Cyber attacks are the greatest threat facing advanced economies. So reported a 2018 survey of over 12,000 businesses, though in truth it is but one recent survey of many. The risk that cyber attacks pose is a fact that becomes less questioned with every retelling. But why is it so?
There is an easy answer to this question. Since the first electronic message was sent over the medium (rather longer ago than many people realise – on 29 October 1969), the importance of the internet has grown inexorably to the point that it touches upon almost every aspect of modern society. Seemingly overnight, the internet has attained such importance that any significant interference with its smooth operation risks catastrophe.
But, as with any issue as pervasive as this, there are many facets to the question. Where, for instance, lies the real risk? In the larger-scale attacks that overwhelmingly incapacitate and immobilise? Or in the combined volume of smaller attacks, which individually cause little damage, but collectively chip away at the fabric of our economy?
A recent survey, commissioned by Business in the Community, suggests that it is the latter that poses the far greater risk. Not only had a full quarter of the SMEs surveyed implemented no protections against cyber attacks, but 40% responded that they had taken no steps to update their cyber security strategies in the last 12 months. These findings seriously call into question the effectiveness of the protections in place in smaller businesses. Small wonder that the vast majority of cyber attacks are perpetrated against SMEs. Criminals, like any entrepreneur, tend towards the easiest markets.
However, another argument takes the opposite view, and suggests that it is not this more mundane brand of small-scale cyber criminality that is driving businesses to identify cyber attacks as the greatest threat facing advanced economies. Although it is not a fact acknowledged by the traditional heist movie, SMEs were the easiest market for enterprising criminals long before the advance of the internet into society. And in return, SMEs always have relied, and still do rely, upon herd protection against this threat. Where that herd protection proves insufficient for society as a whole, SMEs evolve to rebalance the risk, whether through better individual (i.e. cyber security) or collective (i.e. policing) protections.
Why then must it be the large-scale cyber attacks that form the foundation of the perceived risk? Perhaps unsurprisingly, the answer lies in the differences that the internet has introduced into modern society. The information revolution has massively reduced barriers to interaction. The electronic automation that allows you to shop on a different continent at 3 am is the same automation that now allows an orchestrated, large-scale cyber attack to far outlive the confines of its original purpose. The geographic incidence of the NotPetya attack in 2017, for instance, has led a number of experts to suggest that it was created by, or at least with the sanction of, the Russian government, which intended to use it in its conflict against Ukraine. And yet, the nature of the virus meant that it quickly exceeded these bounds, causing significant damage to businesses and industries worldwide.
Clearly, herd protection provides no protection against a large-scale cyber attack: it is a contagious infection rather than targeted predation. Proximity, the key to herd protection, only enables the attack rather than protecting against it. How, therefore, can businesses protect themselves against the risk of these sorts of large-scale cyber attacks?
Clearly, the most obvious answer is cyber security. Commentary on the recent Business in the Community survey has focused on the proportion of SMEs not implementing or updating cyber security measures. However, commentators tend not to report on the significant efforts that most businesses, particularly large enterprises, have expended on improving their cyber security. ‘Company updates cyber security measures, which appear to be working’ simply does not make good copy.
The less obvious answer is insurance. It has been possible to insure against the risks that cyber presents since the late 1990s. For many years, few companies purchased policies, whether because at that stage cyber security did not pose (or had not yet been recognised to pose) a significant risk or because the policies on offer contained significant exclusions. However, the cyber security insurance market has both matured and grown significantly since that point. Indeed, for SMEs, the cyber security insurance market has been the fastest growing market in recent years.
However, like the threat it seeks to mitigate, the cyber security insurance market remains embryonic. Insurance companies have made and continue to make strenuous efforts to understand the cyber security risk, but it is new and ever changing. Logically, this fact should undermine the effectiveness of cyber security insurance as a potential solution for companies. And indeed, recent activity bears out this deduction.
DLA Piper has recently initiated proceedings against its insurer, Hiscox, over its refusal to pay out on DLA Piper’s claim arising out of the Petya ransomware attack. It was widely reported at the time that DLA Piper’s servers and computers had been heavily infected by the virus, wiping out emails and telephones for 3,600 lawyers in 40 countries for two days. The blackout meant that lawyers at the law behemoth could not access documents and had to postpone work.
The dispute underlines the difficulty that businesses face in trying to control their exposure to cyber attacks. The cyber threat itself is hardly new. Robert Morris accidentally released the first ‘denial of service’ worm in 1988, which is widely regarded as the first ‘cyber attack’ – though the fact he did so inadvertently does somewhat undermine the description. However, with the introduction of the internet of things, and the increased connectivity that this brings, the cost of the risk rises inordinately. It is the novelty of that change which means that the cyber battleground, both between criminals and businesses, and between businesses and insurers, will be a disorienting place for some time to come.