listen to this article:
In an interview on 60 minutes on April 11, 2021, the Federal Reserve Chairman Jerome Powell stated cyberattacks as the major risk to our economy today. In answer to a question about the probability that a crash like 2008 will happen again now, Powell answered that the chances of that situation happening is extremely low. However, the world is changing, and now the biggest risk to the economy is due to cyberattacks.
This is not the first time that I have heard this answer. Almost exactly two years ago today, the CEOs of seven of the USA’s largest banks testified before a House Committee. In response to the question, “What do you think the biggest risk to our financial system is today?” from Ohio Republican Rep. Steve Stivers, 5 out of the 7 CEOs answered “cyber-attacks.” In 2016, IBM’s CEO, Ginni Rometty, said that “cyber crime [sic] is the greatest threat to every company in the world.” Although, as I have said, this is not the first time I’ve heard this statement, it is extremely telling that it was said by the Chairman of the Federal Reserve.
Protecting Digital Infrastructure: No Silver Bullet
It is clear to everyone that we are now completely dependent on our digital infrastructure. There is just no other way to do business, and the need to be able to move quickly in order to compete means that systems need to be kept more and more open. This leads us to a dangerous scenario where we are completely dependent on systems that we cannot fully protect.
Unfortunately, cybersecurity is a field with no silver bullet. It is impossible to provide 100% virtual security, much in the same way as it is impossible to provide 100% physical security. In the physical world we therefore rely on tactics like making it too expensive to be worth it, and deterrent in the form of fines and prison. However, these tactics are difficult, if not impossible, to replicate in the digital world. It is much harder to catch an attacker who has digital presence only. Furthermore, attackers are often located in countries far away and out of legal jurisdiction. This means that there is very little deterrent from a legal perspective. In addition, the potentially huge gain from cyberattacks together with their relatively low cost means that it is almost never “too expensive.” The result of making it too expensive for the attacker often means a loss of business, making it not profitable.
Stated differently, risk analysis often leads to the result that the expected loss from attacks is lower than the cost of the loss of business from “overly securing” a system (e.g., by disconnecting it from the Internet). This is exactly the point where cybercrime now becomes a threat to the company itself. It may be true that the expected (average) loss is not too high, but a major attack on a company’s systems can be far from the average and can lead to losses that it cannot recover from.
Cyberattacks come in many forms and are often far more creative than stealing money directly or stealing credit card numbers and selling them. Furthermore, the threat is not just to individual companies, but also to our general economy.
For example, there is very strong evidence that cyberattacks on publicly traded companies increase significantly just before the end of a quarter. The aim of these attackers is simple: if they can access a company’s quarterly reports before they are released, then they will have a significant advantage on the stock market (selling early if performance is poor and buying early if performance is strong). At a large scale, such activity can be hugely profitable. However, this type of attack is also a threat to the global economy. If such activity becomes too prevalent, then investment in the stock market will be too dangerous. The honest players will have a major information disadvantage over the attackers, and so will consistently lose. This is the reason that insider trading is illegal, but as we have described above, the legal deterrent for insider trading is far stronger than for such cyber attackers.
Take Cybersecurity Risks Seriously
So, what can organizations do in these circumstances? We certainly cannot just “give up.” The fact that we cannot 100% secure our systems does not mean that we cannot go a long way in protecting ourselves. Recognizing that there is no silver bullet, the best thing that companies can do is to just take the risk very seriously. I truly believe that this is why Powell chose to raise this point.
When an organization takes cybersecurity seriously, then they have a powerful CISO with a significant team and large budget, business needs are balanced with security ramifications, and the “checklist” approach of “best practices” is replaced with serious security measures. This won’t solve everything, but it’s amazing how impactful such a change in mindset can be. The days of organizations with figurehead security teams so that boards and CEOs can state “we did our best” are over. The threat of cyberattacks has gone far beyond a hit to the organization’s reputation. As a threat to the business itself, everyone needs to adopt a much more serious approach to the issue.
Click the link to learn more about how to protect your finances using better cryptography and up-to-date digital infrastructure tools.