Leaders anticipate cyber-catastrophe in 2023, report World Economic Forum, Accenture  

2022 was a difficult year for enterprise security, with the Russia-Ukraine war emboldening cybercriminals and ransomware-as-a-service beginning to thrive. Unfortunately, the Global Cyber Security Outlook 2023 from the World Economic Forum (WEF) and Accenture anticipates that the threat landscape could be getting worse.

WEF’s and Accenture’s research found that 86% of business leaders and 93% of cyberleaders believe that global geopolitical instability is likely to lead to a catastrophic cyberevent in the next two years. 

In addition, the report found that geopolitical uncertainty was forcing organizations to adjust where they invest, with 49% of business leaders and cyberleaders claiming they would “re-evaluate the countries in which their organization does business” in response to geopolitical risk. 

On a more positive note, the study also found that organizations that embed cyber-risk into the decision-making process are more confident in their cyber-resilience and better able to recover from cyberattacks. 

Geopolitical conflict will provide an opportunity to start the conversation about risk 

While it remains to be seen whether these predictions of a catastrophic cyberattack will come to fruition, there have been a number of high-profile breaches over the past few years with enough momentum to be considered catastrophic.

One of the most notorious occurred in 2020. The SolarWinds supply chain attack resulted in the compromise of 100 companies and nine federal agencies. Likewise, in 2021, the Colonial Pipeline ransomware attack forced the organization to shut down 5,500 miles of pipelines. 

With the Russia-Ukraine war continuing, the report finds that geopolitical risk “is an entry point for the wider conversation between security leaders and business leaders on how cyberthreats are changing,” and how risk can impact business continuity planning.

Having that conversation is critical for mitigating the risk created by emerging cyberthreats. How those threats will manifest is up to debate, but John France, CISO of (ISC)2, argues ICS/OT compromise is the most likely avenue for a large cyberevent.

“I think we may see a significant event in the next year, and it will be one in the ICS/OT technologies space. Due to long life, lack of security by design (due in many cases to age) and difficulty to patch, in mission critical areas — an attack in this space would have immense effects that will be felt,” France said. 

“So I somewhat agree with the hypothesis of the report and the contributors to the survey. You could already argue that we have seen a moderate attack with UK Royal Mail, where ransomware stopped the sending of international parcels for a week or more,” France said. 

France argues that organizations can insulate themselves from these threats by putting more resources into defensive measures and by treating cybersecurity as a board issue. 

Key steps include Implementing responsive measures, providing employees with exercises on how to react, implementing recovery plans, planning for supply chain instability and looking for alternative vendors who can provide critical services in the event of a disruption. 

A gap between cyber-risk awareness and action 

Another key finding from the report is that in many organizations, there is a gap between awareness of cyberthreats and implementing the necessary actions to mitigate these risks. 

For instance, while 86% of business leaders believe there will be a catastrophic cyberevent in the next two years, and 43% believe an attack will affect their organization in the next two years, only 27% believe their organizations are cyber-resilient.

“This is like saying you are fairly certain water will flood your house and there will be significant damage, but you are pretty sure you are not prepared for it,” said Paolo Dal Sin, senior managing director, Accenture security lead. 

As a result, security leaders need to enhance internal communication with the board if they want to implement cyber-risk management into top-down decision making. One way to improve communication is to get better at translating risk into business outcomes.

“Business leaders know they have to do more to embed cyber-risk into decision-making because cyber-resilience equals business resilience. It requires a closely coordinated team effort across the C-suite to gain a clearer view of current and emerging risks so security can be embedded across all the strategic business priorities and protect the digital code,” Dal Sin said.

Retraining is the answer to the cyberskills gap

Finally, the report prescribes ways that organizations can work to fix the cyberskills gap. This comes down to better using generalists as well as specialists to secure the environment. 

“People think that cybersecurity is something that’s highly technical. Yes, some roles require deep technical expertise, but cybersecurity is a vast domain and making an organization cyber-resilient also requires generalist roles that need a broader skill set, from education and awareness to policy writing, governance and others. We need more people in both the technical and generalist roles,” said Bobby Ford, senior vice president and chief security officer, Hewlett Packard Enterprise.

Rather than competing for a small cross-section of highly qualified cybersecurity experts who are in high demand, organizations should look to help increase the flow of cybersecurity talent into the workforce by expanding the talent pool.

In practical terms, the report suggests “broadening the narrative about who can work in cybersecurity.” This means enabling and/or educating people with non-technical backgrounds, as well as those outside the education system and those from underrepresented groups — opening the door to retraining opportunities via learning on the job or through apprenticeships.