2022 was a tough year for corporate security: the war between Russia and Ukraine emboldened cybercriminals, and ransomware-as-a-service began to flourish. Unfortunately, the Global Cybersecurity Outlook 2023 from the World Economic Forum (WEF) and Accenture expects the threat landscape to worsen further.
Research from WEF and Accenture found that 86% of business leaders and 93% of cyber leaders believe global geopolitical instability is likely to lead to a catastrophic cyber event in the next two years.
In addition, the report found that geopolitical uncertainty has forced organizations to adjust their investments, with 49% of corporate and cyber leaders saying they would “re-evaluate the countries in which their organization does business” in response to geopolitical risk.
On a more positive note, the study also found that organizations that integrate cyber risk into the decision-making process are more confident in their cyber resilience and better able to recover from cyber attacks.
Geopolitical conflicts provide an opportunity to start the conversation about risk
While it remains to be seen whether these predictions of a catastrophic cyberattack materialize, there have been a number of high-profile breaches in recent years that were severe enough to be considered catastrophic.
One of the most infamous happened in 2020: the SolarWinds supply chain attack resulted in the compromise of 100 companies and nine federal agencies. Likewise, in 2021 the Colonial Pipeline ransomware attack forced the organization to shut down 5,500 miles of pipeline.
As the war between Russia and Ukraine continues, the report finds that geopolitical risk is “a starting point for the broader conversation between security leaders and business executives about how cyber threats are changing,” and how risk can impact business continuity planning.
Having that conversation is critical to mitigating the risk of emerging cyberthreats. How those threats will manifest themselves is up for debate, but John France, CISO of (ISC)², argues that an ICS/OT compromise is the most likely path to a major cyber event.
“I think we will see a major event next year, and it will be one in the field of ICS/OT technologies. Due to longevity, lack of built-in security (in many cases due to age), and difficulty to patch, in mission-critical areas, an attack in this space would have huge consequences that will be felt,” France said.
“So I somewhat agree with the hypothesis of the report and the survey contributors. You could already say that we have seen a moderate attack with the British Royal Mail, where ransomware stopped the sending of international packages for a week or more,” France said.
France argues that organizations can insulate themselves against these threats by devoting more resources to defensive measures and by treating cybersecurity as a governance issue.
Key steps include implementing incident response measures, training employees on how to respond, implementing recovery plans, planning for supply chain instability, and identifying alternative suppliers that can provide critical services in the event of a failure.
A gap between cyber risk awareness and action
Another important finding from the report is that in many organizations there is a gap between being aware of cyber threats and implementing the necessary measures to mitigate these risks.
For example, while 86% of business leaders believe a catastrophic cyber event will occur within the next two years, and 43% believe an attack will hit their organization within the next two years, only 27% believe their organizations are cyber-resilient.
“This is like saying you’re pretty sure your house is going to be flooded and there will be significant damage, but you’re pretty sure you’re not prepared for it,” said Paolo Dal Sin, senior managing director and Accenture Security lead.
As a result, security leaders need to improve internal communication with the board if they want to implement cyber risk management into top-down decision-making. One way to improve communication is to become better at translating risk into business outcomes.
“Business leaders know they need to do more to embed cyber risk into decision making because cyber resilience equates to business resilience. It requires a closely coordinated team effort within the C-suite to gain a clearer picture of current and emerging risks so that security can be embedded into all strategic business priorities and protect digital code,” said Dal Sin.
Retraining is the answer to the cyber skills gap
Finally, the report describes ways organizations can work to close the cyber skills gap. This comes down to making better use of both generalists and specialists to secure the environment.
“People think that cybersecurity is something that is very technical. Yes, some roles require deep technical expertise, but cybersecurity is a huge domain and making an organization cyber-resilient also requires generalist roles requiring a broader range of skills from education and awareness to policy writing, governance and others. We need more people in both the technical and generalist roles,” said Bobby Ford, senior vice president and chief security officer, Hewlett Packard Enterprise.
Rather than competing for a small cross-section of highly-skilled cybersecurity experts in high demand, organizations should seek to increase the flow of cybersecurity talent into the workforce by expanding the talent pool.
In practical terms, the report proposes that organizations “broaden the narrative of who can work in cybersecurity”. This means enabling and/or training people with non-technical backgrounds, people outside the formal education system, and people from under-represented groups, opening the door to retraining through work-based learning or apprenticeships.