According to Vito Corleone, “A lawyer with his briefcase can steal more than a hundred men with guns.” That was 1972. One can only wonder what he would make of today’s cyber thieves.
The recent Lloyd’s 2013 Risk Index makes it likely that Don Corleone would be right in the middle of the action. To quote the introduction to this third biennial edition, “The findings are based on a global survey of 588 C-suite and board level executives conducted by Ipsos MORI for Lloyd’s during April and May 2013.” The report summarizes priority and preparedness within each respondent company for a number of business risks.
Strikingly, cyber risk has risen from #20 in the original 2009 risk index, to #12 in the 2011 report, to #3 in the current report. If this were the Billboard Hot 100, cyber risk would have a bullet. The only corporate risks given higher priority than cyber risk are high taxation and loss of customers. Respondents view cyber risk as more pressing than inflation, cost of credit, excessive regulation, and far more pressing than risks such as fraud, protectionism, or strikes.
The Lloyds study appeared in the same week that The Economist cover story was “The Curious Case of the Fall in Crime”. As an example, The Economist reported that during 2012 there were only 69 armed robberies of banks, building societies and post offices in all England and Wales. That amounts to one armed robbery every 5 days, over a population of 56 million.
From this evidence it seems there are fewer criminals, and those that remain have gone online. Rob a bank? That’s so last millennium. Maybe the dearth of traditional criminals is another victim of aging Baby Boomers. Or is it a predictable outcome of a generation raised on technology? Regardless, the new criminal is savvy: Why risk injury or death when you can steal millions from your balcony overlooking the Neva River?
Infrastructure? We Got This
Oddly, in the Lloyd’s survey, critical infrastructure failure comes in at #22 on the executives’ priority list, essentially unchanged from 2011. Yes, #22 – behind failed investment, reputational risk, and internal oversight failure. Even worse, the C-suiters rate their preparedness for infrastructure failure much higher than they rate its priority. In other words, “It’s no big deal; we got this covered.”
Cyber security for utility infrastructure remains weak. As this blog has often repeated, control systems security has yet to solve some key problems. Yet in a 2010 presentation, Scott Borg, CEO of the U.S. Cyber Consequences Unit, pointed out that 72% of the U.S. gross domestic product (GDP) is directly dependent upon electric power. Surely three-fourths of the GDP should rate higher than #22 on our hit list?
I could be an optimist here and be thrilled to see cyber risk at #3 priority. Or I could be a pessimist and despair to see critical infrastructure failure at #22. But instead I’ll take Door Number Three: realist. Cyber security is a critical element of critical infrastructure protection, so raising the profile of cyber risk is likely raise the profile of infrastructure cyber security over the long run as well.
One huge question remains: How long is too long?