In the spotlight: cybersecurity

Those who pay up remain vulnerable

Urs Küderli
Partner, Leader Cybersecurity and Privacy, PwC Switzerland

Johannes Dohren
Director Cybersecurity, PwC Switzerland

Cybercrime is one of the main risks facing businesses today, all the more so since the pandemic accelerated digitisation and because of the current geopolitical conflict. Many companies still believe they are immune to this threat, but attackers have honed their methods further in recent months. They target anyone and everyone, regardless of sector or company size. By improving their understanding of the risk, of cybercriminals and their methods, and of the specific contingency measures available, companies can manage their cybersecurity and resilience more effectively.

The facts speak volumes

The economic significance of cybersecurity is clearly reflected in the figures: every single one of Switzerland’s CEOs sees cybersecurity as a threat to their company. In 2020, 20,544 cases of cybercrime were reported, 16,395 of which were internet fraud. On average, one Swiss company suffers a ransomware attack every 11 seconds.

The average losses for a medium-sized company in Switzerland are currently CHF 6 million. Serious attacks involving data theft and encryption can cost between CHF 50 million and CHF 150 million depending on the sector and size. If IT systems fail completely in such an attack, it usually takes between five and seven days for business operations to be resumed on at least a provisional basis. This assumes that a procedure for dealing with such a serious incident has already been put in place. As in every other country, the estimated figure for damage in Switzerland is huge. Cybercrime was predicted to inflict damages totalling USD 6 billion worldwide in 2021, and this amount was expected to increase annually to USD 10.5 billion by 2025.

Until recently, many companies still thought they were not on the radar of attackers because they were too small or had nothing worth stealing. This is a misconception, as is also borne out by the figures. In 2021, around 55,000 Swiss SMEs with between four and 49 employees were affected by a cyberattack, up from 38,000 in 2020. A quarter of the reported attacks resulted in financial losses, while 6% led to reputational damage and 7% involved the loss of customer data.

Varied forms of attack

Today, there is almost no limit to the variety of ways in which attacks can be carried out. As a basic weapon, attackers typically use a malicious program (malware) through which they can perform undesirable and potentially harmful functions. Most commonly, criminals penetrate a company through phishing emails that trick victims into running the malware. Data is usually stolen first. Ransomware can then encrypt systems, preventing the company from accessing or using its data or the entire computer system, and a ransom is demanded. Ransomware has been among the most common forms of attack in recent months, and is extremely effective because of the combined threat of publishing stolen data and destroying systems. Also common are large-scale distributed denial-of-service (DDoS) attacks, which severely slow down or crash platforms and services. Beyond the material damage, these attacks are also often used for extortion.

Old and new vulnerabilities

Cybercriminals only have a chance if they can identify a vulnerability that allows them to penetrate a company. The main gateway is undeniably email, specifically attacks that target humans as the weakest point. Vulnerability to phishing emails has increased with the pandemic and the greater digitisation of businesses brought about by remote work and working from home. New processes, employees working in isolation from one another and the use of new technologies have created new areas of risk. Existing IT structures can also have weaknesses, for example when outdated systems and independently developed applications are not regularly updated and patched.

Experts in their field

The approach of cybercriminals has fundamentally changed over the last two years. Whereas in the past attackers wanted to steal, sell or misappropriate information and data, today they focus on preventing companies from trading, causing major losses through operational failures, or extorting their victims with threats. Cybercriminals work in a very effective, networked and professional way using high levels of automation. For example, they often know precisely how much ransom money can be demanded so that victims are likely to pay rather than close the security loophole: they set the ransom amount just below the expected losses.

Switzerland needs to up its game

Cybersecurity is becoming increasingly important, not just for companies but also for heads of state and government; after all, it’s also about protecting critical infrastructure and a country's reputation as a place to do business. While Switzerland has stepped up its activities in this area, compared with international standards it ranks 42nd out of the 182 nations evaluated. Switzerland’s engagement with cybersecurity is not only worse than that of the top-ranked countries, namely the USA, the UK, Saudi Arabia and Estonia, it also lags behind its neighbours France (9th place), Germany (13th), Italy (20th) and Austria (29th). Efforts are currently being made to tackle cybercrime on a broader scale. The National Cyber Security Centre (NCSC) was established as part of the Federal Council’s attempts to implement its strategy to protect Switzerland from cyber risks.

Please report attacks

Neither the Swiss Data Protection Act (FADP) nor the EU General Data Protection Regulation (GDPR) currently contains a general legal obligation to report cyberattacks. Nevertheless, reporting is already required in certain industries, such as by the Financial Market Supervisory Authority (FINMA) in the world of finance or Medicrime MKA in the medical sector.

Prosecuting cybercrime is difficult in Switzerland, as perpetrators are hard to catch: they are generally located in countries with no clear legislation or ambiguous jurisdiction. For an offence to be prosecuted under Swiss law, damage must be demonstrable, which is not always the case and can be difficult to calculate. The estimated figure for losses could be reduced further through more consistent reporting. However, that is not enough. Even if a reporting obligation is prescribed by law, questions remain. For example, who should or must report, and to whom? What happens with this information? Will it be distributed? Will an early warning and information exchange system be put in place? It is important for reporting to actually result in action. Only then will companies learn from one another and be able to prepare for attacks more effectively.

Act now before it’s too late

Swiss companies simply cannot afford to ignore cybersecurity risk. Many existing crisis plans aim to make systems and data accessible again as quickly as possible, with a focus on restoring availability. However, this is not particularly useful if the whole system is affected. Most companies have some catching up to do, especially with regard to resilience against current attacks.

Companies should never consider paying a ransom, because the vulnerabilities will still remain and the attackers have already infiltrated the infrastructure. Only the cybercriminals themselves know for sure to what extent the confidentiality and integrity of the exfiltrated data have been compromised. The cost of cleaning up the IT environment and improving protection and security must also be paid on top of the ransom. Below are five recommended actions that those responsible for making decisions should take:

1. Classify risks and their consequences for the company

The first step is to define the main business risks. In a manufacturing company for example, this would be an outage at a production plant. In a law firm, it could be stolen client data or mandates becoming inaccessible. In defining the main risks, companies should determine dependencies, risks and failure scenarios and weight them appropriately.

2. Understand attacks and methods

Second, it is important to understand how attackers operate and to identify company-specific vulnerabilities and critical issues, as well as how attackers could potentially exploit them. For example, a DDoS attack on the stock exchange which causes trades to lag by half a second could result in significant losses. Conversely, a well-prepared manufacturing company can cope in the event of a production outage lasting one or two days by repairing a leak, for example, instead of giving in to extortion.

3. Make a crisis plan in case of cyberattack

Companies should prepare a detailed crisis plan covering the whole chain of events, from the initial compromise via a Trojan email and its spread through the IT system to the point where a critical scenario sets in. Along this entire chain, it must be clear who decides which functionalities are prioritised and which technical and organisational measures are necessary. For this purpose, companies should specifically consider ‘What if…?’ scenarios.

4. Be protected and anticipate threats

When used together, protection and prevention form the basis for security and for the ability to detect attacks and respond accordingly. Resilience is primarily built by knowing how to react in an emergency. This includes keeping IT systems, cybersecurity procedures and staff up to date and conducting regular practice exercises.

5. Targeted communication

Communication is important in all areas, from employee awareness to what to do before, during and after a crisis. This step should also determine who information should be shared with in the event of an attack, as well as how and when.

Conclusion

The frequency and number of cyberattacks have skyrocketed, regardless of industry or company size. Today, attacks are carried out professionally and with a high level of automation. A small company will generally be confronted with the same attackers and methods of attack as a major corporation. Swiss companies are not doing enough to keep abreast of developments in cybercrime. Many still don't see themselves as potential targets or haven’t understood the possible extent of the damage. Victims of extortion are often willing to pay ransom money, because if they are not prepared, repairing the damage would be many times more expensive and take far too long.

Paying up should not be considered an option. This leaves a company vulnerable to further attacks, and supports criminal organisations which may be willing to use terrorism. The answer is to be prepared. Managers must therefore use scenarios to determine the business risks posed by cyberattacks as well as gaps in their IT systems, and develop customised plans to counter these risks. This process can take time, and should therefore start as soon as possible. It’s only a matter of time before lawsuits are filed for neglect of supervisory responsibilities – or until the next attack.

Contact us

Urs Küderli

Partner and Leader Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 42 21

Johannes Dohren

Partner, Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 22 20