Light Dark
August 15, 2018 By Christophe Veltsos 4 min read
Risk Management
Data Protection

The demands of cybersecurity and cyber resilience are expanding at a clipping pace as attackers adapt to new defenses. To help navigate the shifting terrain, Marsh & McLennan released its “MMC Cyber Handbook 2018: Perspectives on the Next Wave of Cyber,” which presents a global perspective on cyberthreats.

According to the report, we have reached an inflection point regarding our global ability to address cybersecurity risks for three main reasons:

  1. Cyberattacks, malware and business disruptions are growing more and more sophisticated, which made 2017 a banner year for security incidents.

  2. We are increasingly dependent on technology and connected devices, which has raised the profile of cybersecurity and resilience in most organizations — not to mention security budgets.

  3. Governments, regulators, law enforcement and auditors are just beginning to effectively coordinate cyber risk strategies and share intelligence about the evolving and increasingly interconnected nature of the threat landscape.

Key Takeaways From the Report

The “MMC Cyber Handbook” is not your typical security report. It juxtaposes security statistics with short articles on topics such as the General Data Protection Regulation (GDPR), the many high-profile ransomware (such as WannaCry and NotPetya) and distributed denial-of-service (DDoS) attacks (such as the Mirai botnet) that befell organizations in 2017, and the need for improved cybersecurity across regions, sectors and even departments.

A few statistics stand out for their relevance to everyday internet users:

  • The average number of identities exposed per breach reached 927,000 in 2016, compared to 466,000 in 2015 and 805,000 in 2014. 2016 was also the first year to see 15 breaches with more than 10 million identities exposed — up from 13 in 2015 and 11 in 2014.

  • The number of ransomware families hit 101 in 2016, more than three times the number of families observed in each of 2014 and 2015. In 2016, the average ransomware amount was over $1,000, about three times as much as the previous year.

  • In 2016, the average number of cloud apps used per organization reached a staggering 928 apps, up from 841 the year before.

  • The energy, healthcare and retail sectors saw the highest numbers of cyberattacks in the past year, with reported attacks from 26, 25 and 25 percent of companies, respectively. Manufacturing came in fourth with 22 percent. Organizations in the power and utilities sector also found themselves in attackers’ sights, with 14 percent reporting cyberattacks.

  • In terms of managing, responding to and recovering from a cyber incident, only 19 percent of respondents said they were highly confident, 62 percent said they felt fairly confident and 14 percent said they were not at all confident. Meanwhile, 6 percent reported that they didn’t know.

Why Experts Are Forecasting a Cyber Hurricane

In case anyone still doubted the increasingly systemic nature of cyber risks, the report noted that conditions have evolved beyond data breach fatigue into what U.S. military officials dubbed “a potential ‘Cyber Pearl Harbor'” and one report author described as “early versions of cyber hurricanes.” This digital perfect storm is due to our increased dependence on technology, combined with the high number of vulnerabilities and continuing growth and specialization of the cybercrime market.

As the high-profile incidents of 2017 and 2018 have shown, a cyber incident can quickly spread beyond its initial vector of entry and wreak havoc with both IT and operational technology, seriously impacting an organization’s business activity. The report noted that this is especially concerning for manufacturing and logistics organizations, which are particularly susceptible to cyber risks due to the nature of their businesses — with little slack, lots of outsourced parts and dependence on just-in-time inventories.

How the Financial Sector Is Leading by Example

While the financial sector is often a leader in terms of improving cybersecurity, the report noted that the margin for error is getting smaller due to recent regulatory changes, including those from the New York Department of Financial Services (NYDFS) and the Office of the Comptroller of the Currency (OCC), as well as the 2017 updates to both the Federal Financial Institutions Examination Council (FFIEC)’s “Information Security Handbook” and its Cybersecurity Assessment Tool.

In its spring 2018 “Semiannual Risk Perspective” report, the OCC urged the banking sector to be aware of the evolving nature of cyberthreats and warned of bad actors that seek to exploit personnel, processes and technology.

“Failure to maintain proper cybersecurity controls can lead to material negative effects on banks, consumers, and national and economic security,” the report noted. The authors went on to advise banks to “have a well-established and tested response plan in case a cyber incident occurs.”

The OCC clearly stated its intention to pay close attention to cybersecurity and resilience in its “Fiscal Year 2018 Bank Supervision Operating Plan,” noting that examiners would “review banks’ programs to determine to what extent they assess the evolving cyber threat environment and banks’ cyber resilience.” Coupled with GDPR and similar regulatory guidelines, the Cyber Handbook’s advice regarding broader coordination will come in handy to help security professionals consolidate data protection policies across sectors.

How Can Companies Across All Sectors Improve Cyber Resilience?

In the handbook’s mini-article, “Limiting Cyberattacks With a System Wide Safe Mode,” author Claus Herbolzheimer advised organizations to consider moving toward decentralized cybersecurity architectures that can automatically disconnect from an infected system or network to prevent further attacks or disruptions. The goal of such a mechanism is to reduce harm without completely shutting down and maintain a minimum level of healthy activity that can be sustained without further damage or compromise.

All in all, the “MMC Cyber Handbook” covers a lot of new ground, especially in terms of its global perspective on the evolving threat landscape. The bottom line is that as attackers grow increasingly sophisticated and their tactics more advanced, defenders will need to innovate and share intelligence on a global scale and across industries to keep their systems, data and personnel safe.

Never miss a new episode of the Security Intelligence podcast! Subscribe now on Soundcloud

 |  |  |  |  |  |  |  |  |  | 
Christophe Veltsos
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

More from Risk Management
April 11, 2024

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

April 3, 2024

GenAI: The next frontier in AI security threats

3 min read - Threat actors aren’t attacking generative AI (GenAI) at scale yet, but these AI security threats are coming. That prediction comes from the 2024 X-Force Threat Intelligence Index. Here’s a review of the threat intelligence types underpinning that report.Cyber criminals are shifting focusIncreased chatter in illicit markets and dark web forums is a sign of interest. X-Force hasn’t seen any AI-engineered campaigns yet. However, cyber criminals are actively exploring the topic. In 2023, X-Force found the terms “AI” and “GPT” mentioned…

March 28, 2024

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature