Internet security blog posts are usually more at home on the inside pages of IT trade periodicals than on the front pages of international newspapers. Yet the one written by Microsoft’s Vice-President Tom Burt was a notable exception.
It wasn’t long before the phones of helpdesks worldwide started to ring and IT managers’ social media feeds lit up. The post revealed that a new threat had emerged targeting Microsoft Exchange Server software. This time, hackers had attempted to penetrate much deeper into the computer systems of their intended victims to lurk undetected for long periods of time. The attack may have compromised as many as 20,000 organisations.
Large-scale attacks of this kind are becoming more common and their impact is increasingly visible to investors. They are also more quantifiable.
Longer road to recovery
To illustrate what is at stake here, one 2019 study examined the average revenue growth of companies affected by severe security breaches in the two years after they had occurred. Then it compared those results to industry peers not affected by cybercrime. (The research covered some 432 companies over a six-year period and assessed 460 unique events.)
It found that in the two years after a severe security breach, corporate revenues first declined by about 10 per cent on average and then recovered slowly. After two years, revenues had only managed to recover to the same level they were at when the breach happened. By contrast, the revenues of companies that did not suffer a security breach increased by almost 20 per cent over the same period.
The impact of a major breach is not just reflected in earnings, but also in the share price. Indeed, corporations that have suffered a severe security breach could see their share price drop by 10 per cent or more over six months and remain depressed.
With such potentially enduring consequences, it is no surprise companies are stepping up efforts to protect their data. That task has become so much more difficult over the last year as the pandemic has forced millions to work from home. This has increased the vulnerability of corporate data - especially from phishing attacks directed at employees.
Indeed, these attacks have become so widespread that many analysts are comparing the pandemic with an emerging cyber pandemic of sorts — with us work-from-home humans playing the role of trojans.
A recent report from the CFA Institute Research Foundation reveals the risks corporations face from the growing number of cyber threats emerging from both nation-states and criminal groups.
Author Joachim Klement warns that investors need to assess their potential exposure to such attacks, which are already costing the average bank – with banks being the preferred targets of cybercrime – some $18.4 million a year, based on 2018 data. Model estimates for the global banking system range from $97 billion to $351 billion per year in potential losses — easily capable of triggering a financial crisis of global scale.
While the recent Microsoft attack attracted global attention, it was the eighth time in 12 months that the company had publicly revealed an attack by so-called nation-state groups targeting critical institutions — from health organisations fighting COVID-19, to political campaigns involved in the 2020 elections.
Within this unfolding global narrative, the Gulf states represent another complex and intriguing sub-plot, where geopolitical fault lines converge and where nation-state hackers have already had an impact in a region that is home to more than a third of the world’s oil.
Klement points out in his excellent analysis that after the 2019 drone attacks on Saudi Aramco facilities in Abqaiq, the US response was channelled through a cyberattack on Iranian infrastructure rather than any kind of show of military force.
Worth the spend
Such attacks have encouraged a major push at the state level to bolster cyber defences. Saudi Arabia has launched the largest digital operations centre of its kind equipped with a cybersecurity hub to identify emerging threats.
Other Gulf states are engaged in similar efforts to shore up the weak points in their figurative firewalls. The financial industry must now take a similar approach in investing to protect itself from emerging threats, which, as the latest Microsoft hack highlights, are becoming more and more damaging.
Inevitably there is a cost to this, and many corporations will flinch at the required outlay of capital at a time when there is a desperate need to conserve cash. But in order to prevent business disruption, information loss and revenue loss, this investment is absolutely necessary.
In this, the former US State Department official Richard Clarke may have some prescient insight: “If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”