Cybersecurity: ready to invest?
The recent worldwide cyberattacks have shown that all businesses, from SMEs to large industrial groups, are now concerned by cybersecurity. Securing your assets upstream is a much less expensive process than repairing damage from an attack.
By 2020, 907 billion dollars will be invested annually worldwide by companies in their digital transformation (1). What share of that budget will be allocated to cybersecurity? Are leaders ready to invest? What are the first steps when implementing a cybersecurity strategy? Cybelius will try to answer these questions in this article.
Cyber risks: more numerous, more critical
Examples of industrial hacking are rarer than thefts of banking data, but the consequences are potentially critical and the risks even greater. Industrial companies, often exposed because they are highly interconnected with their subcontractors and equipment manufacturers, have been slow to adopt good cyber hygiene.
Last spring, we had a glimpse of the chain effect during the massive WannaCry and NotPetya attacks. NotPetya, which spread from Ukrainian accounting software, showed that the processes and infrastructures of companies from all sectors, located around the world, could be affected very quickly.
Russian, American and French companies, including the SNCF, Auchan and Saint-Gobain (the latter puts its losses at 220 million euros), bore the costs. In Britain, several hospitals were targeted. The attack forced hospital sites to cancel appointments and to redirect some patients to other services. Automated measuring and warning systems for radiation detectors at the Chernobyl nuclear power plant were also targeted. The attack downed the plant’s monitoring systems, requiring field intervention to control the radioactivity of the site. These examples suggest that there may be an impact on the life or physical safety of people as well as on the environment. What is feared are so-called cyberphysical attacks, with wounded or dead.
Moreover, in 2014, a German steel mill was forced into prolonged inactivity, causing heavy material damage. In 2015, the Prykarpattyaoblenergo power grid in Ukraine was hacked via the BlackEnergy malware, and 250,000 households were deprived of electricity. At the end of December 2016, Industroyer, also known as CrashOverride, hit a Ukrainian power substation, which was out of control for at least an hour. Kiev’s power grids ceased to operate, leading to a power outage in the capital that lasted several hours just before Christmas.
The financial impact is also real. Renault, for example, was forced to shut down some of its production plants. Such interruptions generate heavy losses. Moreover, the consequences of the theft of confidential industrial data are often dramatic for the companies that are victims: loss of manufacturing secrets, counterfeiting, industrial espionage, etc.
Freight ports at a standstill, factories immobilized, and businesses slowed down … Several months after this wave of unprecedented attacks, most infected companies have drawn up a first financial balance sheet, and it is very heavy: the losses of the companies affected amount to more than 1 billion euros (1.073 billion), according to a conservative tally made by Le Monde. Ransomware damage costs are expected to exceed $5 billion in 2017, up sharply from $325 million in 2015. Ransomware attacks against healthcare organizations, the most heavily attacked sector, are expected to quadruple by 2020.
In this risk environment, manufacturers realize that their infrastructures are potential targets and must now allocate the necessary resources to protect their systems.
Large industries have integrated security into their thinking and most have launched awareness programs for all their staff. In addition, new regulations and media coverage of recent cyberattacks are raising awareness among senior management and encouraging companies to invest more in cybersecurity.
Petya achieved what the experts were struggling to do: it put cybersecurity on the board’s agenda and raised awareness. Between website blockages, delivery delays and production shutdowns, the attacks cost between $100 million and $300 million per affected business, figures that speak immediately to top management. Cyberattacks can cost a significant part of a company’s turnover. However, information security expenditures remain insufficient compared to the severity of the threat: in France they are around 4%, against 12% in Korea or Israel.
Regulations push companies to equip
New risks, new practices. Aware of the issues, the French government, a pioneer in terms of regulations and standards, set up a new military planning law that requires some 200 critical infrastructures (OIV, operators of vital importance: private companies and national security structures) to beef up their cybersecurity. This law provides 20 measures covering governance, risk management, IS control, incident management and system protection.
Among its numerous missions, ANSSI (the French National Agency for the Security of Information Systems) works to raise awareness among the actors of the industrial world (end users, integrators, equipment manufacturers and consulting firms) of the reality of cybersecurity and of the vital necessity to address this subject. Pharmaceutical companies, water operators, telecoms and banks will now have to increase their spending to cope with the new cybersecurity regulations.
Moreover, this awareness concerns every type of company. The larger structures are slow to invest because the higher the risk, the more they will have to invest to protect their assets. SMEs, the target of two-thirds of attacks, face a much less elite form of cybercrime, but one that is no less harmful. Being more fragile, they could be forced to close down.
Cyber insurance market expected to grow
Global cyber insurers are emerging as unexpected beneficiaries amid a scramble for cover against future incidents. The recent WannaCry ransomware attack highlighted the risks to businesses around the globe. A typical cyber insurance policy can protect companies against extortion such as ransomware attacks; it may cover the investigation costs and even pay the ransom.
Allianz France has just announced the launch of a cyber risk guarantee offer tailored for SMEs: “Cyber Risque Extension”. In a statement, the insurer explains that this offer covers the consequences of attacks on the company’s computer data. SMEs thus get coverage for most of their needs: the cost of restoring computer data and of notifying their customers, as well as their civil liability. However, we know that this new type of insurance, which today mainly concerns IT, will soon have to extend to industrial systems.
Security has a cost but readiness is priceless!
The cyber expenses
Any director today should ask what level of security the company needs, how to measure the cost-protection ratio and how to maximize the return on investment in cybersecurity.
So far, cybersecurity spending has grown unevenly and remains a minor component of the company’s IT budget (24% worldwide, 29% in France) compared to the growing pace of incidents. It is now a priority for business competitiveness.
Analysts estimate that 5 to 10% of a company’s budget should be spent on cybersecurity. Security certainly has a cost, but it is small compared to the price to pay when one is the victim of a cyberattack. Global cybersecurity spending will exceed $1 trillion in 2021. The rise of cybercrime has pushed information systems security spending to more than $86.4 billion in 2017, according to research firm Gartner.
What is needed is to avoid the costs of a cyberattack while exploiting the benefits of good security. Directors rely on cybersecurity solutions to protect their systems and production lines, as well as their customers’ and partners’ data. By making the right investments, they protect their business, maintain customer trust, and manage security costs and resources wisely.
For executives who are aware of the threats that surround them, one of the most difficult decisions is to determine exactly how much money must be invested to secure their business. The first step is to measure the risks and arbitrate the budget according to the criticality of each risk. CIOs must perform a risk analysis to identify vulnerabilities. From the results of this analysis, managers can assess the risk of an incident or failure on their sensitive networks. The company then deploys the budget and the relevant measures on its systems so that only the acceptable risks remain. On industrial systems specifically, the analyses must take into account cybersecurity, operational safety and all the criteria related to industrial risks in order to be effective, because unlike in office IT, cybersecurity cannot be treated as a separate silo.
The days of demanding 100% cyber security are gone. Business leaders need to expect and anticipate cyber breaches, and plan for how to minimize reputational, financial, and operational impact. Being resilient is the ability to identify and protect, respond and recover from disruptions and changing conditions.
Safety by design
Organizations need to have a comprehensive cybersecurity policy that adopts best practices such as security by design and multilayered defense in depth. It is essential to design new industrial systems taking into account cybersecurity standards (IEC 62443) and best practices. A global approach is necessary because cybercriminals are extremely dynamic and creative, and can bypass any single, static measure that is implemented. Cybercriminals should not be underestimated, especially because they have the time, the money and the initiative.
Attacks on industrial systems are growing, diversifying and can have serious consequences for the production equipment, the production itself, and in some cases for the staff and the public. In this environment of human, financial and material risks, manufacturers understand that their infrastructures are potential targets.
Today, more and more directors say they have increased their cyber spending. However, many companies still consider cybersecurity as a barrier to change or as a cost center. To remain competitive and protect their assets, they must now commit financially to take into account and integrate security solutions from the beginning of their digital transformation.
Before investing, you must first evaluate the costs, and risk analysis is the best way to do so. On one hand, you need a clear view of your company’s security level; on the other, you need to know how to allocate the budget to address the vulnerabilities of your industrial systems.
Cybelius has established a method that enables you to quickly identify both cyber risks and operational safety risks. Based on a simple and rigorous functional analysis, it federates safety and security approaches and enables the quick identification of technical and organisational measures against industrial system vulnerabilities. This pragmatic method is very popular among industrial companies that want to quickly identify the most critical points of their infrastructures. Find more information about APERO on our website.
(1) According to a new PwC study