How to prioritize resilience in the face of cyber-attacks

For organizations large and small, neglecting cybersecurity is increasingly untenable.

The Global Cyber Outlook 2023, released this week at the World Economic Forum’s Annual Meeting in Davos, Switzerland, found that geopolitical and economic uncertainty around the world is exacerbating the threat of potentially catastrophic cyber-attacks, increasing the risk for businesses across sectors.

While progress has been made in bolstering cybersecurity awareness and preparation, there is more that businesses can do to increase resiliency, including improving cyber literacy, communication and information sharing.

In the past year, geopolitical risk roared back to the centre of world affairs, upending supply chains and disrupting major industries ranging from energy to food commodities. New technologies are also evolving quickly, and with these come new vulnerabilities, which attackers – some of whom have strong geopolitical motives – are often swift to exploit.

In fact, the new outlook found that 93% of cybersecurity executives and 86% of their business counterparts view the risk of a catastrophic cyber event occurring within the next two years as either ‘high’ or ‘moderately high’. Such events could include, for example, a crippling ransomware attack or a breach of sensitive consumer data – either of which would cause large-scale disruption and be costly reputationally and financially.

As the report notes, increased risk has already prompted 50% of respondents to reevaluate the countries in which they do business, while others fear business disruption and reputational damage as a result of geopolitical-related cyber-attacks.

The fear of a major attack also, in part, reflects the interconnected nature of operations today. Digital transformation is creating technological interdependencies, the size and nature of which have often yet to be fully understood.

Increasingly, consumer data and technology is shared across supply chains, which means that a cybersecurity event can quickly ‘cascade’ from one organization to another, as well as across borders.

Awareness and the fear of third-party risk has increased rapidly in the past year. A total of 90% of respondents voiced concern about the cyber resilience of third parties, particularly those that have direct connections with, or process, organizations’ data.

As a result, the report reveals that leaders are strengthening controls for third-party access to their organizations (73%) or data (66%), and decision-makers are working to mitigate cyber risk. Notably, business and security executives ranked their highest priority as incorporating cyber resilience into business strategy.

Encouragingly, the tech versus non-tech dynamic that dominated boardrooms for several years is changing. There is an increasing meeting of minds and an improving awareness – particularly on the part of boards – not only about what cyber risks are, but their role in addressing them. Boards are more likely to think about cyber risks and listen to their cyber experts, the report revealing that 56% of security leaders meet with their board at least once a month.

Where there remains a problem is with business leaders clearly articulating the risk that cyber issues pose to their organization. This in turn, makes it harder to agree on how best to address the risk. As the report suggests, cyber experts should present security issues in terms that board-level executives can readily understand and act on, while business leaders should accept greater accountability for overall cyber capacity.

Moreover, finding the right types of people to identify, assess and manage cyber risk as well as deal with a major cyber event is important. To do so, however, the long-running technology talent shortage needs to be addressed.

As the situation stands, 64% of cyber leaders and 59% of their business counterparts, rank talent recruitment and retention as a key challenge when it comes to managing cyber risk. Worryingly, fewer than half of the survey’s respondents reported having the right people with the right skills to respond to cyber-attacks.

Fortunately, a shared understanding of this problem has grown in recent years, making it more likely that the necessary talent recruitment programmes will be developed. This will help create a larger, more inclusive pool of diverse talent, including individuals with crisis management skills as well as an ability to think about problems creatively and differently. It will also help dispel the misconception that cybersecurity is highly technical, which is not always the case.

The report also highlights that business leaders (76%) and cyber executives (70%) are increasingly likely to view data privacy laws and cybersecurity regulations as an effective tool for reducing cyber risk. Compliance can pose challenges, but at the same time, regulation – along with the added pressure of shareholder expectations – is incentivizing cyber security action.

This is positive because to create a security-focused culture, organizations need to find both a common language and metrics that will turn cybersecurity information into something that can be readily measured and analysed.

There is still, however, work to be done in developing clear regulations about what needs to be reported, and when, in the event of a breach. Horizontal (the same level throughout an organization) cyber information sharing has grown and is typically prioritized over its vertical (through all levels) counterpart. Here the report points to the need to embed cyber risk management – and best practice – vertically, suggesting that frequent, meaningful discussions can improve clarity and understanding.

The current focus on geopolitics and third-party risk offers an entry point for a wider conversation about cyber risk. The situation is improving, but insufficiently swiftly for most organizations and businesses to be confident that they are equipped to address a major cyber event. Resilience and preparation should be at the centre of strategy.

To achieve this, cybersecurity experts need to improve how they deliver their messages and data, while leaders must better judge what cyber risk means for corporate governance and investment decisions.

This article originally appeared on Arab News.