Experts say that there are currently two types of companies: those that have already suffered a cyber-attack, and those that will suffer one soon. The impact will depend on their ability to prevent and respond.
Do you have a company? Congratulations on the daily effort it takes to run it. Now, let's play a game. Imagine for a moment what a bad day would be like. I don't mean a tough day. Let's think about a really tough one: an important customer cancels a contract, a key employee announces he's leaving for a competitor, or a machine failure stops production for hours. Tough, right? Now, multiply that bad day by 100 and try to imagine the following: your company is the victim of a massive cyber-attack. Systems are paralysed, the supply chain comes to a halt, your customers' confidential data is compromised, the media starts publishing negative headlines about your company and your consumers lose confidence in your ability to protect their information and report their discomfort on social media. In addition, if your company is listed, be prepared to watch, in slow motion, as the stock plummets down the mountain. To make up the perfect storm, your legal department presents you with a preliminary report and informs you that they face millions in penalties if it is confirmed that they did not have the necessary data protection measures in place. And everything points to this being the case. On a scale of one to ten, how worried are you about that scenario? I hope very much.
This is the kind of disaster a cyber-attack can unleash, one that affects the entire structure of your company and demonstrates the devastating power of this silent enemy. It is not science fiction. It is an all too real scenario. Until a few years ago, the traditional risks faced by businesses rarely affected all of their core economic, reputational and human assets simultaneously. Now, a single digital security incident can expose their weaknesses in a comprehensive and ripple effect that impacts multiple critical areas simultaneously.
Experts say that there are currently two types of companies: those that have already suffered a cyber-attack, and those that will suffer one soon. The impact will depend on their ability to prevent and respond. In a hyper-connected world where one in five crimes is now committed online, one of the most insidious risks is the lack of cyber security.
The scale of damage caused by a cyber-attack can be devastating. A company's cyber security is only as strong as its weakest link, and often that link is the employee. In 2023, the cost of cybercrime worldwide accounted for nearly 1.5 % of global Gross Domestic Product, surpassing even arms trafficking, human trafficking and drug trafficking. And it has only just begun. Experts predict that by 2025 cybercrime will cost $10.5 billion annually. But what do the bad guys look like? Cybercriminals are becoming increasingly sophisticated. They often operate in organised groups that function like criminal enterprises, with clearly defined roles and structures.
In addition, they use advanced tools and social engineering techniques to exploit human and technological weaknesses, and use AI to refine their attacks, taking them to unprecedented levels of complexity and effectiveness. One of the most disturbing uses of AI is in the creation of deepfakes y deep voicetechniques that allow extremely realistic video and audio spoofing. These can be used to impersonate trusted individuals within an organisation, such as executives, by tricking employees into performing harmful actions, such as bank transfers or disclosing confidential information.
In addition, cybercriminals have been pushing their own boundaries for years. Healthcare facilities used to be a red line that many criminal organisations were reluctant to cross. In the last year, however, attacks on hospitals have risen sharply.
Despite advanced security technologies, the human factor remains the most common gateway for cyber attacks. Cybercriminals exploit the lack of training and naivety of some employees through social engineering tactics such as phishing. These attacks involve tricking employees into revealing confidential information or clicking on malicious links, thus opening the doors of corporate systems to attackers.
One of the most popular cyber-attacks faced by companies is Ransomware. This type of malicious software encrypts and hijacks all company data and demands a ransom to release it, usually in cryptocurrencies. Many companies end up paying, but the vast majority never recover the information. That's the devil's bargain. Another classic is the denial-of-service attack, which overloads the company's servers with massive traffic, causing service interruptions and consequent economic and reputational damage.
But let's move on to something that has made many CEOs start to value the role of their Chief Information Security Officers and include cyber security in their crisis communication management plans. In addition to reputational damage, companies also face severe financial penalties for failing to protect their customers' data. The EU's General Data Protection Regulation imposes fines of up to €20 million. You'd lose sleep over that too, wouldn't you?
That is why cyber security should be a strategic priority for all companies, regardless of their size. They should also include cyber risks among the most challenging scenarios in their crisis communication management and invest in advanced security technologies, train their employees on best practices and keep up to date with the latest threats. Cyber-attacks represent the biggest threat to a company's operations and reputation. Ignoring this silent enemy is a recipe for disaster. It is time to realise that digital security is not just a technical necessity, but a business responsibility critical to your success and survival.
Luis Barreda Gago is the director of Proa Comunicación and an expert in cybersecurity from the UNED.