Corporates should expect more cyberattacks from nation states leveraging AI technology to craft smarter scams, automate attacks, and find security gaps. Bad actors from North Korea, Russia and China are already familiar foes. But the democratisation of new, easy-to-use technology like GenAI means more nation states will deploy cyberattacks as well as criminal enterprises that seek to profit from cybercrime.
“Between 25-40 nation states currently leverage cyber as part of their national security operation. We expect to see this triple or quadruple, making cybercrime more complex and more sophisticated,” warns Sean Joyce, PwC’s Global & US Leader on Cybersecurity, Privacy and Regulatory Risk, in conversation with Treasury Today.
The latest GenAI tools have a very low barrier for entry, Joyce continues. It means “everyone” can access the technology so that alongside nation states, criminal enterprises that seek to profit from cybercrime are also able to ratchet up attacks.
“These tools are available for everyone, and very ineffective guardrails exist right now,” he says, noting that “naming and shaming” doesn’t put the criminals off. One of the only ways they are held accountable is if they travel outside their country – which they rarely do. “The consequences haven’t been at a level that has changed behaviour,” he says.
Joyce estimates that between 40-60% of corporates pay ransomware because they can’t sustain the financial loss from the business interruption: they are not able to recover quickly enough and get back to normal operations.
Worryingly, even when companies do pay up, they don’t always achieve a full recovery. “When they get the keys to their data back, the data doesn’t necessarily unlock cleanly because it has been corrupted. It’s not as simple as people think,” he says.
The speed of a company’s ability to recover is directly linked to knowledge around key services within the organisation. Or, to put another way, how the company makes money. “It is about understanding what those critical dependencies are, and having the ability to trace them back to the software and hardware that support these key services so you can recover quickly,” he says
Corporate boards play a central role in navigating cyber risk. A good board should be across the risk exposure and the company’s risk appetite. “If a breach happens, what is the recovery time and how does the board think about that? Has the board observed a cyber security exercise, and what is the culture around cyber risk? Who owns it?” he asks.
Executive managers are key stakeholders and should lean in as part of the solution and initiate training, he continues. Yet all too often, his conversation with boards begins with requests to know how they compare to industry peers. “This is not the best question because every company is unique,” he says.
In another worrying trend, Joyce says the treasury function is not always involved in cyber risk as a primary stakeholder. “Too many times the finance function is not considered as a major stakeholder and is not as involved in some of the training that should be happening.”
This could include omitting looking at the social media presence of key members in the finance team (a rich hunting ground for bad actors) or gaps in training following staff rotation, for example.
Companies are successfully using AI to combat risk. But hands on people skills – and key people in the right function like confirming disbursement of funds and being suspicious of deep fakes – are also crucial.
Joyce also urges more collaboration. No company operates in a vacuum. Large banks might be able to withstand a breach, but a SME is still part of the ecosystem and represents the weakest link. It is visible in supply chain attacks at smaller companies that are crucial links in the software supply chain, for example.
Organisations like the UK’s Cyber Security Centre support collaboration in the private sector, and between the public and private sector. But in other jurisdictions companies are reluctant to share threat intelligence because of legal issues.
“Collaboration is nowhere close to where we need to be,” he says. “We have no international norms or regulations established that we can leverage. We are still operating in a 20th Century mindset when it comes to understanding cyber risk yet in the 21st Century, digital information moves at machine speed and the threat changes very quickly.”
