Author: Johnty Mongan
The more connected our technology infrastructures become, the harder it will be to mitigate systemic cyber risks. We only have to look at the 2008 financial crisis or the COVID-19 pandemic to understand how quickly the landscape can change when so many elements of society are intertwined.
Translate this type of risk into today’s cyber world, and the ease with which catastrophes can cascade is truly alarming. Just one system failure or cyber-attack could be all it takes to wreak havoc on multiple entities in seconds — including your business. As organisations consolidate their IT infrastructure for convenience, their vulnerability to systemic attacks increases exponentially.
The genesis of systemic risk
My personal interest in systemic risk was piqued when a former colleague of mine left their cybersecurity business to venture into bug bounty programmes (where websites, software developers, and organisations offer financial rewards to individuals who find and report bugs, especially those relating to cybersecurity). This highlighted the lucrative nature of identifying vulnerabilities in technology platforms, with companies like Microsoft offering up to USD250,000 for a single exploit solution1. This revelation spurred a critical question: if a researcher could earn such rewards, how much more could a malicious actor gain by exploiting the same vulnerabilities?
The growing threat landscape
Today, most organisations are consolidating their IT providers for the sake of simplicity. However, this brings a significant risk: the more ubiquitous technology becomes, the more attractive it is to cybercriminals. A single vulnerability in a widely used platform like Microsoft, Google, or Amazon Web Services (AWS) can potentially impact millions of users. The odds are increasingly in favour of cybercriminals, who only need to find one exploitable flaw to wreak havoc on a massive scale.
Understanding CVEs and their impact
Common vulnerabilities and exposures (CVEs) are identifiers for specific security flaws in software. Each CVE is scored based on its severity and the likelihood of exploitation. With approximately 80 new CVEs discovered daily2, the challenge for organisations is immense. Traditional vulnerability scanning once a month is no longer sufficient; continuous monitoring is now essential to stay ahead of potential threats.
Systemic cyber risk in action
Major software company, SolarWinds, experienced a breach that demonstrates a prime example of a systemic cyber incident. An update to SolarWinds' software contained malicious code and allowed unauthorised remote access to numerous organisations and government agencies. Despite the availability of patches, organisations that failed to respond promptly faced significant disruptions3. Another historical example of a systemic cyber-attack is the WannaCry ransomware attack that affected thousands of businesses globally, including 40 UK hospitals4. This led to delayed treatments and surgeries, cancelled appointments, and a huge wake-up call for directors to the dangers of IT vulnerabilities.
Gallagher’s Cyber Defence Centre and the importance of speed
The difference between organisations that successfully mitigate systemic risk and those that suffer from it often boils down to speed. Rapid identification and remediation of vulnerabilities are crucial. To combat systemic risk, Gallagher has developed the Cyber Defence Centre, with automated tools and continuous monitoring capabilities designed to ensure that organisations can address vulnerabilities as soon as they are discovered.
By continually scanning for vulnerabilities, Gallagher’s Cyber Defence Centre can provide real-time updates and fixes, enabling organisations to respond swiftly to cyber incidents. We can help ensure that your organisation is not only aware of potential threats but is also equipped to address them swiftly and effectively.
How Gallagher can help
Gallagher’s Cyber Defence Centre is an ongoing package of support and is available here to explore as a one-month free trial*. We can also conduct an open-source intelligence search to double-check what is currently known about your organisation’s network and potential vulnerabilities. Please contact us for details.