5 ways to protect your organization during cyber conflict

In cyber conflict there are two types of potential victims - those that know they are a target, and those that don’t yet know. The increase in frequency and severity of cyberattacks in Europe at a time when geopolitical tensions are high should prompt senior executives in every organization to think about cyber resilience.

Over the past month, Europe has witnessed many cyber incidents involving critical infrastructure. The recent cyberattack on the major European oil refining hubs of Amsterdam-Rotterdam-Antwerp led to considerable disruption in the loading and unloading of refined product cargoes amid a continental energy crisis. In Portugal, the largest European telecom operator Vodafone had its operations severely debilitated, limiting services in that country. In Belarus, a self-proclaimed cyber opposition group announced that it had effectively hamstrung the national rail network in the middle of ongoing military exercises with Russia. And finally, a flood of smaller cyberattacks have hit Ukraine, with government websites being the target.

Critical infrastructure (CI) organizations generally know they are likely to become targets during cyber conflicts. They have been investing in cybersecurity and are encouraged to collaborate with their peers towards building industry-wide resilience. The World Economic Forum’s Cyber Resilience in Oil & Gas initiative has brought together several industry players with the objective of raising the bar across industry.

CI organizations often have access to special governmental support programs, and sometimes even special threat intelligence. The US Cybersecurity and Infrastructure Security Agency has been especially active lately in pushing out warnings to all companies. However, there is often a discrepancy between how cyber-resilient a company's board think it is, and what the cyber professionals think. In a recent survey by the World Economic Forum, 92% of business executives considered cyber to have been integrated into their enterprise risk-management strategies, while only 55% of cyber leaders agreed.

Attackers often target organizations that are not critical infrastructure. Throughout the Covid-19 pandemic, hospitals were routinely hit by cyberattack, and in January 2022 the International Committee of the Red Cross announced it had been hacked. It is sometimes difficult to decide if an attack of this nature is motivated by criminal or political intent (is it 'ransomeware' or 'ransomwar'?), as cyber criminals may seek to exploit the general confusion of any politicial crisis. All organizations should be aware that it is not a question of whether they are going to be attacked, but when.

1. Create “digital slack” in your organisation

This means not only keeping some obsolete equipment around as potential spares or backup in case you need to replace some hardware immediately, but also being ready to create space in business processes. How vital are video calls? What level of connectivity do you need to keep in touch with your staff in the field, what needs to be prioritised? And if your business depends on high levels of business-to-business or business-to-consumer contact, what are your measures in keeping a minimum level of service in play? What happens when your main customer/ partner/ supplier disappears behind a national-level firewall?

2. Be prepared to deal with attacks on service providers

Consider hedging within and across the range of the services. For instance, cloud providers often allow you to set the “regions” or geographic zones your data is held in, giving you the option to temporarily avoid a general geographic conflict zone, although likely at some operational and regulatory costs. You may also want to invest in secondary relationships in case you need to change providers in a hurry.

3. Review your business continuity management / disaster recovery processes

This helps you to be prepared for both ransomware attacks and debilitating attacks on your external service providers. Apply the 3-2-1 rule for your most important data: have three different backups for each kind of critical data set, on two different media, one of which is stored offsite. Consider regularly changing your backups – one reason ransomware succeeds is either because the ransomware has infected the backups, or restoring from backup is considered to be a too lengthy process.

4. Give your cyber team more leeway

If something needs to be updated, don’t force the cyber team to wait so as to not inconvenience the business – do it as soon as you can. If some services need to be suspended temporarily to shore up your network, on balance that could be a small price to pay compared to the impact of an attack. Perhaps most importantly, allow your cyber team to collaborate with others, through both formal and informal channels.

5. Incorporate cybersecurity expertise into the board

All organizations should have identified a corporate resilience manager at the board level or equivalent. That person will need to take a very wide perspective, and include other risks such as pandemic-related crises. To make sure cyber is adequately represented, consider having either the Chief Information Security Officer (CISO) directly present, or at least plan on regular briefings of the entire board. Overall, the resilience manager and the CISO should consider engaging the board through tabletop exercises to stimulate digital disruption, and the decisions it may require. The World Economic Forum helped produce the Principles for Board Governance of Cyber Risk to help businesses become more resilient against cyberattacks.

Present-day cyber conflict is often associated with apocalyptic images of burnt-out infrastructures and week-long blackouts. These threats are real, but thankfully still very unlikely. A much more realistic scenario of wider political cyber conflict could involve prolonged low-level disruptions to critical infrastructure, and a generally degraded cyberspace and tech environment. As leaders, it is imperative we prepare for such disruptions by embracing cyber resilience practices and business continuity measures.