Leveraging digital FDI for capacity and competitiveness: How to be smart
Matthew Stephenson, Lorraine Eden, Michael Kende, Fukunari Kimura, Karl P. Sauvant, Niraja Srinivasan, Lucia Tajoli, James Zhan Policy Brief
COVID-19 has created new challenges for many sectors as they transform and adapt to an operating model in which “working from anywhere” has become the “new normal”. This policy brief aims to recommend policy changes by political leaders to be proactive in the current climate of increased cybersecurity risks to due to this “new normal” and the exponential growth of the IOT.
The proposed approach is to establish a formal cybersecurity policy that is people-centric and enabled by technology. The recommendations are to foster a risk-based methodology and establish processes to minimize cybersecurity risks and data privacy issues among people and critical infrastructure assets.
According to the Gartner Forecast on the Information Security and Risk Management Spending Worldwide Report, annual spending on cybersecurity by organizations is forecast to grow by 12.4% from 2020, reaching US$150.4 Billion in 2021 [1].
However, the estimated costs of the impact of cybercrime increased from US$3 Trillion in 2015 to US$6 Trillion in 2021, with a projected estimated increase to US$11 Trillion by 2025. These estimates are found in Cybersecurity Ventures publication [2], “Cyberwarfare in the C-Suite 2021 Report,” but are not limited to them. The figure below shows the detailed costs of cybercrime according to security expert Cyfirma.
COVID-19 and the exponential growth of sensor networks have catalyzed a digital revolution worldwide. Smartphones, tablets, and other handheld devices have now become the keys to the city, putting instant information about transit, traffic, health services, safety alerts, and community news into millions of hands.
However, in doing so, governments and organizations that monitor these infrastructures have more grounds to cover. Public, private and open sectors are all involved; unfortunately, there is no defined framework to address the risks and subsequent protection needed to safeguard the critical assets against those risks.
The COVID-19 pandemic catalyzed a digital revolution worldwide. It will and has certainly changed the way we work and interact with each other. Digital adoption and online interactions have skyrocketed since the beginning of the pandemic in early 2020.
According to a study by McKinsey & Company [3], businesses have surprised themselves with the speed and success of their digital initiatives in response to COVID-19. On average, digital offerings have leapfrogged seven years of progress in a matter of months.
Similarly, tech giant Microsoft claimed that its customers, which include top IT and government organizations, have had “two years’ worth of digital transformation done in just two months.”
However, this unprecedented uptake of technology, although feasible and friendly, was adopted hastily, simply because there was no time to use “secure, configure, test, and deploy strategy” for IT Admins of organizations. This has left security holes that have certainly increased the risks for individuals, businesses, communities, and the government agencies alike.
Cybercriminals have taken advantage of this sudden change in work culture and the corresponding change in the corporate technological infrastructure, which can now be penetrated with more ways than previously known to steal confidential information, intellectual property, and/or demand ransom, among other activities.
We have discovered a 600% increase in cybercrime in our survey even a year after the onset of COVID-19—that is, in 2021—and predict that cyberattacks will hit a new high in the year ahead.
Digitalization will harness technologies such as 5G, Internet of Things (IoT), autonomous vehicles, critical infrastructure, Artificial Intelligence (AI), Industry 4.0, cryptocurrency, cloud, virtual augmented reality (VR/AR), and drones.
The widespread adoption of the Internet of Things (IoT) and Industrial Internet of Things (IIoT) in particular is a use case to be watched from close quarters. These connected devices, estimated at 15 billion in 2022, will expectedly grow to 27 billion by 2025, according to CYFIRMA’s Predictions [4]. IoT and IIoT are foundations to smart cities projects with direct impact to not just businesses but also billions of citizens.
IIoT, a sub-sector of IoT, facilitates greater connectivity among equipment, software, and employees in an industrial environment. Although the IIoT market is mostly tied to production-based solutions where automation is key to success, IIoT is quickly growing in capabilities and use cases.
The global IIoT market was valued at about $216.13 billion in 2020 and is expected to grow to about $1.1 trillion by 2028, according to Grand View Research.
As connectivity innovations—such as multi-cloud environments, edge computing, and 5G networks—become more widespread and accessible, we should expect to see more applications of IIoT across global industrial markets.
However, this hyper-connected environment will subject governments and businesses to further cybersecurity risks as it will correspondingly open new avenues for cybercriminals. Thus, there is an urgent need to include all IoT and IIoT products and services into the overall technology infrastructure of the organization with requisite security measures in place.
Against the backdrop of heightened cybersecurity threats and risks, governments have a significant role to play in ensuring that businesses can operate without the constant fear of cyberattacks. Regulatory environment can be improved to build cyber resiliency.
Cybersecurity policies and organizational preparedness are still lacking and have repeatedly been highlighted by various law enforcement agencies around the globe.
Formulation of policies and the training of staff and individuals require specific actions by governmental and business leaders, which again require the inclusion of educational activities from the ground-up level. However, all these require time and effort, and it is thus desirable that the Taskforce 2 of T20 implement the policies recommended in this paper.
Organizations need to ensure they are focusing on getting the basics right when it comes to cyber hygiene. What does that mean?
So, how can this be done?
There must be continuous monitoring so that defenders are aware of the new devices and technologies joining and being adopted into the ecosystem. A full visibility on the external threat landscape to understand threat actors, motives, campaigns and methods will be essential to ensure cyber adversaries do not gain access in the first place.
Additionally, this will create a body of researched data which can then provide insights on threats to the nation and inform the government on strategies to undertake to strengthen the nation’s cyber posture.
Cybersecurity is a complex and sophisticated subject. It can only be understood when you get the basics right. In this policy brief, we propose the “ABC” methodology of understanding cybersecurity:
1. Awareness of Cybersecurity
The proliferation of Industry 4.0, which includes the billions of IoT devices, has only raised the spectre of cybersecurity, making governments, business communities, and end users extra cautious of the risks and exposures of the digital world and the repercussions that it holds.
For this, we recommend the adoption of the following policies:
corporate digital assets, manage third-party cyber risk, and build cyber awareness amongst their workforce.
2. Building Capabilities and Capacities
We recommend the following policies to be adopted in order to develop capabilities and capacities to address the cybersecurity risks, threats, and ensure data privacy:
Like COVID-19, the pandemic of cybersecurity threats has now become an endemic and no one’s data is safe anymore. Organizations are always at risk of being attacked from the external threat landscape; and they are probably, if not equally, at a higher risk of threats from within the organization as well. An organization’s security can be easily crashed by an employee or human error, where careless or ignorant staff members are currently the second assured cause of a serious security breach, according to several studies.
Organizations can therefore not afford to overlook the primary significance of training its employees of the threats and best practices to encounter cybersecurity. So, how well is your organization or employee equipped against highly skilled criminals, malicious hackers or nations that aim to steal data or any other valuable information or service?
A survey, State of IT Security 2019, shows that email security and employee training are the top challenges faced by information technology (IT) security professionals. Despite firewalls and other security software, employees are still the most common entry points for phishers. For a company with more employees, equally, the entry points increase and likewise, it implies an increase in “phish” in the sea.
Cybersecurity training needs to be mandatorily provided to help all employees protect themselves and the company against cyberattacks and threats. Training empowers employees with an up-to-date know-how to recognize and mitigate a cyber threat. By making employees able to identify and eliminate cyber threats, you are strengthening the most vulnerable link in the chain.
With the current IT infrastructure, most hackers use artificial intelligence nowadays. Systems are manipulated such that most breaches involve some kind of human error. Organizations should therefore train their employees to avoid attack from social engineering to protect their fundamental resources for conducting business and flawlessly interact with customers.
Simple and repetitive tasks can be modelled into automated systems. Nevertheless, people will always be behind the operation of any automated task and on the end of every email, chat session or a phone call. People, therefore, present the concept of “human factor” in the crosshairs or cyber attackers. The only defense against such attacks is by education or in other terms, by providing employees with security awareness training.
Topics to cover in employees’ cybersecurity and awareness program are:
Artificial intelligence is a two-edged sword that hackers might employ as a security solution or as a weapon. AI comprises the creation of programs and systems that can exhibit human- like characteristics. The ability to adapt to a specific environment or respond intelligently to a circumstance is one of the traits. Artificial intelligence (AI) has been widely used in cybersecurity solutions, but hackers are also using it to create sophisticated malware and carry out stealth assaults.
AI can be used to execute intelligent attacks that can multiply over a system or network. Smart malware can exploit unmitigated vulnerabilities leading to a full-fledged attack. If an intelligent attack comes across a patched vulnerability, it can adapt to try different ways to attack to achieve its objective.
Artificial intelligence (AI) can be used to construct malware that can imitate trusted system components and be employed in stealth assaults. Cyber criminals, for example, utilize AI- enabled malware to understand an organization’s compute environment, patch update lifecycle, types of communication protocols. As a result, hackers can carry out undetectable assaults by blending into a company’s security environment.
Changing malware behaviour can be hard to rein in. “Multimorphic” malware is fast becoming a reality. State-sponsored threat actor groups are developing malware that cannot be easily detected. This type of “multimorphic” malware can switch seamlessly across stages of a cyberattack, such as reconnaissance, exploit, and exfiltration. Deciphering the actual behavior path of such malware will be difficult as it utilizes complex obfuscation techniques based on selected inputs derived from the target’s unique characteristics. It would be hard to identify this type of malware as there is no historical behavior to track.
To counter these sorts of AI-powered cyberattacks, organizations would need to move away from an “event-centric” cyber defense strategy to an “intelligence-led” approach. In the latter, defenders would gather insights to cyberattacks at the early planning stage and take appropriate action to remediate security gaps. This proactive method requires cybersecurity to utilize predictive capabilities—being aware of cyberattack campaigns at the stage of planning and reconnaissance and not at the stage of weaponization and exploit.
Due to the resource crunch for cyber security expertise, AI-enabled tools and platforms will allow automation to detect and prevent cyber attacks based on the roles defined. This means
such machine-based execution of actions can automatically detect, investigate, and remediate cyberthreats with or without human intervention. It would subsequently prioritize alerts as they emerge, and perform automated incident response.
3. Commitment by Leaders
To minimize the disastrous consequences of cybersecurity breaches, it is imperative for the political leaders of each country to seriously consider the real threats and risks of cybersecurity for government agencies, the business community, and the population at large.
We recommend that the political leadership commit to an Action Plan to address the Cybersecurity threats by formalizing an Inter-Ministerial Taskforce for the CyberSecurity policies and supporting infrastructure.
We also recommend the following specific action items for all the ministries and agencies:
This policy brief highlights the importance of critical paths towards a more protected world against the real threats of cyberattacks and cybercrimes targeting governments, business communities, and society at large. Key takeaways from our paper include:
Gartner, “Garner forecasts Worldwide Security and Risk Management Spending to exceed $150 Billion in 2021”,
https://www.all-about-security.de/english-news/gartner-forecasts-worldwide-security-and-risk- management-spending-to-exceed-150-billion-in-2021, accessed June 2022
Cybersecurity Ventures (2021), “Cyberwarfare in the C-Suite 2021 Report”
McKinsey and Company (2022), “COVID-19: Implications for Business”, April 13, 2022, https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/covid- 19-implications-for-business, accessed June 2022
CYFIRMA (2022), “Cybersecurity Predictions 2022”,
https://www.cyfirma.com/cyfirma-cybersecurity-predictions-2022/, accessed June 2022
CYFIRMA (2022), “The Case of External Threat Landscape Management” https://www.cyfirma.com/the-case-for-external-threat-landscape-management/, accessed June 2022
ABOUT THE AUTHORS
ABOUT SMART CITIES NETWORK
Smart Cities Network is a global platform for thought leadership, business intelligence, knowledge sharing and creating business opportunities for the smart city global community.
It is a not-for-profit individual membership-based organization, whose members are professionals with expertise in a wide variety of themes, aligned to the various frameworks and digital transformation roadmaps.
Our aim is to develop an ecosystem where thought leaders, innovators, consultants, analyst, networkers, government, private and public organizations can come together to work collaboratively.
Together, we want to build inclusive, sustainable and smart cities that are physically and digitally secure, respectful of our natural environment, improving the quality of lives, developing a competitive economy and aligned to the UN Sustainable Development Goals.
ABOUT CYFIRMA
CYFIRMA is an external threat landscape management platform company. We combine cyber intelligence with attack surface discovery and digital risk protection to deliver predictive, personalized, contextual, outside-in, and multi-layered cyber-intelligence.
We harness our cloud-based AI and ML-powered analytics platform to help organizations proactively identify potential threats at the planning stage of cyberattacks. Our unique
approach of providing the hacker’s view and deep insights into the external cyber landscape has helped clients prepare for upcoming attacks.
CYFIRMA works with many Fortune 500 companies. The company has offices located in the USA, EU, Japan, Singapore, and India.