Business leaders and cybersecurity executives expect that a catastrophic cyber incident with far-reaching global ramifications will occur before 2025.
The prediction comes from the World Economic Forum’s (WEF’s) Global Cybersecurity Outlook 2023 insight report, which found that 93 percent of cyber leaders and 86 percent of business leaders surveyed said that it is “moderately likely” or “very likely” that global geopolitical instability will cause such an event to happen.
“The geopolitical events of the past year have significantly influenced cyber strategy and tactical cybersecurity operations across the globe,” the report explained. “Efforts are being made to strengthen internal policies and processes, as well as to increase the effectiveness of cybersecurity controls with third parties. This suggests that organizational responses to cyber risk being undertaken now will have a positive long-term impact.”
These conversations have resulted in business practice changes, such as strengthening policies and practices for engaging with direct-connection third parties, strengthening controls for third parties that process corporate data, and re-evaluating the countries that the organization does business with.
“Geopolitics arising from the Russia-Ukraine war have also altered how we think about our threat environment,” said one respondent in an interview with the report’s authors. “We have needed to spend time and resources on understanding how the threat landscape has changed, whether the difference in the attacker’s motivation makes us more likely to be targeted, what will be attacked, and how it might be attacked.
“We are now using more resources for active monitoring of the threat picture compared to 12 months ago,” the respondent continued. “We focus on our tactical and short-term (three month) planning and becoming less detailed in our three- to 12-month planning as the environment is so volatile.”
This feeling is not necessarily out of place following a year where Russia has been engaged in a physical and digital war with Ukraine and where cybercrime and new methods of intrusions continue to proliferate. It’s one thing to say your organization is cyber resilient. It’s quite another, however, to put it into practice.
It may approach buzzword status, but cyber resilience has a different definition depending on the person you’re asking. In its most recent Security Outcomes Report: Achieving Security Resilience, Cisco asked more than 4,700 security practitioners to define cyber resilience.
“It’s kind of like nailing Jell-O to a wall,” says Wendy Nather, head of advisory CISOs for Cisco. “We started out by quizzing executives on what resilience meant to them, and they said, ‘Don’t have any incidents to begin with.’ That’s not how I would define resilience—happening after the bad thing happens.”
This definition may stand out because when asked to elaborate on resilience-impacting incidents their organizations had experienced, the practitioners listed network or data breaches (51.5 percent of respondents), network or system outage (51.1 percent), ransomware event (46.7 percent), and Distributed Denial of Service (DDoS) attack (46.4 percent).
These types of incidents had widespread ramifications for the affected organizations, including IT/communications interruptions (62.6 percent), supply chain disruptions (43.3 percent), impaired internal operations (41.4 percent), and lasting brand damage (39.7 percent).
“Nowadays, more security incidents are affecting operations. They’re not just a theoretical thing that might get you some headlines which are not very flattering, but it’s not stopping your day-to-day,” Nather explains. “These, especially ransomware or denial of service attacks, are definitely going to be affecting your operational resilience.”
Because of this, executives are placing a higher emphasis on cyber resilience: 95 percent of business executives said cyber resilience is integrated into their enterprise risk management strategy, according to the World Economic Forum’s Global Cybersecurity Outlook 2023 insight report.
“In addition, most business and cyber leaders also agree that incorporating cyber-resilience governance into their business strategy is one of the most impactful principles when it comes to cyber resilience,” the forum’s report found.
Having this level of executive support is crucial for making the organization cyber resilient. In fact, it’s one of seven success factors for resilience that Cisco identified in the course of its research.
“Organizations that report poor support from top executives exhibit security resilience scores that are 39 percent lower than those with strong backing from the C-suite,” according to Cisco’s report. “The real puzzle, of course, is how to garner the support of executives.”
This is where the other six success factors come into play: cultivating a culture of security; holding resources—including extra personnel—in reserve; simplifying hybrid cloud environments; maximizing zero trust adoption; extending detection and response capabilities; and taking security to the edge.
The War’s Effect
Security and risk management advisory service provider The Chertoff Group has been working with clients for years to address physical and cybersecurity resilience. Part of that work has been communicating to clients the unique risk Russian threat actors pose to corporate and critical infrastructure systems due to their sophisticated abilities.
“We’ve seen that through one of the first successful cybersecurity attacks with physical consequences through the Russian attacks on the Ukrainian electric grid,” says David London, managing director, cybersecurity, at The Chertoff Group. “It caused blackouts and issues with industrial control systems. [Russia] has the ability to cause this impact.”
Ahead of Russia’s invasion of Ukraine in February 2022, London says his firm was especially watching the potential for Russia to exploit weaknesses in the software supply chain to weaponize it. As tensions ramped up and Russian troops began to engage in kinetic warfare, London adds they went from a “posture of wait and see” to “acute reactionary mode where organizations were seeking to move their physical operations or IT operations out of the region” to maintain their business and protect employees.
For instance, The Chertoff Group helped clients pull their business teams out of Ukraine and Russia, move IT workloads from high-risk exposure areas to more secure locations, and migrate engineering talent pools from Eastern Europe, the Baltics, and Russia.
London and his team also worked with executives to help them understand what their third-party dependencies were and how they might need to be mitigated to maintain operations based on various scenarios.
“We were helping them understand not just what is happening but thinking over the horizon to even some potentially unsavory outcomes that could include Russian airstrikes around supply routes in Poland and Lithuania that cut off essential supplies to general populations and businesses,” London says. “Or cyberattacks on critical infrastructure in countries not directly involved in the conflict but supporting the conflict.”
This could include Western technology service providers that were doing work with Ukrainian businesses and agencies or NATO members. Clients not within the immediate conflict zone were also looking at how to increase their resiliency in response to calls from government officials to adopt a “Shields Up” approach to spillover cyber activity, like that raised by the U.S. Cybersecurity and Infrastructure Security Agency in March 2022.
The potential targeting of Western technology service providers “enforced the need for organizations to unpack and visualize the ecosystem of their supply chains to understand what those cascading impacts could be,” London adds.
While Russia continues its aggression in Ukraine, elsewhere on the globe some organizations are thinking through how the steps they took in response to that conflict would apply to their operations in China, which has a much more significant and sizable market for business.
“Most of our clients are concerned about their data and their data being exposed or exfiltrated from their own network,” London says. “For example, organizations that are holding their sensitive client data or holding their own proprietary intellectual property or potentially U.S. government sensitive information, they’re looking to insulate to the highest extent possible.”
Many companies are not looking to close their operations in China yet, but, given security laws introduced in the country and changing regulations, organizations are reassessing what they need to do to be resilient while protecting their assets.
“We’re working with clients to identify what their operation is, what’s essential, what they could do without, and then building separate enclaves and designing workarounds,” London adds.
The Time Factor
Resilience isn’t built overnight. Becoming one of the organizations that can withstand a major cyber disruption or event—an organization with those previously identified seven attributes of success—requires a cultural shift and resource investment.
The starting point for many organizations is to improve communication between security practitioners and business leaders. The WEF report recommends starting from a shared reference point—such as geopolitical concerns or personal digital security—to start a discussion.
“Cybersecurity leaders should use less technical jargon when speaking with business leaders,” the WEF report explained. “Boards of directors should help cybersecurity leaders understand what assets and processes must be prioritized for protection. Boards should then make themselves accountable for these priorities once they are set because cybersecurity resources are rarely sufficient to effectively defend all parts of an organization all of the time.”
One way to build on this discussion is to conduct strategic learning exercises with decision-makers to create mutual understanding of enterprise risks.
“Where we see success stories is when organizations convene decision-makers in the same room at the same time and put a viable, compelling, and realistic scenario in front of them to coordinate them and sensitize them to risks in a key way,” London says, adding that this approach can make business leaders aware of their largest challenges, dependencies, and cascading impacts if a cyber incident occurs.
Additionally, the WEF advised changing organizational design to grant security executives access to senior business leadership—such as the CISO reporting directly to the CEO instead of a CIO. It also recommended building security culture across the organization so all employees understand cyber risks and the role they play in managing them.
Another suggestion to improve cyber resilience involves closing the talent gap, a problem for businesses for nearly a decade. The WEF estimated that at least 2.27 million cybersecurity experts were needed in 2021 to fill all the positions available. It also found that many organizations are simply raising the amount they will pay existing cyber talent, exacerbating the talent shortage by “creating a high turnover of cybersecurity experts from company to company. Paying more is a stopgap that will not solve the longer-term problem.”
Instead, the WEF said organizations need to promote inclusion and diversity efforts to recruit talented individuals from minority backgrounds into the profession, open hiring processes to focus on skills and experience instead of four-year degrees, and prioritize retaining and developing diverse staff members once they are hired.
Implementing these recommendations will require an investment in financial and personnel resources, as well as the most expensive resource in a rapidly changing threat landscape: time.
“One of the biggest barriers to cyber resilience in many organizations is time,” said WEF report respondent Jacky Fox, Europe security lead for professional services firm Accenture. “Business leaders broadly understand they need to become more cyber resilient, but they can’t snap their fingers to make it happen. They know there is a journey to travel to make their organizations cyber resilient, but time is not on their side.”