Home working: a heaven-sent opportunity for hackers?
What are the biggest risks facing companies in the future? According to a study by Marsh & McLennan (MMC) and FireEye, the greatest threats are neither economic nor climate-related. Their survey of companies revealed that cyberattacks are regarded as the biggest risk, and that this has been the case for several years. This makes sense, given that the global cost of cybercrime was estimated at US$ 600 billion in 2018 alone, a 33 per cent increase on 2016. One of the reasons why the cost is growing is that the number of successful attacks is rising. According to a cybersecurity study by the Federal Association for Information Technology, Telecommunications and New Media (BITKOM) last year, 70 per cent of the companies surveyed in Germany said they had been harmed by a digital attack in the period 2018/2019. In 2017, the figure was 43 per cent.
In a recent incident in North Rhine-Westphalia, fraudsters attempted to exploit the coronavirus crisis by intercepting emergency grants intended to help out small businesses. Using fake websites, they obtained sensitive company data which they then used to divert the aid payments to their own bank accounts.
Other reasons for the increased prevalence of cyberattacks include the rapidly growing number of mobile devices used at home and at work, and the associated rise in the volume of sensitive data and emails sent. MMC and FireEye estimate that the number of internet users is growing at ten times the rate of the global population. These trends create fertile ground for hackers and immense challenges for company managers. Firstly, the security of confidential customer and company data has to be guaranteed, not least to ensure compliance with ever-stricter regulatory requirements governing data protection. But at the same time, employees are tending to work away from the office more and thus using a greater number of digital end devices. The task of company managers is therefore to create a robust framework that provides the best possible protection against cyber risks while also allowing employees to work remotely. Investing in hardware and software is not enough. Workforce training and good governance are equally important for all companies if they are to protect themselves against internet-based attacks.
This analysis in the anGEDACHT series begins by looking at the increased IT risks arising from the growing trend towards remote working. It will then show how cyber risks can be systematically integrated into a model and examine the implications of this for investors.
Figure 1: Number of coronavirus-related cyberattacks is rising
Coronavirus is accelerating the shift in working habits and resulting in increased cyber risk
The trend towards digitalisation of the economy and the ever-increasing use of the internet are not new developments, but the coronavirus pandemic has given a further boost to these change processes. The enforced temporary lockdown of almost all sectors of the economy has brought about a radical restructuring of established work patterns within a very short time. Working from home has become the norm, especially in the service sector. Some estimates suggest that over the past weeks and months, up to 95 per cent of workers have been working somewhere other than their usual workplace. For the majority of them, a space at home has replaced their office desk. And although lockdown was only temporary, it is likely that the effects will last. Particularly at companies whose IT systems have coped well during the crisis, mobile working may continue to be regarded as an attractive alternative in the future. This will result in a significant increase in the number of employees accessing company systems and data from outside the office. The volume of data being transmitted through these systems will similarly rise. It looks as though hackers are already well prepared for these developments. They have been stepping up attempts to exploit the current situation since mid-March, using methods such as newly created websites and phishing emails, as shown in figure 1.
They use these websites to trick employees and internet users. According to a Bloomberg survey carried out in April, up to 8,000 malicious websites were set up within a short space of time using the terms ‘coronavirus’ or ‘COVID-19’ – and the number continues to grow. Cybersecurity specialist Proofpoint estimates that there are at least 300 different malicious online campaigns that are also seeking to profit illegally from the crisis. The digital attacks also include millions of scam emails designed to mislead internet users into disclosing information that can then be used by the scammer for financial gain.
Greater demands on management
Many companies have long been aware of the risks described above and have already implemented measures to protect themselves. According to the aforementioned study by MMC and FireEye, spending on protection against cyber risks was already running at US$ 114 billion in 2018. This is an increase of 10 per cent compared to 2016. As mentioned above, however, losses from successful cyberattacks rose by 33 per cent in the same period. This mismatch makes one thing clear: companies need to step up their efforts and also their budgets if they are not to be left completely behind in the battle against the hackers.
In addition to capital expenditure on IT, good governance and a well-functioning risk management system are key to defending against future cyberattacks. According to experts, the following principles should apply within all companies:
• Responsibility for data protection and security, and thus for compliance with applicable national regulatory requirements, rests with the company’s most senior managers.
• Security systems must be regularly reviewed and tested, not only within the company itself but also in outsourced operations.
• Official certification in the areas of IT security and data protection serves as transparent confirmation of the internal processes.
• All employees receive comprehensive and ongoing training.
Sustainable companies take the threat (more) seriously
As mentioned above, employees play an important role in defending the company against cyberattacks because the majority of these attacks still begin with emails sent to private individuals and company employees. MMC and FireEye estimate that around 90 per cent of successful hacker attacks start with phishing emails. In times of crisis and when more people are working from home, it may be easier for individual employees to (unintentionally) do the wrong thing when they are on their own at home. It is still the case that untrained employees are the weakest link in a company’s defence against hackers.
Companies with a focus on sustainability therefore take the view that well-trained, motivated and satisfied employees are an important asset to their organisations when it comes to fending off cyberattacks. Such employees are a first effective line of defence in the battle against external IT threats. These employees are often better able to identify harmful emails and respond quickly and appropriately if an IT-related incident occurs.
Ongoing training of employees on matters of cybersecurity and data security provides the basis for another important management responsibility: the protection of customer and company data. The data protection regulations are becoming ever stricter in many countries and the potential sanctions for breaches – such as those provided for by the EU General Data Protection Regulation (GDPR) – are also getting tougher. Last year, British Airways and the Marriott hotel chain had to pay huge fines after customer data was compromised in cyberattacks.
Many of the companies whose IT systems were attacked were found to have weaknesses in the areas of human capital and risk management, and this was also reflected in their lower social and governance ratings. Investors can use such ratings as initial indicators of cyber risks and factor them into their investment decisions.
Nor should the reputational damage that can flow from such data leaks be underestimated. In the long term, the resulting loss of confidence among customers and business partners is often more costly than a fine.
Leading ESG companies prepare for these scenarios through measures such as appointing the right people to the management board and supervisory board. In many cases, they have greater IT expertise than their competitors. This makes them more resilient to cyberattacks and means they are less affected by one-off financial hits and reputational damage.
Changing IT infrastructure requirements
The changes to established work processes necessitated by the coronavirus pandemic have prompted many companies to embrace the digital transformation more readily than they might otherwise have done, so that more of their staff can work from home. But this change process only makes sense and can only be successful for a company if it does not lead to increased cyber risks. Figure 2 shows the (changed) IT requirements, before and after the coronavirus crisis.
Figure 2: Working from home increases cyber risk
Before coronavirus, companies were able to protect their staff and themselves through effective firewalls (left side of the chart), but this IT-based approach becomes far less effective when greater numbers of employees work from home. Compared to the pre-pandemic situation, the number of teleworkers has increased exponentially and, as a result, the number of external attacks on the company’s systems has risen (right side of the chart). Simply ensuring the necessary IT stability in the current phase is challenge enough for many companies. To make matters worse, hackers are getting better at disguising their attempts to gain illegal access to corporate data and systems. And it is not always possible for the company’s security systems to detect the attackers, due to the significantly increased volume of external user requests. The current situation is thus increasing the likelihood of a damaging hacker attack.
Figure 2 shows that traditional IT-based approaches are no longer fit for purpose when it comes to protecting employees, systems and data. They need to be adapted to the new behaviours and work practices. For many companies, this means more investment is required, especially in the area of cloud security. The cloud is IT infrastructure that is accessed over the internet; it generally provides storage space, processing power and application software that does not have to be installed on the local computer. But the important and versatile uses of cloud computing, which is what makes remote working possible in the first place, also require special protective measures to be put in place. Software providers that offer specialist solutions in this area are therefore important partners for companies.
These providers also represent interesting investment ideas for investors. Specialist cybersecurity providers such as CrowdStrike, Okta and Zscaler offer innovative security solutions for the protection of IT systems. These include:
• the protection of new IT endpoints (i.e. employees with their mobile devices in their home offices)
• reliable identification of individuals trying to access systems or data
• the secure transfer of valuable data.
In comparison to companies that operate in this forward-looking IT subsegment, suppliers of traditional security software such as NortonLifeLock (formerly Symantec), Trend Micro and Juniper Networks are becoming less attractive, as not all of their products are able to offer effective protection against cyberattacks in the current situation or in the post-coronavirus age.
In addition to selected providers of security software, other providers of IT services such as Accenture, IBM and Capgemini are benefiting from the changing parameters. Their consultancy services are helping to make IT infrastructure more secure so that companies can allow their employees to work from home while limiting the associated IT risks.
Some sectors more at risk than others
For the capital markets and investors, it is increasingly important to factor potential cyber risks into investment decisions, not least from a risk perspective. This can be done at the level of individual securities or at a higher aggregation level, as it is also possible to draw conclusions regarding IT security for individual sectors. Depending on the sector, working from home may or may not be a factor.
Using a proprietary analysis model, we can produce a cyber risk ranking for eleven sectors. Factor 1 in figure 3 assesses, for each individual sector, the probability of the occurrence of a cyberattack that would lead to severe restrictions on business activity. The sector specialists at Union Investment have factored the following aspects into the qualitative assessment:
• Historical data on cyberattacks in the sector concerned
• The sector’s governance structures
• Data volumes and data protection processes
• The level of digitalisation within the sector
• The individual assessment by the appropriate specialists.
Factor 2 assesses the potential losses that could be incurred as a result of a successful cyberattack. This qualitative assessment is also based on a number of assumptions:
• Data on historical losses arising from an attack through malicious software programs (the average cost of a malware attack is between €3 million and €4 million), and the average time that business operations are impaired as a result of a cyberattack (up to 50 days)
• Possible fines if the company is found to be in breach of data protection provisions
• A fundamental assessment by the sector specialist as to the impact all this could have on revenue, profit and reputation.
The two factors are combined to produce an ‘exposure’ ranking of each sector, as shown in figure 3.
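The two-factor model described above can be implemented as a simple probability-times-impact risk matrix. The script below is an added example and is not Union Investment’s proprietary model: it assumes that each factor is a qualitative rating on a five-step scale (very low to very high), that the two scores are combined by multiplication, and that tied sectors share a rank. The eleven sector assessments it contains are constructed sample inputs, not the figures behind figure 3.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Qualitative ratings from the sector specialists mapped to an ordinal 1..5
# scale. The scale itself is an assumption of this example.
RATING_SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class SectorAssessment:
    sector: str
    probability: str  # Factor 1: likelihood of an attack that severely restricts business
    loss: str         # Factor 2: potential loss if such an attack succeeds


def to_score(rating: str) -> int:
    """Map a qualitative rating to its ordinal score, rejecting unknown labels
    so that a typo in an assessment cannot silently become a score of 0."""
    key = rating.strip().lower()
    if key not in RATING_SCALE:
        raise ValueError(f"unknown rating {rating!r}; expected one of {sorted(RATING_SCALE)}")
    return RATING_SCALE[key]


def exposure(assessment: SectorAssessment) -> int:
    """Combine the two factors. Multiplication (probability x impact) is the
    assumed combination rule; the page does not state the formula."""
    return to_score(assessment.probability) * to_score(assessment.loss)


def rank_sectors(assessments: Iterable[SectorAssessment]) -> List[Tuple[int, str, int]]:
    """Return (rank, sector, exposure) from most to least exposed.
    Sectors with equal exposure share a rank and the following rank is
    skipped (1, 1, 3, ...), so ties are visible rather than broken arbitrarily."""
    scored = sorted(((exposure(a), a.sector) for a in assessments),
                    key=lambda item: (-item[0], item[1]))
    ranked: List[Tuple[int, str, int]] = []
    for position, (score, sector) in enumerate(scored, start=1):
        rank = ranked[-1][0] if ranked and ranked[-1][2] == score else position
        ranked.append((rank, sector, score))
    return ranked


def high_exposure(ranked: List[Tuple[int, str, int]], threshold: int) -> List[str]:
    """Sectors whose exposure reaches the threshold an investor chooses to flag."""
    return [sector for _, sector, score in ranked if score >= threshold]


# Constructed sample assessments for eleven sectors (hypothetical values).
SAMPLE = [
    SectorAssessment("Energy", "high", "very high"),
    SectorAssessment("Financials", "very high", "high"),
    SectorAssessment("Utilities", "high", "high"),
    SectorAssessment("Health Care", "high", "medium"),
    SectorAssessment("Information Technology", "medium", "high"),
    SectorAssessment("Communication Services", "medium", "medium"),
    SectorAssessment("Consumer Discretionary", "medium", "low"),
    SectorAssessment("Industrials", "low", "medium"),
    SectorAssessment("Consumer Staples", "low", "low"),
    SectorAssessment("Materials", "low", "low"),
    SectorAssessment("Real Estate", "very low", "low"),
]

if __name__ == "__main__":
    for rank, sector, score in rank_sectors(SAMPLE):
        print(f"{rank:2d}. {sector:<24} exposure={score}")
```

With these constructed inputs the energy, financial and utility sectors come out at the top of the ranking, consistent with the ordering the text describes for figure 3; changing the scale, the weighting of the two factors or the combination rule is a matter of editing `RATING_SCALE` and `exposure`, which is where a real model would encode the specialists’ assumptions.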
Figure 3: Sectors have different risk profiles
According to the results produced by this model, the energy (oil and gas companies), financial (banks, insurance companies and financial service providers) and utility sectors are exposed to greater risks of cyberattacks. Investors should therefore factor the possible consequences of cyberattacks into their investment decisions in these market segments. Successful cyberattacks could have the following negative effects on individual sectors in particular:
• Companies in the financial sector are of particular interest to hackers because their large degree of digitalisation and wealth of sensitive customer and company data offer a broad and lucrative target for attack. For the financial companies, whose business is particularly reliant on customer confidence, every successful cyberattack constitutes a major loss of reputation. In addition, customers leaving and withdrawing their money, coupled with the threat of fines, means a big financial hit.
• The profile of utility companies has changed enormously in recent years. The importance of digital processes and data has steadily increased. Intelligent power grids, energy storage devices, digital customer data and the ‘smart home’ trend are making this sector more of a target for cybercriminals. But in addition to hackers’ interest in sensitive customer data – in May, the Technische Werke Ludwigshafen utility company was blackmailed and a ransom of several million euros demanded – companies within this sector are also at risk due to their systemic importance to the national infrastructure (secure supply of electricity, gas and water, and also the protection of power plants). Inadequate safeguards against cyberattacks could therefore have serious negative long-term effects, not only for this sector but also for the entire public infrastructure.
• The pharmaceutical sector also offers hackers a range of targets for a digital attack. Patients’ medical records and personal information from ‘wearables’ such as fitness trackers are potential targets for criminals, but medical technology is also open to potential attack. It sounds like science fiction, but pacemakers, insulin pumps and hearing aids could all become the subject of extortion attempts by cybercriminals. Pharmaceutical and medical technology companies therefore have an obligation to protect not only patient data but also technical equipment from attacks. In principle, any information and data that can be transferred and stored digitally or managed via smartphone apps is also vulnerable to hacker attacks.
One thing all sectors have in common is the need to respond to the increasing risks of internet-based attacks. However, managers in companies in sectors where there is a relatively high risk of cybercrime are under a particular obligation to rise to these challenges. Investors can obtain important information as to which companies and sectors are relatively well placed when it comes to employee satisfaction, training, risk management and data protection – and therefore more resilient to hacker attacks – either by using their own models or by carrying out a sustainability analysis of the social and governance ratings.
The risk of falling victim to a cyberattack has been growing for a number of years. Hackers now increasingly have companies in their cross hairs, as well as private individuals. Their aim may be to illegally obtain customer data, extort money or completely cripple a company’s operations. This is not happening because of coronavirus, but the pandemic has boosted the trend of working from home, which in turn has made companies more vulnerable to attack. The sheer number of mobile, digital end devices and the fact that IT infrastructure has not kept pace with the trend has left many companies facing major challenges and is significantly increasing the probability of them being exposed to a cyberattack in the future.
Sustainably run companies are often better at training employees on how to deal with cyber risks and at installing state-of-the-art IT infrastructure, and they tend to have a more far-sighted approach to risk management. This is true generally, not just in the current crisis. Companies that adopt this three-pronged approach are relatively well protected against external digital attacks. They are also able to minimise potential reputational damage and the threat of fines for breaching data protection regulations. Such companies are also able to respond to the changing requirements in connection with working from home, thereby denying hackers a new heaven-sent opportunity.
From an investor’s perspective, it also makes sense to factor cyber risks into investment decisions. Some companies and sectors seem to be more at risk from hackers than others, partly due to the volume of digital data that they process. An analysis of the social and governance ratings can help to identify the sectors and companies that are particularly well prepared for digitalisation, data protection and working from home. At the same time, those companies whose relatively poor ratings indicate imminent danger of attacks from the internet can be avoided.