While several cyber-attacks have spread across the world in a matter of minutes, there has yet to be a coordinated attack that causes catastrophic-level losses. What if there was one?
Malware poses a systemic threat to all companies that rely on connected devices for management and revenue. An infected email, once opened and forwarded to all contacts, could within 24 hours encrypt all data on nearly 30 million devices worldwide. Companies of all sizes and in all sectors would be forced to pay a ransom to decrypt their data or to replace their infected devices.
That’s a large-scale cyber-attack scenario that could cost $85 billion to $193 billion and affect more than 600,000 businesses worldwide, hitting retail (delivery delays leading to a shortage of products in stock) as well as healthcare (‘historically vulnerable to high levels of malware infection’) and manufacturing (because the malware encrypts factory equipment, which halts production). So says a new publication from the Cyber Risk Management (CyRiM) project, a Singapore-based public-private initiative. The 79-page report by the Cambridge Centre for Risk Studies, ‘Bashe attack: Global infection by contagious malware’, is downloadable from the Lloyd’s website. Lloyd’s is one of the founding members of the project.
It’s a fictionalised, hypothetical account of a catastrophic global cyber-attack through malware infection. The authors say it presents an unlikely, and extreme, yet plausible scenario that culminates in catastrophic economic and insurance losses with lasting consequences. As an example of the contagion, ports might be forced to suspend cargo loading and unloading, due to an outage in IT and inventory management systems, until machines were operational and the cargo in ports re-logged.
While Europe has the highest number of infected companies, the United States would have the greatest financial loss, then Europe, then Asia. Estimated global insurance industry loss would be $10.16bn to $27.27bn. The report concludes that the expansion of the cyber insurance market is ‘necessary and inevitable’.
For other threat reports from the Centre visit https://www.jbs.cam.ac.uk/faculty-research/centres/risk/publications/. Its recent Global Risk Index 2019 compiled the impacts of 22 types of threats into a single, annual measurement of economic loss; and found a uniform rise in risk across 279 world cities. The first class of threats were natural catastrophes; then economic, then geopolitical and security.
The Centre is holding its tenth Anniversary Risk Summit on June 20 and 21, in Cambridge at its Judge Business School home.
Ian Smith, CEO Gospel Technology, says: “The Bashe Report excellently outlines the threat of ransomware attacks, especially in terms of the financial consequences. With the risk of attack ever increasing and with the stakes this high, businesses need to consider how prepared they are for cyber-attacks on this scale.”
Most businesses rely on a traditional approach to data security, centralised trust, managed through security policies that secure data by restricting access, he says. “However, the fact that cyber-attacks are rarely out of the headlines suggests that this approach is not achieving what it is meant to, whilst also negatively impacting business transparency. To adequately protect business-critical data from the threat of ransomware, without stifling business agility, we need to take a fresh look at the way trust works in our business processes.
“An approach that takes the burden of trust away from human beings, such as distributed ledger, offers an elegant solution, where trust can be built into every transaction and access can be verified at every point. Unlike an open permission-based system policed by error-prone humans, in a distributed ledger environment, ransomware would have no effect, as all connected participants are assumed to be untrusted unless otherwise given consent. This approach allows for better data security and improves business transparency and agility through putting trust back into data.”