- Cyber-attacks are on the rise around the world, with healthcare and utilities the most targeted sectors.
- Organizations must not only defend against attacks but be able to recover quickly after a major disruption.
- Business leaders must embed cyber resilience across their organizations to protect against digital threats.
A large number of government and private sector organizations including some of the most sophisticated companies in the world, have fallen victims to cyber-attacks in recent years. Business critical activities have been disrupted, data has been compromised and the threat continues to evolve at a fast pace.
This year alone, many providers of essential services including energy, healthcare, food, and transportation have been hit by ransomware attacks which crippled their operations and had cascading effects on critical functions that our society relies on.
Have you read?
The COVID-19 pandemic has exposed even more opportunities and vulnerabilities. According to a recent report released by Checkpoint, there has been a 102% global surge in ransomware attacks compared to the beginning of 2020, and healthcare and utilities were the most targeted sectors.
How to anticipate and prevent a high impact cyber-attack
By now, most businesses recognize that they have to invest significant amounts of cash and resources in cybersecurity. Collective global spending has now reached $145 billion a year and is predicted to exceed $1 trillion by 2035.
As the number and impact of cyber-attacks continue to rise, we have come to the realization that globally we’re not doing enough about cybersecurity. The current situation is comparable to trench warfare: progress is slow, and the casualties are high.
No company has the resources to fix all cyber issues and not all fixes are equally important. It is only by starting to identify activities that are important to a business, and understanding how attacks could disrupt them, that one could start to prioritize the process of risk mitigation.
Unfortunately, many companies skip the step of identifying these critical business activities which could be disrupted by a cyber-attack and instead focus on individual technologies to fix individual problems in their IT systems. While there is some value in this approach, a company could spend significant resources without addressing the fundamental issue which is to protect the critical business functions for which the products were procured.
What is the World Economic Forum doing on cybersecurity?
The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The centre is an independent and impartial platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.
Since its launch, the centre has driven impact throughout the cybersecurity ecosystem:
- Training a new generation of cybersecurity experts
Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible training through the Cybersecurity Learning Hub.
- Building a global response to cybersecurity risks
The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, European Network and Information Security Agency, and the US National Institute of Standards and Technology, is identifying future global risks from next-generation technology.
- Improving cybersecurity in the aviation industry
Through the Cyber Resilience in the Aviation Industry initiative, the centre has been improving cyber resilience in aviation in collaboration with Deloitte and more than 50 other companies and international organizations.
- Making the global electricity ecosystem more cyber resilient
The centre and the Platform for Shaping the Future of Energy, Materials and Infrastructure have been bringing together leaders from more than 50 businesses, governments, civil society and academia to develop a clear and coherent cybersecurity vision for the electricity industry.
- The Council on the Connected World agreed on IoT security requirements for consumer-facing devices to protect them from cybers threats, calling on the world’s biggest manufacturers and vendors to take action for better IoT security.
- The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure global digital peace and security.
Contact us for more information on how to get involved.
Many companies don’t nearly get the benefits from the investments they make. While there is already a plethora of frameworks and best practice guides aimed at equipping cybersecurity leaders with the tools and knowledge needed to manage cyber risks, business leaders, particularly in SMEs and less mature industries or regions, often struggle to understand the cybersecurity narrative and their responsibilities.
We’re at a crossroad where cyber resilience has become a defining mandate of our time – to anticipate future threats, withstand, recover from cyber-attacks, and adapt to future digital shocks.
Business leaders must be prepared to answer the following questions to reassure their stakeholders:
- How well prepared are we to counter disruptions related to cyber-attacks?
- How well can we withstand the loss of mission-critical functions after a cyber-attack and how quickly can we recover them?
These three principles will help business leaders embed cyber resilience into their organizational culture and structure:
1. Cyber resilience must be governed from the top
There is often a perception from non-technical leaders that the cybersecurity field is so complex that they would need to delegate. By bridging the cyber literacy gap, business leaders will be able to make more effective decisions on mitigation strategies.
Businesses should also ensure that an accountable corporate officer has been nominated and reports regularly and directly to the board and executive committee on cyber risks and resilience.
Moreover, the board and executive committee should discuss with their cyber leaders the critical business activities and any concerns they have about what could go wrong:
- Ask which systems support this activity to help you prioritize, instead of going over which vulnerabilities have to be remediated.
- Learn about the known attacks, and how they would be able to compromise these systems and the potential economic impact.
2. Cyber resilience must be inherent to the business operating model
Business leaders must start looking at cyber resilience as a business imperative to solve and understand what assets and activities are critical and provide competitive advantage to their organization. A balanced approach to cyber resilience will ensure that investments are not only made in defense and preventive capabilities but also prioritized in response and recovery capabilities from a major cybersecurity breach.
Cyber risk profiles evolve rapidly because of transformational initiatives and changes in operating models.
They also differ between industries and vary widely depending on product and services, geographies and regulatory requirements, and geopolitical context.
By developing the cyber literacy of their workforce and adapting the knowledge required to the role and responsibilities of the employee, businesses will be able to better harness the power of technologies while minimizing the risks associated with the human element.
Moreover, companies need to build internal capabilities to deal with change management processes and incorporate some type of cyber risk assurance. It doesn’t have to be an onerous activity, but it is important that business leaders pay attention to the risk they are accepting.
3. Cyber resilience is an enabler of business outcomes
There will never be guarantees that your organization’s cybersecurity practice will be sufficient to fend off the attack you’ll face. However, if business leaders focus on what is important to protect and understand the kind of attacks that would compromise important business activities, they will be more likely to anticipate and be prepared to mitigate the risk of a major attack and recover quickly.
Such an exercise is continuous and dynamic, and often links with business changes – new supply chain partners, new operating models, etc.
Moreover, business leaders should be seeking value- and outcome-based measures and metrics for assessing the efficacy of the security controls implemented, return on investments for the technologies and services acquisitions made and impact on strategic business outcomes.
To fully realise the dividends of their digital transformation, businesses must align their visions with their risk tolerance. If the security risks associated with the proliferation of technology-enabled infrastructure and internet applications are not appropriately balanced with comprehensive cybersecurity strategies and resilience plans, businesses will be unable to achieve the economic growth and prosperity they seek.