In January 2021 the World Economic Forum published the Global Risks Report, its annually depressing read of things that can and might go wrong with the world.
Among the highest likelihood risks of the next ten years were digital power concentration, digital inequality and cybersecurity failure. It is worth remembering that back in 2006 the same report warned that ‘lethal flu, its spread facilitated by global travel patterns and uncontained by insufficient warning mechanisms, would present an acute threat’. So the report is definitely one worth taking seriously.
Research from McKinsey has shown that the Covid-19 crisis accelerated digitalisation in ways nobody could have ever predicted. Consumers have headed online in their droves and companies have responded rapidly. Video has replaced coffee-shop meetings and conferences and cloud accounting solutions have seen a boost. McKinsey found that companies moved 40 times faster than they thought possible before the pandemic to implement remote working solutions.
The cybersecurity implications are eye-watering to consider, but cannot be ignored – particularly in light of recent cyberattacks, including one that shut down the largest US fuel pipeline and jeopardised supplies to major US cities. There is also risk from software bug-related internet outages, like the one at infrastructure provider Fastly that knocked many of the world’s biggest websites offline. Incidents like these highlight how much more exposed we become as digitisation increases. Research from SEO agency Reboot suggests that the Fastly outage could have cost Amazon as much as USD 32 million in sales.
Three kinds of attack dominate. The first is phishing: attempts to obtain sensitive information, such as usernames, passwords or credit card numbers, by posing as a trustworthy entity in a digital communication. The second is ransomware: malware that encrypts a company’s or individual’s data and holds it to ransom. The third is business email compromise (BEC): an attack in which a business email account is hacked, spoofed or impersonated, typically to redirect payments or extract data.
“Ransomware and business email compromise have been increasing over the past few years,” says Norman. “So far this year we are getting four times as many reports from our US customers experiencing significant attacks, and across many industries. The dollar amount of ransom is creeping up too, making it difficult for some businesses to recover control and resume normal operations.”
Multiple factors contribute to the rise in incidents. The advent of ransomware-as-a-service makes it easy for unskilled criminals to rent a ransomware platform and target vulnerable companies for a high return on investment. “The fact that ransom is being paid emboldens the threat actors to execute more ransomware campaigns,” says Norman. Colonial Pipeline paid USD 4.2 million in ransom after significant disruption and concerns for public safety.
The number and severity of software vulnerabilities are also growing. The practical challenge is to patch known vulnerabilities promptly, because ransomware platforms are not overly sophisticated. Most of them rely on poor security hygiene: unpatched vulnerabilities, misconfigured software, insecure network protocols, unnecessary network ports left open, insecure coding practices, or users failing to recognise phishing attempts.
More recently, Norman Comstock says he has seen small banks, law practices, healthcare and manufacturing clients hit with BEC. “Our forensic review revealed that their Microsoft 365 mail had been compromised primarily because multi-factor authentication was not configured or inadvertently disabled. Customers using Microsoft 365 mail should review their configuration and turn on multi-factor authentication to reduce BEC risk.”
Data and system backups are also worthy of close attention. “Whether backups are done on premises or to the cloud, all companies should verify that their backups are periodically tested to ensure recovery. This will minimise costly exposure and perhaps the need to pay a ransom,” he says. To make matters worse, none of these risks is diminishing. In fact, reports suggest that hackers are getting smarter.
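The restore test Norman describes can be scripted. The following is an added illustration, not code from the article or from UHY: it backs up a small constructed set of files into an archive, restores the archive into a fresh directory, and proves the restore is byte-for-byte identical by comparing SHA-256 digests. The file names and contents are made up for the demonstration; the same routine would run against a real archive and restore location.

```python
"""Back up a directory, restore it somewhere fresh, and verify the restore.

Added example for the backup-testing advice above; not code from the
article or from UHY. Standard library only. The sample files written
by restore_test() are constructed for the demonstration.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def make_backup(src, archive):
    """Write src into a gzip'd tar and return the manifest of digests taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return sha256_tree(src)


def restore_backup(archive, dest):
    """Extract archive into dest (refusing path-traversal entries) and digest the result."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            # A tampered archive could carry "../" names; never write outside dest.
            if target != dest_real and not target.startswith(dest_real + os.sep):
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(dest_real)
    return sha256_tree(dest_real)


def verify_restore(manifest, restored):
    """Return the files that are missing or differ after restore (empty list = good)."""
    return sorted(path for path, digest in manifest.items() if restored.get(path) != digest)


def restore_test(corrupt_restore=False):
    """End-to-end restore test on constructed data. corrupt_restore simulates a bad restore."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "live")
        (src / "clients").mkdir(parents=True)
        (src / "ledger.csv").write_text("2021-06-01,invoice 1042,1500.00\n")
        (src / "clients" / "acme.txt").write_text("Acme Ltd, account manager: J. Smith\n")

        archive = Path(work, "backup.tar.gz")
        manifest = make_backup(src, archive)

        dest = Path(work, "restore")
        dest.mkdir()
        restored = restore_backup(archive, dest)
        if corrupt_restore:
            (dest / "ledger.csv").write_text("")  # truncated file, as a failed restore might leave
            restored = sha256_tree(dest)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore problems:", restore_test())
    print("corrupted restore problems:", restore_test(corrupt_restore=True))
```

The point of the exercise is the manifest: digests recorded when the backup is taken are the only independent evidence that what comes back is what went in, so they should be stored separately from the archive itself. A restore that completes without error but returns a non-empty problem list is exactly the failure a ransomware victim discovers too late.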
While many accounting firms, consulting firms, and IT vendors offer some aspect of triage to identify security risk, small and mid-sized businesses often do not have dedicated security teams. This means they rely on products and third parties to help identify risks and implement protective technologies.
“What is generally missing or ineffective in this approach,” says Norman, “is the personnel, technology and process to detect unexpected network, account, or system activity.” And naturally, the slower the detection the slower the response. But, he adds, “The response should involve investigation, confirmation, communications and corrective actions to disrupt hacking activities. This is critical, as protective controls are fallible and detective controls may be under-resourced, leading to undetected and unresolved hacking activity and longer and costlier recovery.”
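As an added illustration of the kind of detective control Norman is describing, and of the BEC pattern from the Microsoft 365 cases above, the script below runs three simple checks over a batch of sign-in events: a successful sign-in that did not use multi-factor authentication, a sign-in from a country the account has never used before, and a run of failed attempts from one address followed by a success. It is not code from the article or from UHY, and the JSON event layout and field names are a simplified stand-in of my own, not a real audit-log export format; the events themselves are constructed for the demonstration.

```python
"""Flag risky sign-ins in a batch of account audit events.

Added example, not code from the article or from UHY. The event format
(one JSON object per line with ts/user/country/result/mfa/ip) is an
assumed simplification, and SAMPLE_LOG is constructed test data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). Documentation IP ranges are used.
SAMPLE_LOG = """
{"ts": "2021-06-01T08:02:11Z", "user": "cfo@example.com", "country": "GB", "result": "Success", "mfa": true,  "ip": "203.0.113.10"}
{"ts": "2021-06-01T08:40:53Z", "user": "cfo@example.com", "country": "GB", "result": "Success", "mfa": true,  "ip": "203.0.113.10"}
{"ts": "2021-06-02T23:17:04Z", "user": "cfo@example.com", "country": "NG", "result": "Failure", "mfa": false, "ip": "198.51.100.7"}
{"ts": "2021-06-02T23:17:31Z", "user": "cfo@example.com", "country": "NG", "result": "Failure", "mfa": false, "ip": "198.51.100.7"}
{"ts": "2021-06-02T23:18:09Z", "user": "cfo@example.com", "country": "NG", "result": "Success", "mfa": false, "ip": "198.51.100.7"}
{"ts": "2021-06-03T09:00:00Z", "user": "ap@example.com",  "country": "GB", "result": "Success", "mfa": false, "ip": "203.0.113.22"}
"""

# Assumed baseline of countries each account normally signs in from.
KNOWN_COUNTRIES = {"cfo@example.com": {"GB"}, "ap@example.com": {"GB"}}


def parse_events(text):
    """Parse one JSON event per line and sort by timestamp."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])


def detect(events, known_countries, window=timedelta(minutes=10), max_failures=1):
    """Return findings for successful sign-ins that trip any of the three checks."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> times of recent failed attempts
    seen = {user: set(countries) for user, countries in known_countries.items()}

    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] != "Success":
            failures[key].append(e["time"])
            continue

        reasons = []
        if not e["mfa"]:
            reasons.append("success_without_mfa")
        if e["country"] not in seen.setdefault(e["user"], set()):
            reasons.append("new_country:" + e["country"])
        recent = [t for t in failures[key] if e["time"] - t <= window]
        if len(recent) > max_failures:
            reasons.append(f"{len(recent)}_failures_then_success")

        failures[key] = []                 # a success closes the failure run
        seen[e["user"]].add(e["country"])  # the account has now been seen here
        if reasons:
            findings.append({"user": e["user"], "ts": e["ts"], "ip": e["ip"], "reasons": reasons})
    return findings


def run_sample():
    return detect(parse_events(SAMPLE_LOG), KNOWN_COUNTRIES)


if __name__ == "__main__":
    for f in run_sample():
        print(f["ts"], f["user"], f["ip"], ", ".join(f["reasons"]))
```

On the sample data the script raises two findings. The CFO’s account is flagged three times over in one event: a late-night success from a country never seen before, without MFA, immediately after failed attempts from the same address, which is the shape of a credential-guessing or phished-password takeover that MFA would have blocked. The accounts-payable user is flagged only for signing in without MFA, which is precisely the configuration gap the forensic reviews above kept finding. Whether these become tickets for a security team or emails to the business owner, the value is that someone is reading them the same day rather than after the first fraudulent payment instruction goes out.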
According to Dr Anuraag Guglaani, management consulting partner at UHY James Chartered Accountants, Dubai, United Arab Emirates, who leads the firm’s strategy, transformation, automation and cybersecurity services, “A combination of poor governance through incomplete information security policies, coupled with non-security-conscious users who make errors,” are the main reasons for cybersecurity breaches. He says businesses are seeing wide-ranging threats including data theft, financial loss after ransomware attacks, system disruptions that cripple businesses, and reputational risk after news of an attack spreads to the public.
In Italy, UHY Audinet Srl partner, Andrea d’Amico, is establishing a wider IT auditing service alongside developing the firm’s own cybersecurity safeguards. “We know that IT security, cybersecurity, IT governance and IT auditing are becoming critical lines of service for our clients,” says Andrea, citing fast-growing technological developments and increasing operational dependency on technology. “We already perform IT audits supporting the internal audit, and offer compliance and risk management, as well as supporting financial statement audits.”
Cybersecurity expertise is increasingly available to UHY clients thanks to centres of excellence such as these in the US, UAE and Italy, as well as UHY’s global proactive knowledge-sharing infrastructure. This means clients anywhere in the world can benefit from the latest advice, tools and implementations, including the US National Institute of Standards and Technology (NIST) Cybersecurity Framework, a voluntary framework of standards, guidelines and best practice for managing cybersecurity risk, organised around five core functions: identify, protect, detect, respond and recover.
Read more client stories in UHY International's Global Magazine Issue 12.