Building a cyber resilience strategy for a geopolitically unstable world
Developing a strong cyber resilience strategy is key to protecting against cyber threats in an unstable world Image: Photo by FLY:D on Unsplash
Listen to the article
- Russia's invasion of Ukraine has increased the risk of cyber attacks on businesses and other organizations, such as NGOs and universities.
- To create an effective cyber resilience strategy, it is important to have four critical internal, overlapping cyber-systems in place relating to governance, culture, risk, and crisis management.
- Organizations that have a systematic approach to cyber-risk governance and a culture of cyber-hygiene, cyber-risk management and cyber-crisis management can achieve systematic cyber preparedness and resilience.
As Russia's invasion of Ukraine becomes more entrenched, with important cyber and disinformation components, businesses and other organizations, such as NGOs and universities, must have four critical internal, overlapping cyber-systems in place to build a strong cyber resilience strategy. These relate to governance, culture, risk, and crisis management.
The figure below summarises the thesis of this piece, which is that businesses that have a systematic approach to cyber-risk governance, a culture of cyber-hygiene, cyber-risk management and cyber-crisis management strategies will be able to achieve systematic cyber preparedness and resilience. Vital to surviving and thriving in our tumultuous times.
It is no longer good enough to hope for the best or to ‘acquire' some technical solutions and think of cyber-security as a ‘once and done’ job or something that is optional or siloed. Cyber-security is a multi-system of continuous concern and it's now exacerbated by a global environment of continuous risk and crisis. We are under assault on numerous global fronts – climate, geopolitics, war, infectious disease, humanitarian crises and, yes, cyber and disinformation.
How is the Forum tackling global cybersecurity challenges?
For situational awareness, it is key for businesses and organizations to understand the moment we are living in and the five megatrends that are affecting them in both predictable and unpredictable ways, opening them up to cyber exposure. These trends, more deeply explored in The ESGT Megatrends Manual 2022-2023, are:
1. Geopolitical tectonic shifts catalyzing
2. Climate and war propelling complex risk
3. Technological disruption becoming multidimensional
4. Stakeholder capitalism and ESG intertwining
5. Leadership and institutional trust recalibrating
As the impact of these megatrends squeezes all manner of entities – corporate, social and governmental – a much greater situational awareness that systematically includes a cyber resilience strategy must be the top priority for organizations. Let’s start with a review of where we are:
The geopolitical context of cyber resilience
Since Putin’s invasion of Ukraine in February 2022, several major tectonic geopolitical changes have catalysed, not the least of which is how global democracies have upped their game on cybersecurity collaboration both inter-governmentally, as well as in private/public operational collaboration and in the overall sense of unity that NATO and the EU, for example, have experienced.
The fact that no major cyber-attack, along the lines of Not Petya or Colonial Pipeline, has transpired, however, has the danger of lulling business leaders into a sense of complacency that (a) war-related cyber-attacks will not happen because Western nations have it ‘under control’ or (b) the Russians are too distracted or unable to execute high-impact attacks.
Neither is true. Indeed, several cyber-attack trackers prove otherwise – as this one from The Council on Foreign Relations and this one from the Cyber Peace Institute show.
Moreover, several important developments have taken place that demonstrate that business needs to adopt several critical cyber-systems as part of a continuous strategy of cyber and organizational resilience. This means that:
- Cyber warfare should be thought of more broadly as including information and disinformation warfare.
- Businesses operating in or with Russia will remain prime targets for the rise in hacktivists and anonymous cyber actors taking the side of Ukraine against Russia.
- Businesses should be wary of official and unofficial allies of Russia (China, North Korea, hacker groups, etc) who might take advantage to assist the Russian side of this equation against the loose coalition of democratic nations and multilateral alliances assisting Ukraine.
- Businesses outside of Ukraine, Belarus and Russia may not have experienced major cyber disruptions relating to the Ukraine war yet, but businesses anywhere should brace themselves for disruptions to essential government and business services in the energy, transportation, and financial sectors.
- The role of economic sanctions against Russia may play into the underlying cyber-warfare in ways that are predictable and unpredictable, making businesses on the front lines of implementing some of these sanctions particularly vulnerable.
Four business cyber-system imperatives
In the face of this continuous risk and crisis environment, it is imperative that businesses build overall organizational resilience with the eight elements of the Virtuous Resilience Lifecycle Model shown in the figure below.
Building on our work on cyber-organizational resilience and that of the World Economic Forum, NACD and Internet Security Alliance, below is a depiction followed by a description of the four necessary cyber-systems needed to build overall organizational resilience. Companies that get it, get the best chance at organizational cyber-resilience and surviving and even thriving through the global storm.
1. Systematic cyber risk governance
Systematic cyber risk governance needs to be a core part of the board’s work. Keeping cyber-security on the agenda of the board and the c-suite with at least quarterly updates is a must in this environment. The figure below summarizes how the board must be the driver of cyber-risk governance, always coordinating with the c-suite for strategy and with frontline cyber-managers for implementation.
2. Systematic cyber hygiene culture
This is the second system-wide element that must be omnipresent in an organization beginning with a systematic and intelligent approach to personnel cyber-hygiene education. A critical part of this system-wide culture is to have a set of coordinated, deliberately constructed and synchronous IT systems designed for coordinated information security measures at every level - network and cloud – as well as for prevention, detection and auditing.
3. Systematic cyber risk management
As many experts have pointed out, cyber risk is a business risk and must be part of an enterprise risk management (ERM) system. See the figure below. This is the only way to produce useful and consistent cyber metrics that are part of ERM and cyber-specific dashboards and reports that go to the c-suite and the board. Such metrics are increasingly required for outside stakeholders, such as regulators, too.
4. Systematic cyber crisis management
This means making sure that the nuances and bells and whistles of possible cyber exposure are considered in the creation, development, revision and implementation of organizational crisis management teams and plans, business continuity strategies and tactics and data protection and backup considerations. The figure below suggests that for cyber risks and crises (as for others of significant impact and import), cross-functional teams of internal and external experts need to work in close coordination before, during and after the crisis event.
Also read about the biggest risks facing the world from 2023's Global Risks Report.
Don't miss any update on this topic
Create a free account and access your personalized content collection with our latest publications and analyses.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
Stay up to date:
Cybercrime
Forum Stories newsletter
Bringing you weekly curated insights and analysis on the global issues that matter.
More on CybersecuritySee all
Kate Whiting
December 12, 2024