There is no novelty in the negative economic impact that COVID-19 has had on businesses, but the coronavirus has had consequences other than monetary for many organisations.
According to insights from Deloitte’s Cyber Intelligence Centre, COVID-19 has resulted in an increase in phishing and ransomware attacks. This development builds on the general acceleration of cyber threats we have seen during the last couple of years and is best exemplified by the impactful cyber-attacks suffered by major Danish consumer businesses.
According to our survey, the perceived cyber threat has surged during the last two years, while the majority of respondents perceives the threat level to have remained unchanged during COVID-19.
What does the survey show?
72% of the respondents believe that the cyber threat against their organisation has either increased or increased significantly during the last two years. Looking back on the first months of the COVID-19 crisis, 43% of the respondents indicate that corresponding developments in the threat level have occurred. Even though there is a significant difference between these two figures, both figures represent a positive change in Danish consumer businesses’ threat awareness level.
However, there is still room for improvement, which is exemplified by the 24% of the respondents stating that the cyber threat level has remained unchanged during the last two years, and the 54% indicating the same developments during the first months of COVID-19.
The survey also shows that, during the past year, one out of ten respondents has been exposed to a cyber-attack that has affected the economy, operations or/and reputation of their organisation. Further, another 16% have managed to detect such an attack and stop it in time. 70% have not been affected by a cyber-attack of this scale.
According to Deloitte’s cyber experts, building a resilient cyber defence begins with a detailed threat assessment, weighing the likelihood of different threats and embedding prioritised security measures as a result. Altogether, this should form the basis of the strategy and budgeting and help you identify the competences necessary to keep the organisation safe.
The fact that 24% of the respondents do not perceive the threat level to have changed during the last two years, and that 54% have not experienced an increase during COVID-19 either, might indicate that it is necessary to revisit the cyber threat assessment for some Danish consumer businesses.
Having visibility into one’s own organisation as well as having the needed resources available and access to sufficient data is crucial to having a realistic understanding of how the threat landscape looks like and evolves. By not having a realistic understanding of such developments, it becomes almost impossible to mitigate the threats one’s organisation are facing. A mismatch between threats and cyber defence efforts poses a potent security risk.
Finally, 11% of the respondents indicate that they have been hit by a cyber-attack, which has affected their economy, operations and/or reputation during the past year. This is a high number, taking into account that another 16% have detected and stopped an attack of a similar scale, and that a noteworthy number of undetected incidents can be expected. This underlines how significant the cyber threat against Danish consumer businesses has become.
The broader picture
Understanding the threat landscape
An organisation should not only be aware of the general threat landscape and threat level, but also have deep insights into the specific threats that the organisation is facing. This involves assessing which assets need to be further protected and knowing about the potential attackers’ modus operandi. Every organisation should map its most valuable assets i.e. its “crown jewels”, define its commercial prioritisation and investigate what vulnerabilities and threats are associated with the existing systems and technologies.
“Sensing” a cyber-attack
Companies have historically invested in detecting cyber-attacks. Such detection is based on a combination of technology, processes and people. Recent attacks have shown that this does not suffice. For example, NotPetya was able to wipe out half of the affected companies’ assets in less than two hours in one attack. Today it is also important to sense what attack vectors are more important for your organisation, e.g. through threat intelligence, threat assessments and crown jewel identification, and by regularly ensuring that you are cyber resilient and protecting your crown jewels.