Despite the number of malicious cyberattacks growing rapidly in recent years, fear of large-scale cyber warfare may be largely overblown.
Ransomware attacks alone doubled year over year in 2017 at an estimated cost of more than $5 billion, with the total number of cyber incidents growing to 159,700, according to recent data from the Online Trust Alliance. The OTA even estimates that the real number of incidents could be more than 30x the value of reported figures.
However, despite the threat of hackers taking down power grids or meddling with political elections being very real, the industry is increasingly well-equipped to deal with it, according to cybersecurity professionals at Infosecurity Europe, an annual conference for the information security industry in London.
Speaking June 7 on a panel, Paul Midian, chief information security officer at consumer electronics retailer Dixons Carphone PLC, which itself was the subject of a serious data breach in 2015, said that the growing number of attacks is linked to the proliferation of connected devices as the internet of things takes hold.
"[Threats] have escalated in the time I have been in the business purely because there are more devices connected to the internet," Midian told delegates.
At the same time, cyber defenses and the ability to understand and analyze threats have improved, despite the frequent and overwhelmingly negative reports in the mainstream media.
"There's always this myth that the attackers are [getting away with it]. It's not quite true," Midian said.
Among last year's most prolific attacks was the WannaCry epidemic, which impacted an estimated 300,000 computers across 150 countries, crippling government services such as transportation and healthcare.
In spite of this, there is no reason to panic.
Although cyberattacks have become more "confrontational" and "downright traumatic," the number of bad actors is still quite limited, according to Ben Russell, head of cyber threat response at the U.K.'s National Crime Agency.
"Our assessment of the threat is still that a relatively small number of criminals and groups are behind a large percentage of attacks … [they have a] disproportionate impact," Russell told the audience.
Besides, even as cyber threats have transitioned from cases of traditional hacking, including fraud, extortion and identity theft, to more sophisticated government and state-sponsored espionage over the years, national tools used to counter malicious activity have also evolved and become more sophisticated, said Scott Smith, assistant director at the Federal Bureau of Investigation's cyber division.
Nevertheless, the vast majority of utility executives, for instance, believe that disruptions to the power supply from hackers are a serious concern. A 2017 report by Accenture PLC found that approximately 63% of utility bosses view this as at least a "moderate risk" in the next five years, with that figure rising to 76% for executives in North America.
Meanwhile, 62% of IT decisionmakers in the U.K.'s National Health Service fear that compromised medical devices or networks could result in patients being harmed, according to a survey carried out by VMware Inc. and Intel Corp.
The growing levels of concern can in part be explained by confusion in the public discourse, very often exacerbated by media reports that don't always explicitly distinguish between financially motivated cybercrime and some of the political, nation-state activity, according to Victoria Baines, principal at Cartimandua Insight.
For instance, the cyberattacks on former Soviet satellites Estonia – one of the first countries to ever come under digital attack – and Georgia between 2007 and 2008 are widely speculated to have been carried out by Russia, but could only be traced back to a group of hackers.
Moreover, Baines pointed out that the global WannaCry attack was initially not designed to be the massive Distributed Denial of Service, or DDoS, attack that it later became known as.
"It was built as ransomware. It fits into that financially motivated bucket, but all of a sudden, it appears to be nation state-related. We are getting more confused," she said.
Together, the cybersecurity industry needs to work harder to "demystify" the threat, Baines concluded, adding that "we need to calm everyone down a bit."
