We are living in the middle of a digital revolution that is far from finished. By the end of this decade, there will be tens of billions of devices connected to the Internet. An increasing share of global GDP is being produced online, but even companies in the most traditional of industries that have existed for thousands of years (like, say, gold mining) are using computer networks extensively and digital industrial control systems to run their businesses. It is impossible to operate a successful global company today without using digital technologies.
This means that virtually all large companies in the world, no matter what industry, have at least one thing in common: they all face the risk of a damaging cyberattack. It is important to understand that our digital infrastructure is inherently vulnerable. Even today, security is not always a top priority for software developers, and with the number of connected devices forever on the up, the risks are only multiplying. Some industries are more concerned about cybersecurity than others. The better prepared companies typically come from sectors that have traditionally been victims of very damaging cyberattacks, like oil and gas. But in the last few years we have seen so many high-profile data breaches that it is absolutely clear that cybersecurity must be a board-level priority for any company serious about the sustainability of its business. Even the entertainment industry can become a target, as we saw from the attack on Sony Pictures.
In the past two decades, cybercrime has evolved dramatically and has become a truly global menace. We estimate that tens of thousands of hackers are involved in this criminal business, and the damage they are causing to the global economy is in the range of hundreds of billions of dollars every year. Modern gangs are well-structured and organised, and they are learning fast, including from the most advanced government-grade cyberattacks.
In the past, there was a clear distinction between cybercrime gangs and traditional organized criminal groups involved in drug trafficking, racketeering, smuggling and prostitution. That difference does not exist anymore: cybercrime has become more and more organized and is merging with traditional 'mafia'. An example: this year, my company participated in a large-scale investigation jointly with several police forces and INTERPOL, which exposed a crime ring called Carbanak that staged advanced cyberattacks on banks and stole up to a billion US dollars from dozens of financial institutions. The gang was highly professional and it employed high-level software engineers.
The issue of corporate cyber-espionage is also an extremely serious problem for many businesses around the world. The tools such groups are using are getting gradually more and more sophisticated and stealthy, and the damage they are causing is also on the rise.
Any large organization that would want to build serious cyber defences should understand that it needs to have a comprehensive solution, one that includes education, training, and security policy auditing to identify possible weak spots. And it cannot be limited to out-of-the-box software: a company should keep in mind that there are many different potential attack scenarios, and I would recommend being somewhat paranoid and trying to envisage every single one of them to be prepared for the worst. It is important to build several layers of security. An example: access to the most crucial data (or processes) should be both limited and monitored.
The problem is that strong cyber defences can become a hindrance to seamless business operations. Security checks, strong passwords and double authentication are obviously not making lives easier. But we have to accept at least some compromises, just like we have become used to security checks at airports. Otherwise, computer networks are likely to be relatively easy to hack, and the cost of just one breach can be enormous.
It is important to remember that there is no such thing as 100% cybersecurity; however, it is possible to design and build defences to make a cyberattack prohibitively costly to stage. Security is an ongoing process, an arms race between defensive and offensive cyber-technologies; and forever improving it is the only way to stay maximally protected from cyberattacks.
Eugene Kaspersky is Chairman and CEO of Kaspersky Lab.