A majority of cyber and business leaders believe that a systemic cybersecurity event will likely occur within the next two years, according to a new report by the World Economic Forum discussed at Davos this week.
The report, published by WEF in partnership with Accenture and conducted by a group of information security researchers, says geopolitical instability has increased the risk of a systemic cybersecurity event and has made managing cyber risk more challenging and volatile for companies, governments and citizens.
In January 2023, researchers announced they discovered vulnerabilities in common software used in private cars and other vehicles. These vulnerabilities, if exploited, could have allowed attackers to remotely track and control fleets of cars, including emergency vehicles.
Ethical car hackers worked together with the affected companies, and these vulnerabilities have been patched. However, this incident serves as a reminder of the potential consequences of exploiting security vulnerabilities. In early 2022, an attack on Ukrainian military communications accidentally knocked out electricity-producing wind farms across central Europe.
These examples illustrate the rapid propagation of cyber attacks across systems, the collateral damage that can occur to organisations beyond the intended targets, and the large economic and societal impacts that can result from a systemic cybersecurity event. The report concludes that organisations that integrate cyber risk management into their decision-making processes are more likely to have high levels of cyber resilience.
“More resources are being thrown at cybercrime campaigns by criminal groups,” says Derek Manky, Chief Security Strategist and Vice-President, Global Threat Intelligence, Fortinet. “There’s a sense that cybercrime is converging with nation-state actors and that this is leading to a higher number of new campaigns being launched as well as attacks that are more clearly tailored to the target organisation.”
Cybersecurity influencing government decisions
The report reveals that most cyber and business leaders believe global geopolitical instability will lead to a catastrophic cybersecurity event in the next two years. The Global Cybersecurity Outlook 2023 report surveyed leaders across different sectors and sizes of organisations and found that 93 per cent of cyber leaders and 86 per cent of business leaders think it is “moderately likely” or “very likely” that a far-reaching cybersecurity event will occur in the next two years.
Geopolitical instability has had a significant impact on cybersecurity strategy, with 50 per cent of respondents stating that cyber risk was a factor in re-evaluating the countries with which they do business. Additionally, cybersecurity is increasingly influencing government decisions on which companies to interact with, which can have knock-on effects across the private sector.
Respondents who reported successful changes in their cybersecurity strategy also said they had organisational structures in place that supported interaction between cyber leaders and business leaders across functions and boards of directors. These structures encouraged collaboration on digital resilience across business activities.
The report also found that organisational leadership is beginning to pay more attention to the concerns of cyber leaders. More than 39 per cent of leaders surveyed agreed that “cybersecurity is a key business enabler”, and most business and cyber leaders agree that incorporating cyber-resilience governance into their business strategy is one of the most impactful principles when it comes to cyber resilience.
Regulation incentivises much-needed cybersecurity action
Compared to 2022, cyber executives are now more likely to see data privacy laws and cybersecurity regulations as effective tools for reducing cyber risks across a sector. This is a notable shift in perception from the 2022 Outlook report. Despite the challenges associated with compliance within each organisation, cyber leaders acknowledged that regulation incentivises much-needed action on cybersecurity across a sector.
“Boards’ understanding of their responsibility and duty of care has improved,” one executive interviewed for the Global Cyber Outlook report explained. “In larger or regulated firms, this awareness has been helped by the interlocking committees that give several board members quite a bit of exposure to questions of digital transformation, information security, business continuity and cyber resilience.”
The study revealed that board-level executives struggle to effectively assess and understand the information provided by their cybersecurity teams, hindering the organisation's ability to protect against cyber threats. It also suggests that for organisations to effectively address cybersecurity risks, both cybersecurity and business leaders must learn to better translate cyber risks into enterprise risks and develop the appropriate operational and tactical measures to mitigate those risks.
Additionally, the study recommends that boards of directors play a more active role in understanding their organisation's assets and processes that need to be prioritised for protection, and holding themselves accountable for these priorities.