The World Economic Forum (WEF), which met virtually in January 2022, warned of the increasing global risks from cybersecurity failures. The WEF’s 17th annual Global Risks Report cites the world’s growing dependency on digital systems as fundamentally changing societies. It is a trend that has been intensified by the Covid19 pandemic.
The WEF report notes that at the same time as the world’s digital dependency increases, cyber threats are growing too. Worryingly it states that such risks are “outpacing societies’ ability to prevent or respond to them effectively”.
Cyber-crimes such as online fraud, identity theft and ransom attacks have grown in number and mutated rapidly over the last decade. These attacks can be expensive and sometimes catastrophic for individuals and organisations. But, how much greater will the risks be if state-sponsored actors or governments wage cyber warfare?
The battlegrounds of the future and how to prepare
All organisations need to assess their cybersecurity risks and respond according to the particular level of threat they face. There are a range of threat vectors, from state actors to ‘common criminals’.
Government has a key part to play in the overall protection of both individual nations and in protecting the global economy from these threats:
- It must ensure that the protection of a nation’s critical infrastructure – physical and digital – is maintained
- It must ensure legislation is in place and enforced so that all organisations that hold data to do business protect it and the systems using that data. Third parties, like citizens, customers and patients, whose data is held, must be protected from its loss. In addition, investors in public companies must be protected from loss of shareholder value if a business is attacked
- Vendors of technology and service providers building solutions should be required to ensure security by design.
The UK government has a range of GDS (Government Digital Service) standards. They are mandated for organisations delivering to the public sector. All organisations, whatever the sector, should also ask their suppliers to meet these standards.
Is enough being done to enforce the law?
Unfortunately, UK law enforcement is not yet fully addressing the increasing challenges of cyber-crime and cyber-enabled crime. Action Fraud, the UK’s national reporting centre for fraud and cyber-crime, shows that there were 446,699 cases of such fraud over the last 13 months. While important steps are being made, the statistics of crimes reported on Action Fraud leading to convictions are very poor.
The military response is more robust. In 2018, the Army folded electronic warfare personnel into the cyber branch. It has converged around an emerging concept termed CEMA (Cyber and Electromagnetic Activities). The new CEMA capabilities being deployed and an indication of how we will provide both offensive and defensive cybersecurity are explained here. The requirements needed are described in this paper.
The key need is to ensure that the National Cyber Force comprises a strong Reserve Forces group. Its day job is to protect British industry using the skills acquired through their Reserve Forces training. This is because state actors can now combine multiple threat vectors from online misinformation campaigns, false flag operations and funded non-attributable para militaries. Combined with traditional kinetic weapons of bullets, bombs, tanks, missiles and even WMD, these increase risk.
The changing face of warfare
In the last century, Field Marshal Montgomery asserted that only infantry could hold ground. In this century, will future wars be waged primarily in the digital world, with the potential results being even more wide-ranging and crippling?
The Ukraine conflict shows us how the traditional all-arms model of infantry, artillery and tanks of WW1 has now evolved to include electronic warfare, information superiority and cybersecurity. The 2022 WEF report says, “already-sharp tensions between governments impacted by cyber-crime and governments complicit in their commission will rise as cybersecurity becomes another wedge for divergence, rather than cooperation, among nation-states.”
The implications of digital dependency
Let’s return to the perspective of Western businesses and risk management, whether from a state actor or criminal organisation. Businesses might have seen cyber-crime as a threat directly to their organisation and taken protective measures accordingly.
However, cyber security cannot be a tick-box, one-off activity that is thought of as complete. It has to be an ongoing programme which runs 24/7. It is important to have a cybersecurity tool which can structure, drive and document your activities. Workflows and automatic reminders will keep employees up to date with what they need to do and ensure security tasks are completed and logged.
All types of systems, infrastructure and entry points must be addressed. Outward-facing ecommerce systems such as online retail are obvious ways into a business. Therefore, organisations cannot forget the key systems of record which keep them up and running and in business day-to-day.
Business-critical systems such as accounting, payroll and manufacturing are often considered legacy IT. But if they are attacked, the results can be catastrophic. It comes at a time when more employees are accessing such solutions from home rather than in a secure work environment.
Organisations must remain vigilant for their own security. However, the WEF Risks Report highlights that now the focus needs to widen. It is time to look at how resilient your organisation will be if your supply chain is disrupted or national infrastructure is attacked.
What are the new key risks in this rapidly changing geo-political environment? Is it better or worse from a security perspective to have some or all of your systems running in the cloud? Is your key data held offshore – if so, where? Is your global supply chain secure and are there obvious points of threat and failure? What plans are in place if one or more of these points did fail?
Protect your data assets
The development of data analytics tools over the last decade has seen people start to talk about data as the new oil. That is to say, the vital resource that keeps businesses running and as such, it is a highly valued asset.
The current crisis in Ukraine and its global repercussions highlight other similarities between data and oil. Data is what powers today’s economy. Organisations need to protect it and look at building resilience and alternatives.
When did you last review and test your backup and recovery plans? Has your systems environment changed since those plans were made? Are all places where data is generated and held known and covered by recovery plans, especially now that more employees are working remotely?
Recent years have witnessed significant shocks to the global economy. These should serve as a warning to businesses of all sizes that they must look again at the major risks they face and how they are changing. As the WEF has highlighted, cyber threats are near the top of organisations’ short-and medium-term risks. Now is the time to act with a review of your organisation’s risk and resilience.