Jeremy Jurgens, managing director of the WEF and head of its Centre for Cybersecurity, explains how the world can tackle cybercrime during and post-pandemic.
Cybercrime is one of the greatest threats to businesses and individuals, with cybersecurity increasingly at risk since the start of the Covid-19 pandemic.
Jim Banks speaks to Jeremy Jurgens, managing director of the World Economic Forum and head of its Centre for Cybersecurity, to find out how the world can respond.
With the rise of Industry 4.0 and the Fourth Industrial Revolution, as well as the unprecedented technological change that comes with it, global business has colossal opportunities in its hands.
AI is allowing labour-intensive tasks to be performed with unprecedented speed and efficiency, and the connectivity that enables the Internet of Things (IoT) has allowed data gathering on customers and provides previously unimaginable levels of insight into their behaviour.
Yet, as the world becomes increasingly reliant on digital technologies, the threats it faces are becoming virtual as well as physical. In other words, crime is moving online. According to data from the World Economic Forum (WEF), attacks on IoT devices rose by 300% in 2019.
Europol, the European Union’s law enforcement agency, has warned businesses to be alert to the rise in cyberattacks during 2020, and the US Federal Bureau of Investigation (FBI) reported that during 2019, online confidence fraud cost US citizens more than $475m in losses.
In late 2020, the WEF’s Future Series: Cybercrime 2025, a joint programme of work with the University of Oxford, found that unless drastic action is taken now, by 2025 next-generation technology could potentially overwhelm the defences of the global security community.
“We started working on cybersecurity in 2012, before the concept of Industry 4.0 had emerged,” explains Jeremy Jurgens, managing director of the WEF, who also oversees its Centre for Cybersecurity. “Back then, the risk was poorly understood by most actors in business and government.”
“Now,” continues Jurgens, “the risk is moving faster than policy frameworks can, so we wanted to address the systemic nature of the risk through an impartial global platform, which the WEF is well-placed to provide. Most initiatives are national or industry-focused, but we can bridge the gap between cybersecurity experts and policymakers.”
The pandemic piles on the pressure
It is no longer possible to rely on the fragmented approach to cybersecurity that has emerged over recent years, in which companies and states organise their own response to digital threats. With so much at stake in a world where our work, our wealth and our identity increasingly exist online, a much more proactive strategy is needed to keep up with cybercriminals. That’s especially true over the last year, with the spread of Covid-19.
A problem, of course, is that working from home is often less secure than when you’re safely behind the firewall at an office. Without the security of enterprise networks or virtual private networks (VPNs), people at home are more at risk from criminal individuals and institutions. According to the FBI, for instance, the onset of the pandemic brought a 300% increase in reported cybercrime.
Leading cyber risk consultancy Kroll observed that in the first nine months of 2020, ransomware was the most commonly reported attack, accounting for more than one-third of all its incident response cases.
Moreover, these attacks, according to Deloitte’s Cyber Intelligence Centre, are frequently using Covid-19 as the bait to lure corporate employees and private customers into handing over sensitive data or downloading malicious software.
“From the conversations I have had in the past year, my impression is that people are less focused on cybersecurity now than they were previously, as they are too focused on the pandemic,” Jurgens explains. “Cybercriminals have taken advantage of that.”
This vulnerability is placing a growing burden on companies, governments and individuals. Whether it’s concern over the pandemic, vaccination programmes or any other issues on the minds of businesses and their employees, malicious actors will take advantage of the potential opportunity.
“The awareness of risk always lags behind,” observes Jurgens. “Similarly, policy always lags behind what the technology experts can do. This is true in many areas of technological and scientific progress, and cybersecurity is one of them. Technology is moving faster than businesses and policymakers can adapt. At the WEF, we are doing our best to address that.”
The WEF’s analysis of the industry shows that collective global spending on cybersecurity has now reached $145bn a year, and is predicted to exceed $1trn in the period 2017–21. Furthermore, the WEF projects growth in collective global cybersecurity spending by 2030 is set to be $433bn per annum.
Dollars alone, however, will not solve the cybersecurity problem. What matters most is how that money is spent. To deliver effective results, those dollars must be invested in people and processes – as well as technology.
A call for cooperation
The WEF cannot advise on technology investments. That is not its mandate nor its field of expertise. What it can do, though, is bring together the right decision makers and technical experts to ensure that the billions spent on cybersecurity are directed at the real threats and yield the proper safeguards.
“Complexity is increasing, interdependency is increasing, policy is increasingly fragmented and there is a large cyber skills gap,” Jurgens says. “Within a company, the chief information officer (CIO) or chief data security officer (CDSO) might not even have access to the boardroom,” he adds.
“We can bring people together, which is very important. We can connect cybersecurity experts with decision-makers and business executives to discuss their shared challenges.”
One key strand of its work is the partnership against cybercrime, which aims to drive momentum for a public-private partnership to combat cybercrime. To that end, it has created a dedicated community of leading law enforcement agencies, international organisations, cybersecurity companies, service and platform providers, global corporations, and leading not-for-profit alliances.
Among them are the likes of Amazon, Cisco, Credit Suisse and Dell – as well as government organisations, including the European Commission, the FBI and Interpol.
The aim of the partnership is to support the establishment of a global network of hubs for operational public-private cooperation, the idea being that it’d serve as the platform for interactions and the sharing of insight on a global and strategic level. One of its goals for 2021, for example, is the development of a shared threat-mapping process to help identify new opportunities for cooperation.
“It is always about people in every domain,” Jurgens argues. “Building awareness is very important and cybersecurity must be recognised as a leadership issue. The WEF provides a playbook for cybersecurity and it focuses, in part, on education for employees on phishing attacks.”
One individual falling for a phishing attack could, for instance, reveal log-in details that would allow cybercriminals to use their identity to get behind the enterprise firewall. One click on a seemingly innocuous link in an email containing malware could install malicious code on enterprise systems, potentially stealing or encrypting sensitive data.
“In our efforts, we are finding that countries and institutions recognise the need to work together,” says Jurgens. “We are working with all major countries to create a space where they can talk about the areas on which they can cooperate. When it comes to cybersecurity, it benefits all parties, whether states or businesses, to collaborate.”
Jurgens accepts that cybercrime is not a problem that can ever be totally resolved. He recognises that it is an ongoing battle that requires constant vigilance, cooperation and foresight.
“It will be a challenge for a very long time,” Jurgens emphasises. “We can always make it harder for criminals. We can implement things to make it more expensive and less attractive. We can encourage better cybersecurity hygiene, we can focus on better pursuit of criminals for their actions, and we can make cybercrime less profitable. It is not about winning the war once and for all, but we can protect businesses, institutions and countries against the worst downsides.”