Forum Institutional

Here’s how business leaders can prepare for systemic cybersecurity events

Geopolitical instability has increased the risk of a systemic cybersecurity event. Davos 2023

Geopolitical instability has increased the risk of a systemic cybersecurity event. Image: Reuters/Dado Ruvic/Illustration

Paolo Dal Cin
Global Lead, Accenture Security, Accenture
Sean Doyle
Lead, Cybercrime Atlas Initiative, World Economic Forum
Michael Rohrs
Security Consulting Senior Manager, Accenture
This article is part of: World Economic Forum Annual Meeting

Listen to the article

  • Geopolitical instability has increased the risk of a systemic cybersecurity event.
  • A new report shows that 93% of cyber leaders and 86% of business leaders think such an event is likely within the next two years.
  • Leaders who integrate cyber risk management into their organisation’s decision-making processes are more likely to report high levels of cyber resilience.

Geopolitical instability has changed the landscape in which companies, governments and citizens operate, making cyber risk more volatile and difficult to manage. At the same time, organisations are more reliant than ever on shared technical infrastructure and service providers. This increases the likelihood of a cyberattack becoming a ‘systemic cybersecurity event’, characterized by cascading effects across communities, economies, and governments.

In January 2023, a group of information security researchers announced they had found vulnerabilities in common software used in private cars and other vehicles. If exploited, these vulnerabilities could have allowed attackers to remotely track and control fleets of private cars and even emergency vehicles, according to Cyberscoop.

Thanks to the efforts of these ethical car hackers, and a collaborative response from the companies affected, the vulnerabilities in these vehicles have all been patched. But when security vulnerabilities like these are attacked, the results can be unexpectedly disruptive. In early 2022, an attack on Ukrainian military communications that relied on services from the private company Viasat accidentally knocked out electricity producing wind-farms across central Europe.

Loading...

In 2021, a cyberattack on the low-profile IT service provider Kaseya caused Swedish supermarkets to quite literally close their doors. These can also have sometimes catastrophic economic consequences, such as the NotPetya attack in 2017 that caused chaos in international shipping.

Have you read?

Cybersecurity events like this show rapid propagation across systems, collateral damage to organisations beyond the intended targets, risks concentrated at single points of mutual vulnerability, mitigation and response requirements beyond any one organization’s control, and large economic and societal impacts.

More resources are being thrown at cybercrime campaigns by criminal groups. There’s a sense that cybercrime is converging with nation-state actors and that this is leading to a higher number of new campaigns being launched as well as attacks that are more clearly tailored to the target organization.”

Derek Manky, Chief Security Strategist and Vice-President, Global Threat Intelligence, Fortinet

How are leaders responding?

The Global Cybersecurity Outlook 2023 report from the World Economic Forum in partnership with Accenture, reveals that 93% of cyber leaders and 86% of business leaders think it is “moderately likely” or “very likely” that global geopolitical instability will lead to a far-reaching, catastrophic cybersecurity event in the next two years.

Global Cybersecurity Outlook 2023: Most organizations expect geopolitical risks to affect their cybersecurity strategy.
Global Cybersecurity Outlook 2023: Most organizations expect geopolitical risks to affect their cybersecurity strategy. Image: World Economic Forum and Accenture

Most respondents, across all sizes of organizations, told us that geopolitical instability had influenced their cybersecurity strategy. A significant segment (50%) said that cyber risk was a factor in re-evaluating the countries with which they do business. Likewise, cybersecurity is increasingly a factor influencing how governments decide which companies to interact with. These decisions can have knock-on effects across the private sector.

Global Cybersecurity Outlook 2023: Most respondents, across all sizes of organizations, told us that geopolitical instability had influenced their cybersecurity strategy.
Global Cybersecurity Outlook 2023: Most respondents, across all sizes of organizations, told us that geopolitical instability had influenced their cybersecurity strategy. Image: World Economic Forum and Accenture

Cybersecurity strategy is about how your organization makes decisions

Respondents who reported successful changes in their cybersecurity strategy also said they had organizational structures in place that supported interaction among cyber leaders, and business leaders across functions and boards of directors. These structures encouraged collaboration on digital resilience across business activities.

Perhaps because of this mix of geopolitical instability, headline-grabbing cyberattacks and regulators placing more responsibility for cyber risk management directly on boards, organizational leadership has begun to listen to their cybersecurity executives.

The Global Cybersecurity Outlook 2023 shows that the business and security leaders’ perspectives on the importance of cyber risk management are converging. A shared understanding of the benefits of effective cyber risk management is also emerging with more than 39% of leaders surveyed agreeing that “cybersecurity is a key business enabler”.

Most business and cyber leaders agree that incorporating cyber-resilience governance into their business strategy, as recommended in the Forum’s Principles for Board Governance of Cyber Risk, is one of the most impactful principles when it comes to cyber resilience.

Global Cybersecurity Outlook 2023: the business and security leaders’ perspectives on the importance of cyber risk management are converging. Davos 2023
Global Cybersecurity Outlook 2023: the business and security leaders’ perspectives on the importance of cyber risk management are converging. Image: World Economic Forum and Accenture

Regulations have impact

Compared with 2022, cyber executives are now more likely to see data privacy laws and cybersecurity regulations as effective tools for reducing cyber risks across a sector. This is a notable shift in perception from the 2022 Outlook report. Despite the challenges associated with compliance within each organisation, cyber leaders acknowledged that regulation incentivizes much-needed action on cybersecurity across a sector.

Perhaps because of the mix of geopolitical instability, headline-grabbing cybersecurity events and regulators placing more responsibility for cyber risk management directly on boards, organizational leadership has begun to listen to the concerns of cyber leaders.

One executive interviewed for the Global Cyber Outlook report explained: 'Boards’ understanding of their responsibility and duty of care has improved. In larger or regulated firms, this awareness has been helped by the interlocking committees that give several board members quite a bit of exposure to questions of digital transformation, information security, business continuity and cyber resilience.'

Discover

How is the Forum tackling global cybersecurity challenges?

How boards can ask the right questions on cyber

While boards are more aware of cybersecurity than before, many board-level executives struggle to determine which questions are best suited to assessing information provided by their cybersecurity teams. This is an obstacle to making informed and risk-based decisions. Cybersecurity and business leaders must learn to effectively translate their cyber risks into enterprise risk, and into the right operational and tactical measures to mitigate those risks.

Cybersecurity leaders should use less technical jargon when speaking with business leaders. Boards of directors should help cybersecurity leaders understand what assets and processes must be prioritized for protection. Boards should then make themselves accountable for these priorities once they are set because cybersecurity resources are rarely sufficient to effectively defend all parts of an organization all of the time.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Stay up to date:

Tech and Innovation

Related topics:
Forum InstitutionalCybersecurity
Share:
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

3:00

This social enterprise uses basketball to get young people back into school

Here's how to mobilize for Sustainable Development Goal 14 ahead of UN Ocean Conference 2025

About us

Engage with us

  • Sign in
  • Partner with us
  • Become a member
  • Sign up for our press releases
  • Subscribe to our newsletters
  • Contact us

Quick links

Language editions

Privacy Policy & Terms of Service

Sitemap

© 2024 World Economic Forum