Digital Transformation, Cyber Risks Make Cyber Resilience Essential

While global digitalization and interconnectedness have increased dramatically as organizations responded to the COVID-19 pandemic, so have cyber risks, making it essential that organizations develop cyber resilience.

As organizations confront cyber perils, however, there are significant cyber-security perception gaps between organizations' information security executive and their business executives, according to a recent report.

The World Economic Forum's Global Cybersecurity Outlook 2022 report (January 2022), produced in partnership with Accenture, suggests that the gaps are most prominent in three areas.

• Prioritizing cyber in business decisions. While 92 percent of business executives surveyed indicated that cyber resilience is integrated into their organizations' enterprise risk management strategies, only 55 percent of information security leaders agreed with that assessment.
• Gaining leadership support for cyber security. Some 84 percent of survey respondents reported that cyber resilience is considered a business priority in their organization with support and direction from leadership, the World Economic Forum (WEF) report says. But only 68 percent see cyber resilience as a major element of their overall risk management. The result of that misalignment is that many security leaders say they are not consulted in business decisions, leading to less-secure decisions and security issues, according to the report. "This gap between leaders can leave firms vulnerable to attacks as a direct result of incongruous security priorities and policies," the report says.
• Recruiting and retaining cyber-security talent. The WEF survey found 59 percent of respondents indicating they would find it challenging to respond to a cyber-security incident due to a shortage of skills. "While the majority of respondents ranked talent recruitment and retention as their most challenging aspect, business executives appear less acutely aware of the gaps than their security-focused executives, who perceive their ability to respond to an attack with adequate personnel as one of their main vulnerabilities," the report says.

The WEF cyber-security report is based on surveys of more than 120 global cyber leaders.

The survey found a number of factors driving organizations' cyber-security policies, though 81 percent of respondents indicated that digital transformation is the primary factor behind efforts to improve cyber resilience. The report says that as many as 87 percent of executives are planning to improve their organizations' cyber resilience through stronger resilience policies, processes, and standards for engaging and managing third parties.

The survey also underscored executives' concerns with the ransomware threat. According to the report, 80 percent of cyber leaders emphasized that ransomware is a dangerous and evolving threat to public safety. With ransomware attacks increasing in frequency and sophistication, 50 percent of survey respondents indicated that ransomware is one of their greatest concerns when considering cyber risks.

Social-engineering attacks ranked second among organizations' cyber-risk concerns, followed by malicious insider activity.

The survey found that respondents are concerned about the threat that small and medium-sized enterprises (SMEs) might pose to supply chains, partner networks, and business ecosystems. Among survey participants, 88 percent expressed concerns about the cyber resilience of SMEs in their ecosystem.

To that end, 39 percent of organizations surveyed said they had been affected by a third-party cyber incident in the past 2 years.

Cyber leaders surveyed expressed a desire for clear and productive regulations that would allow and encourage information sharing and collaboration, the report says. More than 90 percent of survey participants report receiving actionable insights from external information sharing groups or partners.

Among the cyber leaders, 42 percent cited infrastructure breakdowns due to cyber attacks as their greatest cyber-security concern, while 24 percent mentioned identity theft, 20 percent ransomware attacks, and 10 percent loss of personal assets after a cyber attack.

Asked what they expect to be the greatest influence on transforming cyber security in the next 2 years, 48 percent mentioned automation and machine learning and 28 percent a remote/hybrid work environment.

The report notes that as organizations' dependence on digital technologies has increased, so has cyber crime. Cyber criminals are becoming more agile, adapting new technologies, and cooperating with one another, the report says. And, ominously, organized crime is engaged in its own digital transformation, according to the report, paying hackers to support criminal activities.

"Europol recently reported that the organized crime groups recruited hackers for phishing, social engineering attacks, SIM swapping, and sending malware to victims to gain control of bank accounts," the report says. "Hiring cyber criminals for service is becoming a widely used and open practice. Additionally, organized crime groups often fold cybercriminals into lawful business operations, further obfuscating visibility between legitimate and criminal actors."

Those "employees" are often located around the world, the report says, adding to the challenge for law enforcement in trying to disrupt their activities.

Cyber criminals can be readily hired on the dark web to engage in a variety of hacking activities, WEF reports, with prices for their services often relatively affordable. While prices vary depending on the nature of the hacking activities required and the victim's profile, an array of services can be assembled for $1,000 or less, according to the report.

Meanwhile, the cost of breaches is high, averaging $3.6 million per incident, the report says, while on average organizations need 280 days to identify and respond to an attack. Breaches can also negatively affect organizations' financial performance, stock prices, and reputations.

The report makes a distinction between cyber security and cyber resilience, defining the latter as "the ability of an organization to transcend (anticipate, withstand, recover from, and adapt to) any stresses, failures, hazards, and threats to its cyber resources within the organization and its ecosystem, such that the organization can confidently pursue its mission, enable its culture, and maintain its desired way of operating."

Creating that cyber resilience and the ability to anticipate and withstand future threats, recover from cyber attacks, and adapt to future digital shocks is crucial, the WEF report suggests.

"This focal shift to cyber resilience will be a crucial development and objective in the next 2 years," the report says. “Cyberattacks are inevitable, and at the core of any future-proof cyber-security strategy stands resilience."