The cybersecurity tsunami – opportunities and threats facing us in a 24/7 connected world
Cybersecurity incidents are now a common feature in today's global and local headlines.
Ransomware gangs made at least $350 million in ransom payments in 2020, a 311% increase since 2019 (Source: Chainalysis February 2021). The figure was compiled by tracking transactions to blockchain addresses linked to ransomware attacks.
According to the World Economic Forum's 2021 Global Risks Report, "cybersecurity is one of the key threats of the next decade" alongside the COVID-19 pandemic, climate change, and debt crises.
Credit Information of 24 million South Africans and 800,000 businesses leaked in a massive Experian data breach in 2020. (Source: South African Banking Risk Information Centre August 2020)
Who is responsible for addressing the many cybersecurity risks we face when using cyberspace? Is it the government? Private companies? Or the average person, whether at work or at home? My answer is all of the above – let me explain using a model I call the 3D cyber risk profile.
Each one of us typically lives a) in a country, b) either works for an organisation (or is a member of one in their personal capacity, i.e. a spiritual or educational institution) and finally c) belongs to a family unit.
Figure 1: 3D cybersecurity risk profile that each individual needs to manage
In each of the above three scenarios, we all contribute to creating and sharing different information types across many devices and platforms. Examples of the information may be financial, personal or even metadata (data about the data). Certain information types may be publicly shared (i.e. public post on social media or open website) whilst other types are incredibly sensitive and restricted (i.e. personal medical records).
We also live in a world where 24/7 availability, high functionality and convenience is expected, resulting in a plethora of new services and applications. New tech start-ups are increasingly disrupting and sometimes beating the larger traditional giants in just about every sector. The recent COVID-19 pandemic has further accelerated the already fast-paced tech tsunami that has swept the globe. This tsunami has created significant opportunities for both individuals and organisations to offer innovative services and solutions to a globally connected customer base. Many people have become millionaires after developing a new app or investing in early tech start-ups or cryptocurrencies. How many of you wished you had bought $100 worth of Bitcoins back in 2010 when they cost just $0.08 apiece. You would have been able to buy 1,250 coins. With today’s valuation of over $52,000 per coin, your $100 investment would now be worth over $65 million.
On the topic of coins, every coin has two sides and where technology has been a positive influence it has also unfortunately become a catalyst for abuse. It has empowered a variety of threat agents that can cause harm to a country, organisation or an individual. The table below summarises the key threat agents and the tactics that they may employ.
Table 1: Threat agents and tactics
Linking back to our 3D cyber risk profile, does this now mean that every country, organisation or individual is at risk from every one of the above threat agent types? Whilst in theory this is possible the likelihood depends on several factors such as:
a)which country you live in (political, economic and even religious status play an important role)
b)which organisation/s you are involved in (the industry, information value and financial wellbeing)
c)how valuable (political, financial or social standing) your personal or family assets are to the relevant threat agent.
The motivations behind each of the threat agent types will further determine the likelihood of an attack.
Risk management uses a simple calculation: Risk = Likelihood (probability of the risk occurring) x Impact (the harm caused should this risk materialise). Likelihood and Impact of different risk types are usually given values of between 1 and 5 resulting in a risk map heat grid. An example of a 5 x 5 grid can be seen below to help determine which risks should be prioritised:
Therefore, it is up to each of us to consider how we manage risk in both the physical and digital realms that we co-exist in.
- Governments need to consider the threats that are of national importance to protect its sovereignty and maintain law and order. They would also need to work with the private sector to ensure critical infrastructure assets are protected.
- Organisations need to ensure the confidentiality, integrity and availability of critical business processes and the underlying people and technology assets, systems, hardware and infrastructure are managed to support business objectives.
- People need to consider their roles as a citizen of the country as well as their democratic rights to privacy and safety. They need to be vigilant when at work to ensure their actions do not jeopardise the organisation in any way. Finally they have a role to play in protecting their personal assets (identity, finances, reputation) and family members, especially children, from a growing range of cyber threats.
Becoming cyber-savvy sounds like a tall order – but when one considers just how dependant we are on technology and the impact a major incident can have on our country, organisation or personal life – it is something we all should consider. Instead of fearing the cybersecurity tsunami that is upon us, let us become cyber surfers and safely harness its power to improve the quality of life for all humankind.
Craig Rosewarne is the Managing Director of Wolfpack Information Risk (Pty) Ltd. For more information on Wolfpack's Advisory, Awareness or Training services, please email firstname.lastname@example.org or visit their website https://wolfpackrisk.com/