Companies and indicators).
|Kaspersky Lab||Daniel Miessler, IO Active||1||INTERPOL_Cyber||Trevor Timm|
|Digital Forensics||Khali (pilgrim), Krypto Security||2||Stanford University||Eugene Kaspersky|
|Tripwire Inc.||Joseph Steinberg, Secure my Social||3||Trend Micro||Gabey Goh|
|Bitdefender||Lesley Carhart, Motorola||4||Kaspersky Lab||Ben DiPetro|
|nixCraft||Greg Linares, Vectra||5||RSA Conference||Eric Chabrow|
|Alert Logic||the grugq, independent||6||Re/code||Zack Whittaker|
|CSOnline||Gavin Millard, Tenable Network Security||7||ZDNet||Charlie Osborne|
|FireEye||Jeremiah Grossman, WhiteHat Security||8||Symantec||Jennifer Granick|
|DarkReading||Chris Eng, Veracode||9||Homeland Security||Sara Sorcher|
|Infosecurity||Jason Haddix, bugcrowd||10||TechCrunch||Peter W. Singer|
Cybersecurity is a fast-changing knowledge network, predominantly based in the US and Europe, but with increasingly visible contributions from the Far East, Middle East and Asia. In the space of a year, identifiable thought-leadership evolves as new challenges emerge and new companies take form or gain recognition through the plethora of conferences, hackathons and cyber summits. Themes and issues also trend over time. A good indicator of ‘what’s hot’ in cybersecurity is the annual RSA Conference, among the leading forums worldwide for thought-leadership on cybersecurity. Recurring themes in recent years include: threat detection, AI and big data, insider threat, standards and compliance and the cyber skills shortage (note 18: RSA Conference [https://www.rsaconference.com/events]). Yet despite this fast-paced dialogue and continual information flow, very few names feature more than once in the annual rankings, suggesting that:
- the key issues are changing rapidly;
- the most urgent priorities are shifting among sectors, e.g. healthcare (2016), finance (2015);
- influencers are losing / gaining their position by narrowing their scope of focus, or migrating to another problem space.
What do companies need to know about cybersecurity and why?
Every company that uses the internet, stores data in digital formats or communicates using smartphones, is at risk from cyber attack and data theft: it is not currently possible to totally eliminate all risk. Beyond IT, cybersecurity is principally an organisational change problem, requiring a risk management solution.
Threats and issues
Rapidly expanding attack surface
The global attack surface describes the public and private networks, servers, data encryption services, cloud storage, mobile devices, Industrial Control Systems (ICS), sensors and monitors, IoT, satellite networks and maritime communications systems that serve the digitally-enabled economy. Rapid innovation in digital services, cryptocurrencies and communications is expanding the opportunities in cyberspace for criminals who are equipped to exploit vulnerabilities – old and new.
The digitisation of the world’s finance systems opens new vectors for cyber attack.
Venture funding in digital finance doubled worldwide from 2014 to 2015, to just over €117 billion (note 19: ‘Ensuring Cybersecurity In Fintech: Key Trends And Solutions’, John Villasenor, Forbes, 25 August 2016 [https://www.forbes.com/sites/johnvillasenor/2016/08/25/ensuring-cybersecurity-in-fintech-key-trends-and-solutions/]; ‘The World’s Top 10 Neo- and Challenger Banks in 2016’, FintechNews, 3 September 2016 [http://fintechnews.ch/fintech/the-worlds-top-10-neo-and-challenger-banks-in-2016/6345/]). Advocates of cryptocurrencies claim that digital finance has security ‘built-in’, “because security and privacy are central to the protocol” (note 20: ‘How blockchains are redefining cyber security’, Information Age, 14 December 2015 [http://www.information-age.com/how-blockchains-are-redefining-cyber-security-123460713/]) and Bitcoin maintains that Blockchain is secure by default, because it’s decentralised (note 21: ‘Blockchain is the next line of defense for cyber security’, Bitcoin, 19 June 2016 [https://news.bitcoin.com/blockchainn-next-defense-cyber-security/]). Attacks in 2016 on Dao and Bitfinex cost approximately €41 million and €53 million respectively (note 22: Cyber attacks raise questions about blockchain security, Financial Times, 12 September 2016 [https://www.ft.com/content/05b5efa4-7382-11e6-bf48-b372cdb1043a]), while in January 2018, a €435 million raid on a cryptocurrency exchange in Japan is the largest-known heist to date (note 23: Center for Strategic and International Studies (2018), ‘Significant cyber incidents, 2006 – 2018’ [https://www.csis.org/programs/cybersecurity-and-governance/technology-policy-program/other-projects-cybersecurity]). As with any new technology, problems are likely in the early phases of its evolution, but these incidents raise questions about the assertion that digital finance is secure by design.
The advent of IT-enabled Industrial Control Systems (ICS) and advanced sensor networks has increased exposure of the world’s critical infrastructure – the water, energy, telecommunications and other services that enable civilisation to thrive – particularly in cities. ICS that are internet-connected but predate the internet in their design are particularly vulnerable, e.g. hydropower controls and radiation monitoring systems. Disruption or failure of one or more critical infrastructure services, even for a short time, can have serious consequences for populations.
Unsolved vulnerabilities, slow response
The first line of cyber defence requires characterisation of risks and vulnerabilities, whether at the scale of a single device, a household or an entire company. Investing in cybersecurity is of little value if weaknesses remain unknown or unsolved. Software vulnerabilities must be identified and patched or remedied, as far as possible; the CVE database (note 27: Common Vulnerabilities and Exposures database [https://cve.mitre.org/]), a reference of known weak spots used by cybersecurity professionals worldwide, while useful in building collective defence, is not a comprehensive reference (note 28: BIS (2017), op. cit.).
Failure to detect a security breach is now recognised as among the principal factors compounding the cybersecurity challenges faced by companies, particularly in healthcare and financial services. In 2016, the industry’s most comprehensive global survey (2,260 analysed breaches from 82 countries) reported that web app attacks accounted for 48% of all security incidents afflicting financial services firms, with exfiltrated data stolen within minutes in 78% of all incidents (note 29: Verizon (2016), ‘2016 Data Breach Investigations Report’ [http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/]). Yet 54% of the firms surveyed took several weeks to discover that a security breach had occurred.
Malware infection is a common basis for many forms of cybercrime. By 2017, 600 million variants of malware were known (see figure 2); from January to May 2017, 280,000 new variants were observed per day (note 30: ‘The State of IT Security in Germany 2017’, Federal Office for Information Security, June 2017 [https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html]). Malicious code embedded in Microsoft Office files (as email attachments) and infected download links are common vectors through which sophisticated and sustained attacks are launched. Today’s cyber attacks are not limited to breaking and entering: combined with techniques from more conventional forms of corporate espionage, social engineering and exploitation of digital finance, the effects of cybercrime can be rapid, extensive and expensive.
Expensive to fix
2016 analysis by IBM and the Ponemon Institute reported that the average cost of a security breach, per data record, was €130, with total costs proportionate to the scale of losses (ranging from approximately €1.7 million for breaches affecting fewer than 10,000 data records, to €5.5 million for 50,000). Remediation costs were highest in the US and Germany and varied by industry, with a per record cost (i.e. the total cost of a data breach divided by the size of the data breach) of €181 in the financial services industry (note 32: Ponemon Institute / IBM (2016), op. cit.).
The scale and activity of cybersecurity investment varies by industry. Some emphasise compliance and risk mitigation, others focus on IT defence. A 2016 survey by Accenture and Oxford Economics measured firms’ cybersecurity performance across 33 indicators in 12 industries, worldwide (note 33: Accenture / Oxford Economics (2017), ‘The Accenture Security Index’ [https://www.accenture.com/gb-en/insight-accenture-security-index]), concluding that overall, companies performed acceptably well in only eleven out of 33 indicators. Banks ranked second (after telecommunications) with a high rating in eight of the 33 capabilities, including threat scenario analysis and utilisation of third-party solutions providers.
Governments are limited in their capacity to respond, either through technology or laws, by: (i) risk of exposing their cyber warfare capabilities; and (ii) timeframe required for investigating, drafting and enforcing legislation. Companies are in the front line of cyber defence and are leading the cutting-edge of cybersecurity research. Cybersecurity is the cost of doing business in the digital age and is principally about managing risk (note 34: ‘Cyber Security: the cost of immaturity’, The Economist, 12 November 2015). The four questions companies everywhere typically ask are:
Why ‘information security’?
Contemporary cybersecurity has evolved from the worlds of information security and defence (note 35: von Solms, R., van Niekerk, J. (2013), ‘From information security to cyber security’, Computers & Security, 38, 97-102). Electronic warfare (EW) was an established field, thirty years ago. With the advent of digital communications, EW gave way to the age of information warfare (IW), as outlined in the published military doctrines of Russia (1991) and the UK (2003). While there is still no single definition of ‘cyber warfare’, either in popular use or in international law, today’s use of cyberspace in the battle for geopolitical advantage is generally understood to describe activities that augment – or precede – the effects of conventional warfare, using data, devices and networks to accomplish acts of war that cannot be done using only conventional weapons, people and espionage (note 36: Daultrey, S. (2017), ‘Cyber warfare: a primer’ [https://sdaultrey.net/downloads/Daultrey-S-Cyberwarfare-09-2017.pdf]). Nation states define the term differently, for example, China uses the term ‘information operations’, while Russia refers to ‘information warfare’.
In the corporate world, the era of information management (circa 1970 – 1990) gave way to the age of digitised knowledge management (1990 – 2010) with the widespread use of service platforms such as SaaS, AWS and Google. With the increasing use of machine learning and big data, the business of information security is experiencing a new phase of innovation. Corporate data is not only digitised, it is blended with information about geolocation as well as price and network performance, to deliver the goods and services on which today’s global, connected economy depends. Algorithms use data about the behaviours and preferences of private citizens to suggest and enhance products and services, manage transportation networks and combat financial fraud. Data is no longer a static entity in a filing cabinet that can be locked or permanently archived. Decisions about information security begin not with auditing the value of data holdings, but with identifying which nodes and networks of the digital infrastructure contain the worst vulnerabilities.
The dominance of technology firms in today’s global cybersecurity conversation suggests that the image of information security as primarily a technology business, is likely to persist. IT companies such as CISCO, IBM and Microsoft have evolved from global providers of technology platforms, software and services, to become the principal architects of the digital age.
The cyber era
Cybersecurity is a pre-requisite for enabling business as usual: it is a core requirement for both securing the information technology that powers standard business operations and creating a stable environment for innovation. Today’s cybersecurity industry is influenced by two trends that have evolved only during the past five years: (i) increasing sophistication, scale and visibility of cyber attacks; (ii) emergence of international coalitions of companies, sharing threat intelligence and best-practice. Concurrently, bilateral and multi-lateral agreements among nation states on combatting threats to cyberspace (note 38: Carnegie Endowment for International Peace, Cyber Norms Index [http://carnegieendowment.org/publications/interactive/cybernorms]) signal that the time of international cybersecurity laws is near.
In 2017 the International Telecommunications Union (ITU) (a specialised agency of the UN) surveyed the performance of 193 nation states against five metrics (note 39: ITU Global Cybersecurity Index 2017 [http://www.itu.int/en/ITUD/Cybersecurity/Pages/GCI-2017.aspx]): (i) legal (cybercrime laws, regulations); (ii) organisational (collection of metrics on cybersecurity, national strategy); (iii) technical (industry standards); (iv) capacity building (training for cybersecurity professionals, public awareness); (v) cooperation (international, interagency and public-private sector). The top ten countries included Singapore (at #1), the US (#2), Estonia, Georgia and France.
The profile of cybersecurity in the decisions and priorities of nation states has evolved at different rates, driven by opportunity and threat: for example, in Singapore, the critical importance of international financial services to the national economy coupled with an urban infrastructure that is data-driven, places cybersecurity among the core concerns for Singapore’s national security. Georgia’s experiences of cyber attack in 2008 coupled with military incursion by Russia, were likely an early formative phase in developing Georgia’s responsive national cybersecurity strategy.
Incentives among companies to ‘take cybersecurity seriously’ are evolving at different rates across industry verticals. An early example of corporate leadership on cybersecurity was the Cyber Security Industry Alliance, which took form in 2004 and was essentially a lobbying and advocacy group in Washington, DC (note 40: CISCO Security Activity Bulletin, CSIA, 27 February 2004 [https://tools.cisco.com/security/center/viewAlert.x?alertId=7301]; ‘Cyber Security Industry Alliance Kicks Off Sarbanes-Oxley Compliance Initiative’, HelpNet Security, 15 December 2004 [https://www.helpnetsecurity.com/2004/12/15/cyber-security-industry-alliance-kicks-off-sarbanes-oxley-compliance-initiative/]). By 2015, industry alliances had begun to form around pragmatic action to reduce collective vulnerability. The Cyber Threat Alliance (note 41: The Cyber Threat Alliance [https://www.cyberthreatalliance.org/membership/]) features many of the brands identified in the ‘most influential’ voices of contemporary cybersecurity, with its primary mission to share threat intelligence between commercial cybersecurity providers. The secretive Cyber Defence Alliance was created in 2015 by five leading international banks and is based in London, near the headquarters of the Metropolitan Police. In the style of NATO, the CDA views “an attack against one bank is an attack against them all”, working closely with the Police to share threat intelligence and combat banking fraud (note 42: ‘Banks join forces to crack down on fraudsters’, Financial Times, 9 August 2017 [https://www.ft.com/content/6c9030ca-7937-11e7-90c0-90a9d1bc9691]).
Responding to the globally-acknowledged security problem created by the rapid evolution of the IoT, the IoT Cybersecurity Alliance gained momentum in 2017 (note 43: IoT Cybersecurity Alliance [https://www.iotca.org/]) and also features many of the leading names in network systems and mobile device security. Individual sectors that have experienced serious security breaches are developing their own cybersecurity compliance standards, for example in maritime security (note 44: IMO (2016), ‘Interim Guidelines on Maritime Cyber Risk Management’, MSC.1/Circ.1526 1 June 2016 [http://www.imo.org/]) and insurance (note 45: ‘Ten Key Questions on Cyber Risk and Cyber Risk Insurance’, The Geneva Association, November 2016).
Cyber and global risk
Is this a new problem? Or an old problem in a new context?
In the Autumn of 2016, selected organisations in London’s insurance industry conducted ‘stress tests’, simulated ‘what-if’ scenarios that analysed the possible outcomes for the UK economy of a major natural or man-made disaster. Cyber attack was among the risks considered, both as a single event and as a stress multiplier. The events of summer 2017 vividly demonstrated the cascade effects of a cyber attack on a single network or software that serves global supply chains: the global costs of WannaCry ransomware, which affected at least 100 countries, are estimated at €6.5 billion, while the total cost of the NotPetya attacks of 2017 to Maersk and others is estimated to be at least €480 million. Hypothetical estimates by Lloyd’s of London suggest that a single attack on a cloud service provider could cost the global economy €43 billion.
“We are living with the consequences of a global supply chain that relies on digital.”
List of known organisations affected by NotPetya, June 2017:
- Chernobyl nuclear power plant: radiation monitoring systems affected
- Business systems of the second-largest drugmaker in the United States affected
- Business systems of the Danish transport and energy company compromised; operations stalled at a Mumbai terminal – India’s busiest container port
- Business systems of Russian oil producer compromised
- Ukrenergo and Kyivenergo: operations of two Ukraine state-owned power companies affected
- Borispol Airport (Kiev) and Ukraine metro system: systems compromised
- Business systems of Ukraine’s state-owned bank affected
- Supply-chain business systems of American food and drinks giant affected
- Client lists and communications compromised at one of the world’s largest advertising agencies, based in London
- Communications and computers downed at a leading global law firm
- Business systems at a French material construction company affected
- Heritage Valley Beaver and Heritage Valley Sewickley hospitals: business systems compromised at care facilities in Pittsburgh, US
- Business operations affected at a chocolate factory in Tasmania, Australia (owned by Mondelez)
- Operations stalled at Germany’s postal services
- Business operations compromised at a Russian steelmaker
Renewed calls for an international response placed cyber threat among the top five global risks for 2018, earning cybersecurity headline status at the 2018 World Economic Forum. The phenomenon of cyberspace and the cybersecurity industry can today be viewed as:
- transposing to the digital realm the threats and risks that were always there in the physical, (i.e. corporate espionage, client data protection, organisational adaption to new technology);
- a 21st century manifestation of familiar geopolitical challenges, with consequences for all the familiar features of trade, investment and risk management;
- the defining architecture of doing business in the digital age.
Issues and challenges
Cybersecurity has evolved from the world of information security: it is technology-driven and operationally reliant on standards, policies, best-practice, implementation procedures, information hierarchy and shared knowledge networks. These standards and languages are differently interpreted among discrete industries, geographies and business functions: a CISO in, say, the energy sector may advocate different solutions and frameworks than his peer in healthcare or finance. The emergence of a ‘common operating language’ within the domain that is owned and shaped by the professionals on the ‘front line’ enables rapid understanding of new threats and risks at scale, even if we still lack the technology and social behaviours to eliminate the threat and mitigate the root-cause.
The cyber era transposes into the digital realm the geopolitical challenges, threats and risks that are well-known in the physical world, such as corporate espionage, protection of civil liberties and organisations’ capacity to adapt to new technologies. What differentiates cyber is the scale of adaptation and collaboration required to implement organisational change, at a rate not experienced since the European industrial revolutions of the late 19th century. Effective cybersecurity requires adaptive technologies, people and processes.
Continual digital innovation creates a ‘marketplace’ for threats, but also for solutions. Companies and governments share common enemies in cyberspace, but the scale and pace of the threat are outsmarting the rate at which technology can naturally adapt: across industries, a form of artificial adaptation is needed to rapidly adopt and develop cyber defence. This requirement explains the trend toward outsourcing cyber defence. Even more critically, the threat landscape is evolving faster than the rate at which organisations can adapt their corporate ecosystem. Cybersecurity does not fit into a five-year plan or quarterly budget review: the rate and scale of the evolving threat landscape means that there is no time to defer or wait and see.
Pervasive data services create pervasive vulnerabilities. The vulnerability of the connected economy was exposed in vivid detail by the ransomware attacks of 2017. In energy, telecommunications, financial services and transport, we are living with the consequences of creating a global supply chain that relies on cyberspace. The tools and practice of cybersecurity are the defining architecture of doing business in the digital age.
A1: Companies and indicators
In 2016, Onalytica analysed more than 817,000 tweets, from November 2015 to January 2016 (for keywords “Cyber Security” OR CyberSecurity OR Infosec OR “Information Security”), identifying the top 100 influential brands and individuals in cybersecurity, worldwide. Table A1 lists the leading cybersecurity companies in Europe (data source: Cybersecurity Ventures 500).
| CV 500 Rank | Company Name | Sector | HQ Location |
|---|---|---|---|
| 4 | EY | Cybersecurity Consulting & Advisory | London, UK |
| 8 | Sophos | Anti-Virus & Malware Protection | Abingdon, UK |
| 14 | BAE Systems | Cybersecurity Risk Management | Surrey, UK |
| 19 | DFLabs | Automated Incident and Breach Response | Lombardy, Italy |
| 29 | BT | Security and Risk Management | London, UK |
| 32 | PwC | Cybersecurity Consulting | London, UK |
| 54 | NNT | IT Security and Compliance | St. Albans, UK |
| 57 | KPMG | Cyber Risk Management | London, UK |
| 71 | F-Secure | Internet Security for All Devices | Helsinki, Finland |
| 85 | Avast | Anti-Virus Protection | Prague, Czech Republic |
| 87 | Darktrace | Cyber Threat Prevention | London, UK |
| 89 | SentryBay | PC, mobile and IoT security | London, UK |
| 105 | Gemalto | Digital Identity Management | Meudon Cedex, France |
| 123 | Airbus Cybersecurity | Cyber Threat Defence | Paris, France |
| 128 | Digital Shadows | Cyber Intelligence Feeds | East Sussex, UK |
| 134 | Bitdefender | Anti-Virus and Endpoint Security | Bucharest, Romania |
| 136 | Thales | Secure IT | Paris, France |
| 144 | Bwise | IT Governance, Risk and Compliance | Rosmalen, The Netherlands |
| 158 | Immuniweb | Continuous On-Demand Web Security | Geneva, Switzerland |
| 174 | NCC Group | Information Assurance Services | Manchester, UK |
| 176 | Osirium | Privileged User Management | Berkshire, UK |
| 191 | Clearswift | Data Loss Prevention | Reading, UK |
| 194 | Brainloop | Secure Document Management | Munich, Germany |
| 195 | ESET | Multi-Device Endpoint Security | Bratislava, Slovakia |
| 198 | ENCODE | IT Security and Digital Risk Management | Athens, Greece |
| 243 | Precise Biometrics AB | Mobile Identity Authentication | Lund, Sweden |
| 244 | SaltDNA | Enterprise Mobile Security | Belfast, Ireland |
| 246 | Clavister | Network Security | Ornskoldsvik, Sweden |
| 258 | Becrypt | Mobile Device and Data Security | London, UK |
| 276 | Keypasco | Multi-Factor Authentication | Gothenburg, Sweden |
| 296 | Smoothwall | Unified Threat Management | Leeds, UK |
| 300 | Masergy | Managed Security Services | London, UK |
| 301 | Applied Risk | Industrial Cybersecurity | Amsterdam, The Netherlands |
| 314 | Avecto | Endpoint Security Software | Cheshire, UK |
| 315 | Panda Security | Anti-Virus and Internet Security | Bilbao, Spain |
| 323 | PrimeKey Solutions | PKI and Digital Signature | Solna, Sweden |
| 330 | Biowatch | Wristwatch Vein Authentication | Martigny, Switzerland |
| 332 | BSI Cybersecurity | Cybersecurity Services | Dublin, Ireland |
| 333 | Behaviosec | Behavioral Biometrics | Stockholm, Sweden |
| 336 | ESNC | Security for SAP Applications | Munich, Germany |
| 342 | Virtual Forge | SAP Application Security | Heidelberg, Germany |
| 350 | Acunetix | Web Vulnerability Scanner | Kingston Upon Thames, UK |
| 354 | PortSwigger | Web Application Security Testing | Knutsford, UK |
| 359 | Nozomi Networks | Industrial Control Security | Mendrisio, Switzerland |
| 370 | Fingerprint Cards AB | Fingerprint Biometrics | Gothenburg, Sweden |
| 377 | Prot-On | Encryption and File Security | Madrid, Spain |
| 379 | INSIDE Secure | Smartphone and Mobile Device Security | Aix-en-Provence, France |
| 392 | SSH Communications | Privileged Access Control | Helsinki, Finland |
| 395 | Link11 | DDoS Mitigation Solution Provider | Frankfurt, Germany |
| 399 | Avira | Antivirus and IT Security Software | Munich, Germany |
| 400 | Silverskin | Penetration Testing and Training | Helsinki, Finland |
| 401 | Balabit | Privileged Account Security | Senningerberg, Luxembourg |
| 403 | Nexthink | Anomaly and Behaviour Analytics | Prilly, Switzerland |
| 411 | DriveLock SE | Endpoint Security Solutions | Munich, Germany |
| 413 | Eclectic IQ | Threat Intelligence Analysis | Amsterdam, The Netherlands |
| 423 | Qosmos | Real-Time Data Security | Paris, France |
| 426 | Silent Circle | Enterprise Privacy Platform | Geneva, Switzerland |
| 429 | Blueliv | Cyber Threat Analysis | Barcelona, Spain |
| 433 | QinetiQ | Cyber Consulting and Services | Farnborough, UK |
| 454 | Spam Titan | Email Security | Galway, Ireland |
| 456 | Sentryo | Industrial IoT Security | Villeurbanne, France |
| 466 | neXus | PKI, Access and Identity Management | Hagersten, Sweden |
| 467 | Swivel Secure | Risk Based Authentication | Wetherby, UK |
| 473 | Cobalt Labs | Penetration Testing and Bug Bounty | Paris, France |
| 477 | Rohde and Schwarz Cybersecurity | Encryption and IT Security | Munich, Germany |
| 492 | Wandera | Secure Mobile Gateway | London, UK |
| 495 | Kudelski Security | Managed Security Services | Lausanne, Switzerland |
| 498 | NetFort | Network Security Monitoring | Galway, Ireland |
References and sources
2. Bessemer Venture Partners [https://www.bvp.com/strategy/cyber-security/index]; Forbes, ‘Meet The World’s Largest Pure-Play Cybersecurity Companies’, 20 April 2016 [https://www.forbes.com/sites/stevemorgan/2016/04/20/meet-the-worlds-largest-pure-play-cybersecurity-companies/]
3. Statista, ‘Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025 (in billions)’ [https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/]
5. 2017 Internet Security Threat Report, Symantec [https://www.symantec.com/security-center/threat-report]
6. ‘World’s Biggest Data Breaches’, Information is Beautiful, 2 February 2018 [http://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/]
7. Anderson, R. et al (2013), ‘Measuring the cost of cybercrime’, ch. 12, in Bohme, R. (ed., 2013), The Economics of Information Security and Privacy, Springer: Berlin. [DOI: 10.1007/978-3-642-39498-0_12]
8. Data from a survey of 3,000 individuals in a cross-section of industries. Hiscox Cyber Readiness Report 2017, Hiscox Global [http://www.hiscox.com/cyber-readiness-report.pdf]
9. CSIS (2018), ‘Economic Impact of Cybercrime’, 21 February 2018 [https://www.csis.org/analysis/economic-impact-cybercrime]
10. Naughton, J. (2016), ‘The evolution of the Internet: from military experiment to General Purpose Technology’, Journal of Cyber Policy, 1:1, 5-2 [http://dx.doi.org/10.1080/23738871.2016.1157619]
11. Ericsson Mobility Report, November 2016 [https://www.ericsson.com/mobility-report]
12. ‘Encryption Trojans and malicious emails in name of authorities on the rise’, Semi-Annual Report, 2 November 2017, Swiss Reporting and Analysis Centre for Information Assurance [https://www.melani.admin.ch/melani/en/home/dokumentation/reports/situation-reports/semi-annual-report-2017-1.html]
13. ‘The State of IT Security in Germany 2017’, Federal Office for Information Security [https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html]
14. Gartner (2018), ‘5 Trends in Cybersecurity for 2017 and 2018’ [https://www.gartner.com/smarterwithgartner/5-trends-in-cybersecurity-for-2017-and-2018/]
15. Cybersecurity Ventures (2017), Cybersecurity 500, updated August 2017 [https://cybersecurityventures.com/cybersecurity-500-list]
16. Martin, S. (2016), ‘10 Cybersecurity Twitter Profiles To Watch’, Dark Reading, 7 April 2016 [https://www.darkreading.com/vulnerabilities---threats/10-cybersecurity-twitter-profiles-to-watch/d/d-id/1325031]
17. Onalytica, 6 April 2016 [http://www.onalytica.com/blog/posts/cyber-security-and-infosec-top-100-influencers-and-brands/]; Onalytica, 20 May 2015 [http://www.onalytica.com/blog/posts/cybersecurity-2015-top-100-influencers-and-brands/]
18. RSA Conference [https://www.rsaconference.com/events]
19. ‘Ensuring Cybersecurity In Fintech: Key Trends And Solutions’, John Villasenor, Forbes, 25 August 2016 [https://www.forbes.com/sites/johnvillasenor/2016/08/25/ensuring-cybersecurity-in-fintech-key-trends-and-solutions/]; ‘The World’s Top 10 Neo- and Challenger Banks in 2016’, FintechNews, 3 September 2016 [http://fintechnews.ch/fintech/the-worlds-top-10-neo-and-challenger-banks-in-2016/6345/]
20. ‘How blockchains are redefining cyber security’, Information Age, 14 December 2015 [http://www.information-age.com/how-blockchains-are-redefining-cyber-security-123460713/]
21. ‘Blockchain is the next line of defense for cyber security’, Bitcoin, 19 June 2016 [https://news.bitcoin.com/blockchainn-next-defense-cyber-security/]
22. ‘Cyber attacks raise questions about blockchain security’, Financial Times, 12 September 2016 [https://www.ft.com/content/05b5efa4-7382-11e6-bf48-b372cdb1043a]
23. Center for Strategic and International Studies (2018), ‘Significant cyber incidents, 2006 – 2018’ [https://www.csis.org/programs/cybersecurity-and-governance/technology-policy-program/other-projects-cybersecurity]
24. Zetter, K. (2016), ‘Everything we know about Ukraine’s power plant hack’, 20 January 2016, Wired [https://www.wired.com/2016/01/everything-we-know-about-ukraines-power-plant-hack/]
25, 28. BIS (2017), op. cit.
27. Common Vulnerabilities and Exposures database [https://cve.mitre.org/]
29. Verizon (2016), ‘2016 Data Breach Investigations Report’ [http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/]
30. ‘The State of IT Security in Germany 2017’, Federal Office for Information Security, June 2017 [https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html]
31. ‘Maersk says global IT breakdown caused by cyber attack’, Reuters, 27 June 2017 [https://www.reuters.com/article/us-cyber-attack-maersk-idUSKBN19I1NO]
32. Ponemon Institute / IBM (2016), op. cit.
33. Accenture / Oxford Economics (2017), ‘The Accenture Security Index’ [https://www.accenture.com/gb-en/insight-accenture-security-index]
34. ‘Cyber Security: the cost of immaturity’, The Economist, 12 November 2015
35. von Solms, R., van Niekerk, J. (2013), ‘From information security to cyber security’, Computers & Security, 38, 97-102
36. Daultrey, S. (2017), ‘Cyber warfare: a primer’ [https://sdaultrey.net/downloads/Daultrey-S-Cyberwarfare-09-2017.pdf]
37. Lockheed Martin, Cyber Kill Chain [http://www.lockheedmartin.com/us/what-we-do/aerospace-defense/cyber/cyber-kill-chain.html]
38. Carnegie Endowment for International Peace, Cyber Norms Index [http://carnegieendowment.org/publications/interactive/cybernorms]
39. ITU Global Cybersecurity Index 2017 [http://www.itu.int/en/ITUD/Cybersecurity/Pages/GCI-2017.aspx]
40. Cisco Security Activity Bulletin, CSIA, 27 February 2004 [https://tools.cisco.com/security/center/viewAlert.x?alertId=7301]; ‘Cyber Security Industry Alliance Kicks Off Sarbanes-Oxley Compliance Initiative’, HelpNet Security, 15 December 2004 [https://www.helpnetsecurity.com/2004/12/15/cyber-security-industry-alliance-kicks-off-sarbanes-oxley-compliance-initiative/]
41. The Cyber Threat Alliance [https://www.cyberthreatalliance.org/membership/]
42. ‘Banks join forces to crack down on fraudsters’, Financial Times, 9 August 2017 [https://www.ft.com/content/6c9030ca-7937-11e7-90c0-90a9d1bc9691]
43. IoT Cybersecurity Alliance [https://www.iotca.org/]
44. IMO (2016), ‘Interim Guidelines on Maritime Cyber Risk Management’, MSC.1/Circ.1526, 1 June 2016 [http://www.imo.org/]
45. ‘Ten Key Questions on Cyber Risk and Cyber Risk Insurance’, The Geneva Association, November 2016