Almost two-thirds of information security professionals believe that cyberwarfare is a threat to their organisation as nation-state-backed cyberattacks become more common and larger in scale – and the concerns are even higher for chief information security officers, with almost three-quarters considering cyberwar a threat to their organisations.
But there’s still a significant proportion who don’t believe that cyberwarfare is a threat to their businesses and over a quarter of companies don’t have any strategy for how to protect themselves from cyberattacks launched using tools developed by nation states.
The attitudes of thousands of information security professionals have been detailed in Bitdefender’s global 10 in 10 Study, which set out what the security industry thinks about the challenges that businesses are facing – and a significant number of professionals believe cyberwarfare represents an imminent threat.
“Dependency on technology is at an all-time high and if someone were to take out the internet connection at home or at the office, no one would be able to get anything done. And with that in mind, that’s why CIOs believe cyberwarfare is a threat to their organisations,” said Liviu Arsene, global cybersecurity researcher at Bitdefender.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
Security professionals polled in the research said the consequences of falling victim to an attack launched as part of a cyberwarfare campaign that worried them ranged from loss of information or loss of reputation, to business interruptions, fines and job losses.
And in the majority of cases, it’s likely that the organisations that fall victim to cyberattacks conduced by nation states might not even be the intended targets at all.
For example, the NotPetya cyberattack shut down networks around the world after doing billions of dollars of damage in an attack that was mostly likely launched by the Russian military intelligence and that spiralled out of control. The intended target was in Ukraine, but the interconnected nature of the web meant that the malware caused damage far beyond what was intended.
“Cyberwarfare is interesting because unlike kinetic weaponry — which is used in traditional warfare — it hasn’t become more precise. It’s actually become harder to put boundaries around and to control,” said Dr Jessica Barker, socio-technical lead at Cygenta and chair of ClubCISO.
“Something that is born of a nation-state attack can then morph and be used in other kinds of attacks. I think that’s a lot of the reason why organisations and professionals now understand that they can be caught up in cyberwarfare in many different layers, for many different reasons,” she added.
But while many organisations understand the potential risks posed by being caught in the crossfire of a cyberwarfare campaign, some executives don’t see it as a problem or don’t have a plan on how to deal with it.
“The reason that a quarter of security professionals don’t really have a strategy to protect against cyberwarfare is likely to do with complacency. They’ve never had to deal with an attack or seen one at wide-scale, so haven’t invested the time in protecting against it,” said Arsene.
“They probably think they’re too small to be targeted or they haven’t had an incident they’ve had to recover from,” he added.
SEE: Cybersecurity: This is how much top hackers are earning from bug bounties
However, incidents like NotPetya, the WannaCry ransomware and others have demonstrated that organisations of all sizes can find themselves the unwitting victim of a nation-stated-developed cyber operation.
In many cases, even nation-state-backed cyberattacks look to take advantage of known vulnerabilities, so ensuring that patches and security updates are applied as soon as possible can go a long way to protecting against attacks.
It’s also recommended that organisations keep a firm grip on the threat landscape, so they’re aware of the potential threats and attacks they could be facing – and are prepared for them if they do become real.
MORE ON CYBERSECURITY