Digitalisation has made our society much more efficient and, in many ways, made our everyday life easier. But is security keeping up at the same pace so that we can trust that our digital services are safe and sustainable?
Digitalisation outruns security
Digitalisation is a natural development that has been going on since we started using computers. In recent decades, digitalisation has progressed at a high speed and more and more of society is dependent on digital services. What we notice is that the security work is unfortunately not keeping up, which results in a very low level of security in our digitalised systems and processes.
Below is a simple image to illustrate the fact that security is not prioritised as highly as digitalisation.
According to this image, at least one of the curves must change direction. Either the security curve must rise faster, or the pace of digitalisation must decrease, which feels like the less likely scenario. If neither curve changes its slope, the gap between security and digitalisation will widen even more, and in this gap there will be greater and greater losses and costs for companies, society and private individuals.
Security work must keep up with a digitalised society
As we rely more and more on digital systems, we must simultaneously learn how to build resilience and robustness into these systems, so that we can deliver stable and sometimes socially essential services over time. Digitalisation enables a very efficient way to deliver services of various kinds, but at the same time makes us dependent on a very high level of availability of the systems. If we have no alternative way of delivering the services, an interruption has major consequences for customers or citizens. Where that is the case, you need a high level of security as well as alternative working methods and alternative ways to deliver your services.
A current example where security has not caught up with digitalisation
An example of an organisation that has experienced problems with digitalisation overriding security is A-kassorna in Sweden. After an IT attack, the organisation chose to shut down A-kassorna’s systems as a precaution to minimise consequences and further damage to the systems, which meant that members could not access their A-kassa. The systems for unemployment benefit payments were also affected and could not be opened for several days. It is obvious in this example that there was a lack of alternatives to the digital systems that were affected.
It is difficult to avoid all cyberattacks, but in this case it is clear that the organisation was not prepared for this type of scenario. Security was lacking in that all systems had to be shut down to prevent further damage; appropriate security measures that separated the systems and their networks from each other could have remedied this. As many people depend on unemployment benefits, it is important that security is increased to match the digitalisation of the systems, so that the organisation is better prepared for this type of attack next time.
Businesses important to society have digitalised very quickly, perhaps too quickly, as security is demonstrably not at the same level and order of priority.
What can the cost of a cyberattack be?
The cyber threat is increasing in the world and more and more attacks are occurring. A study by Check Point Software Technologies puts the average number of attacks per organisation in EMEA (Europe, Middle East, Africa) at 777, an increase of 36%. In Sweden, ransomware attacks increased by 108% during the first quarter of 2022, according to Check Point Software Technologies. As a result of increased malware, the cost of cyberattacks has absolutely exploded. In 2021, the cost was 6.9 trillion dollars, and Cybersecurity Ventures expects that the global cost of cybercrime will end up at 10.5 trillion dollars in 2025. This cost includes, among other things, restoring systems, but also lost revenue.
Adequate cybersecurity can protect you from ransomware, data leakage, data manipulation and so on. There are plenty of examples from recent years of companies being hit by attacks that resulted in large costs. An attack can be very expensive. For example, you can lose money due to:
- Downtime affecting your business
- Lost revenue
- System recovery and cleanup
- Lost trust/goodwill
Quantifying cyber risk
Even though many do not see security as a priority and often postpone it, it is an investment that will ultimately be cheaper than the cost of an attack often is. One way to justify this is to work with Cyber Risk Quantification (CRQ), which means that you prioritise risks according to their potential for financial loss. This allows the people responsible in a company to create budgets based on the mitigation strategies that afford the best protection and return on investment.
In a CRQ, you look at the economic impact of cyber risk on your business, but also on more intangible yet fundamental areas like customer satisfaction, employee engagement, reputation management, brand protection or supply chain management. All these are risks that will cost you money in the end.
The risk cost is the probability of a certain consequence times the cost of that consequence. So, for a consequence that would cost the company or organisation 1 MSEK and is expected to occur once every ten years, the risk cost is 1 MSEK × 1/10 per year = 100 000 SEK/year. The protection for this particular risk should then not cost more than that amount.
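The calculation above applied to a small risk register, as an added example that is not part of the original article. Only the 1 MSEK, once-every-ten-years case comes from the text; the other risks, the protection costs and the frequencies after protection are constructed values, and all function and field names are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    loss_sek: int             # cost of one occurrence of the consequence
    years_between: int        # expected interval between occurrences today
    control_cost_sek: int     # yearly cost of the proposed protection (constructed)
    years_between_after: int  # expected interval with the protection (constructed)

def risk_cost(loss_sek: int, years_between: int) -> float:
    """Annual risk cost = probability per year x cost of the consequence."""
    return loss_sek / years_between

def assess(risk: Risk) -> dict:
    before = risk_cost(risk.loss_sek, risk.years_between)
    after = risk_cost(risk.loss_sek, risk.years_between_after)
    reduction = before - after          # yearly risk cost the protection removes
    return {
        "name": risk.name,
        "risk_cost": before,
        "reduction": reduction,
        "net_benefit": reduction - risk.control_cost_sek,
        # The article's rule: protection should not cost more than the risk cost.
        "within_ceiling": risk.control_cost_sek <= before,
    }

def prioritise(risks: list[Risk]) -> list[dict]:
    """Rank risks by the yearly return the proposed protection gives."""
    return sorted((assess(r) for r in risks),
                  key=lambda a: a["net_benefit"], reverse=True)

# Constructed register; the first entry uses the article's own figures.
REGISTER = [
    Risk("Article example (1 MSEK, once per 10 years)", 1_000_000, 10, 60_000, 50),
    Risk("Ransomware outage (constructed)", 8_000_000, 4, 500_000, 20),
    Risk("Minor data leak (constructed)", 200_000, 5, 90_000, 10),
]

if __name__ == "__main__":
    for a in prioritise(REGISTER):
        verdict = "fund" if a["within_ceiling"] and a["net_benefit"] > 0 else "rethink"
        print(f'{a["name"]:<45} risk cost {a["risk_cost"]:>10,.0f} SEK/year  '
              f'net {a["net_benefit"]:>10,.0f}  {verdict}')
```

The constructed data-leak entry shows the failure case: its protection costs more per year than the risk it addresses, so it exceeds the ceiling and ranks last.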