WEF’s Global Risks Report 2023 keeps cybersecurity on the agenda.
2022 was a difficult year for enterprise security, with russia’s war against Ukraine emboldening cybercriminals and ransomware-as-a-service beginning to thrive. Unfortunately, the Global Cyber Security Outlook 2023 from the World Economic Forum (WEF) and Accenture anticipates that the threat landscape could be getting worse.
WEF’s and Accenture’s research found that 86% of business leaders and 93% of cyber leaders believe that global geopolitical instability is likely to lead to a catastrophic cyber event in the next two years.
In addition, the report found that geopolitical uncertainty was forcing organizations to adjust where they invest, with 49% of business leaders and cyber leaders claiming they would “re-evaluate the countries in which their organization does business” in response to geopolitical risk.
On a more positive note, the study also found that organizations that embed cyber risk into the decision-making process are more confident in their cyber resilience and better able to recover from cyberattacks.
GEOPOLITICAL CONFLICT WILL PROVIDE AN OPPORTUNITY TO START THE CONVERSATION ABOUT RISK
While it remains to be seen whether these predictions of a catastrophic cyberattack will come to fruition, there have been several high-profile breaches over the past few years whose impact was large enough to be considered catastrophic.
One of the most notorious occurred in 2020. The SolarWinds supply chain attack resulted in the compromise of 100 companies and nine federal agencies. Likewise, in 2021, the Colonial Pipeline ransomware attack forced the organization to shut down 5,500 miles of pipelines.
With the russia-Ukraine war continuing, the report finds that geopolitical risk “is an entry point for the wider conversation between security leaders and business leaders on how cyber threats are changing,” and how risk can impact business continuity planning.
Having that conversation is critical for mitigating the risk created by emerging cyber threats. How those threats will manifest is up for debate, but Jon France, CISO of (ISC)2, argues ICS/OT compromise is the most likely avenue for a large cyber event.
“I think we may see a significant event in the next year, and it will be one in the ICS/OT technologies space. Due to long life, lack of security by design (due in many cases to age) and difficulty to patch, in mission critical areas — an attack in this space would have immense effects that will be felt,” France said.
“So I somewhat agree with the hypothesis of the report and the contributors to the survey. You could already argue that we have seen a moderate attack with UK Royal Mail, where ransomware stopped the sending of international parcels for a week or more,” France said.
France argues that organizations can insulate themselves from these threats by putting more resources into defensive measures and by treating cybersecurity as a board issue.
Key steps include implementing responsive measures, providing employees with exercises on how to react, implementing recovery plans, planning for supply chain instability, and looking for alternative vendors who can provide critical services in the event of a disruption.
A GAP BETWEEN CYBER-RISK AWARENESS AND ACTION
Another key finding from the report is that in many organizations, there is a gap between awareness of cyber threats and implementing the necessary actions to mitigate these risks.
For instance, while 86% of business leaders believe there will be a catastrophic cyber event in the next two years, and 43% believe an attack will affect their organization in the next two years, only 27% believe their organizations are cyber-resilient.
“This is like saying you are fairly certain water will flood your house and there will be significant damage, but you are pretty sure you are not prepared for it,” said Paolo Dal Cin, global lead of Accenture Security.
As a result, security leaders need to enhance internal communication with the board if they want to implement cyber-risk management into top-down decision-making. One way to improve communication is to get better at translating risk into business outcomes.
“Business leaders know they have to do more to embed cyber-risk into decision-making because cyber-resilience equals business resilience. It requires a closely coordinated team effort across the C-suite to gain a clearer view of current and emerging risks so security can be embedded across all the strategic business priorities and protect the digital code,” Dal Cin said.
RETRAINING IS THE ANSWER TO THE CYBER SKILLS GAP
Finally, the report prescribes ways that organizations can work to fix the cyber skills gap. This comes down to making better use of both generalists and specialists to secure the environment.
“People think that cybersecurity is something that’s highly technical. Yes, some roles require deep technical expertise, but cybersecurity is a vast domain and making an organization cyber-resilient also requires generalist roles that need a broader skill set, from education and awareness to policy writing, governance and others. We need more people in both the technical and generalist roles,” said Bobby Ford, senior vice president and chief security officer, Hewlett Packard Enterprise.
Rather than competing for a small cross-section of highly qualified cybersecurity experts who are in high demand, organizations should look to help increase the flow of cybersecurity talent into the workforce by expanding the talent pool.
In practical terms, the report suggests “broadening the narrative about who can work in cybersecurity.” This means enabling and/or educating people with non-technical backgrounds, as well as those outside the education system and those from underrepresented groups — opening the door to retraining opportunities via learning on the job or through apprenticeships.