A lot has happened in the 12 months since the World Economic Forum’s (WEF) previous “Global Risks Report.” Russia invaded Ukraine. The consequential impact on the supply of food and energy has led to a cost-of-living crisis being experienced by many. Extreme weather events have become a reality for more and more people. This rapid change is the backdrop to the report.
The 2023 report highlights that there is no single dominating crisis that the world is facing and there are, and will continue to be, constant crises that organizations, governments, and countries must navigate. Attacks on critical national infrastructure (CNI), widespread cybercrime, and cyber insecurity are highlighted as major risks throughout the next 10 years in the WEF’s “Global Risks Report 2023,” published on Jan. 11.
In terms of current crises identified in the WEF report — those emerging or present today — cyberattacks on critical infrastructure is the only technological risk appearing on the chart. CNI attacks are much sought after by malicious threats, as they can result in high-profile trust failures, potential pay dirt for ransomware, and could even lead to civil unrest.
The report comments: “Alongside a rise in cybercrime, attempts to disrupt critical technology-enabled resources and services will become more common, with attacks anticipated against agriculture and water, financial systems, public security, transport, energy and domestic, space-based and undersea communication infrastructure.”
Examples of such attacks today include the UK’s Royal Mail, currently dealing with a “cyber incident” that has resulted in the organization asking people to stop sending mail and parcels abroad. The outage of the NOTAM (Notice to Air Missions) system that grounded flights in the US on Jan. 11 is being investigated as a potential “nefarious cyber incident,” although this is just one aspect of an investigation into the outage ordered by President Biden. Attacks on healthcare institutions, water supplies, fuel pipelines, and more all serve to remind what the “C” in CNI is there for — if something is defined as critical, it needs strong cybersecurity protection and resilience to keep people and societies safe and operational, as it will always be a target for cyberattack.
There is much to read in the 98-page WEF report. Although there are seven risks appearing in both the two- and 10-year outlooks ahead of widespread cybercrime and cyber insecurity, this is the leading technological risk, at No. 8 in both these outlooks.
There is actually little reference to cybercrime specifically in the report beyond the definition of “widespread cybercrime and cyber insecurity,” which is described as “Increasingly sophisticated cyberespionage or cybercrimes. Includes, but is not limited to: loss of privacy, data fraud or theft, and cyber espionage.”
Cybercrime is an everyday reality today. As just one example, ransomware continues to be a scourge on society and organizations, but the potential opportunities and yields are so great that it is here to stay. Phishing, crashing websites, and identity theft are just some further examples of cybercrime that are set to continue. Omdia’s security breaches tracker has consistently shown that data exposure is the leading outcome of security breaches, accounting for around two-thirds of breaches in the first half of 2022.
This approximate two-thirds number has been consistent since 2019. The tracker also analyses the share of breaches by industry or vertical and healthcare was the biggest sector to be affected by security breaches in the first half of 2022, followed by the government sector. The healthcare and governmental sectors have interchanged “top spot” over the same three-year period as for data exposure. It’s fair to say that data is poorly protected today and that government and healthcare are huge targets for data because of the sort of information they hold.
Cyber insecurity is useful terminology when we know that many organizations do not have adequate cybersecurity capabilities. Omdia’s “IT Enterprise Insights 2022-23” found that 27% of organizations describe themselves as “well advanced” in managing security, identity, and privacy, and a further 34% as “advanced,” this does leave 39% of organizations with a substantially inadequate approach.