Here’s how business leaders can prepare for systemic cybersecurity events

Geopolitical instability has changed the landscape in which companies, governments and citizens operate, making cyber risk more volatile and difficult to manage. At the same time, organisations are more reliant than ever on shared technical infrastructure and service providers. This increases the likelihood of a cyberattack becoming a ‘systemic cybersecurity event’, characterized by cascading effects across communities, economies, and governments.

In January 2023, a group of information security researchers announced they had found vulnerabilities in common software used in private cars and other vehicles. If exploited, these vulnerabilities could have allowed attackers to remotely track and control fleets of private cars and even emergency vehicles, according to Cyberscoop.

Thanks to the efforts of these ethical car hackers, and a collaborative response from the companies affected, the vulnerabilities in these vehicles have all been patched. But when security vulnerabilities like these are attacked, the results can be unexpectedly disruptive. In early 2022, an attack on Ukrainian military communications that relied on services from the private company Viasat accidentally knocked out electricity producing wind-farms across central Europe.

In 2021, a cyberattack on the low-profile IT service provider Kaseya caused Swedish supermarkets to quite literally close their doors. These can also have sometimes catastrophic economic consequences, such as the NotPetya attack in 2017 that caused chaos in international shipping.

Cybersecurity events like this show rapid propagation across systems, collateral damage to organisations beyond the intended targets, risks concentrated at single points of mutual vulnerability, mitigation and response requirements beyond any one organization’s control, and large economic and societal impacts.

The Global Cybersecurity Outlook 2023 report from the World Economic Forum in partnership with Accenture, reveals that 93% of cyber leaders and 86% of business leaders think it is “moderately likely” or “very likely” that global geopolitical instability will lead to a far-reaching, catastrophic cybersecurity event in the next two years.

Most respondents, across all sizes of organizations, told us that geopolitical instability had influenced their cybersecurity strategy. A significant segment (50%) said that cyber risk was a factor in re-evaluating the countries with which they do business. Likewise, cybersecurity is increasingly a factor influencing how governments decide which companies to interact with. These decisions can have knock-on effects across the private sector.

Respondents who reported successful changes in their cybersecurity strategy also said they had organizational structures in place that supported interaction among cyber leaders, and business leaders across functions and boards of directors. These structures encouraged collaboration on digital resilience across business activities.

Perhaps because of this mix of geopolitical instability, headline-grabbing cyberattacks and regulators placing more responsibility for cyber risk management directly on boards, organizational leadership has begun to listen to their cybersecurity executives.

The Global Cybersecurity Outlook 2023 shows that the business and security leaders’ perspectives on the importance of cyber risk management are converging. A shared understanding of the benefits of effective cyber risk management is also emerging with more than 39% of leaders surveyed agreeing that “cybersecurity is a key business enabler”.

Most business and cyber leaders agree that incorporating cyber-resilience governance into their business strategy, as recommended in the Forum’s Principles for Board Governance of Cyber Risk, is one of the most impactful principles when it comes to cyber resilience.

Compared with 2022, cyber executives are now more likely to see data privacy laws and cybersecurity regulations as effective tools for reducing cyber risks across a sector. This is a notable shift in perception from the 2022 Outlook report. Despite the challenges associated with compliance within each organisation, cyber leaders acknowledged that regulation incentivizes much-needed action on cybersecurity across a sector.

Perhaps because of the mix of geopolitical instability, headline-grabbing cybersecurity events and regulators placing more responsibility for cyber risk management directly on boards, organizational leadership has begun to listen to the concerns of cyber leaders.

One executive interviewed for the Global Cyber Outlook report explained: 'Boards’ understanding of their responsibility and duty of care has improved. In larger or regulated firms, this awareness has been helped by the interlocking committees that give several board members quite a bit of exposure to questions of digital transformation, information security, business continuity and cyber resilience.'

While boards are more aware of cybersecurity than before, many board-level executives struggle to determine which questions are best suited to assessing information provided by their cybersecurity teams. This is an obstacle to making informed and risk-based decisions. Cybersecurity and business leaders must learn to effectively translate their cyber risks into enterprise risk, and into the right operational and tactical measures to mitigate those risks.

Cybersecurity leaders should use less technical jargon when speaking with business leaders. Boards of directors should help cybersecurity leaders understand what assets and processes must be prioritized for protection. Boards should then make themselves accountable for these priorities once they are set because cybersecurity resources are rarely sufficient to effectively defend all parts of an organization all of the time.