How to Be Prepared in the Age of Cyber Insecurity
As the World Economic Forum (WEF) Annual Meeting in Davos came to a close, two noteworthy reports were released: Global Cybersecurity Outlook 2023 and the Global Risks Report 2023.
Both reports include opinions of and predictions for multiple representatives of the private and public sector. In this post, we’ll dive deeper and examine the current landscape of cybersecurity according to these reports. Additionally, we will enrich the WEF’s findings with the opinions and cybersecurity foresights expressed by Akamai experts at the end of 2022 and the beginning of 2023.
Cyber risk: short-term and long-term concerns
No one needs to be convinced that we are living in a rapidly changing world, in which, as the Global Risks Report (GRR) puts it, “concurrent shocks, deeply interconnected risks and eroding resilience are giving rise to the risk of polycrises — where disparate crises interact such that the overall impact far exceeds the sum of each part.”
Along those lines, the WEF asked the GRR interviewees to rank the top five currently manifesting risks in order of how severe they believe their impact will be on a global level in 2023. The respondents placed cyberattacks on critical infrastructure in the fifth position (after energy supply, cost of living, rising inflation, and food supply).
Further, the GRR ranked global risks by severity over the short term (2 years) and long term (10 years). In the 2023 edition, widespread cybercrime and cyber insecurity was a new entrant to the top rankings and was ranked eighth in both the short-term and long-term lists.
This means that business leaders are aware of the severity and burden of cyber risk. On one hand, the leaders’ awareness is a good signal; on the other hand, the presence of the risk of widespread cybercrime and cyber insecurity in the same high position (8/32) in the long-term rankings (the 10-year perspective) — along with other technological, societal, and geopolitical risks — expressly indicates that it is not easy to eradicate cybercrimes, or even reduce their scale, and addressing them demands time and a planned multilateral approach.
Cyber insecurity: a constant, growing cybersecurity threat
Now, let’s focus on that new word that appears in the report: cyber insecurity. In their book “The Definitive Guide to Thriving on Disruption,” Roger Spitz and Lidia Zuin define cyber insecurity as “the constant and growing cybersecurity threat as a consequence of the world and our existence being entirely digitized.” The more we live, work, and maintain relationships in a digitized manner, the more we’ll experience the consequences.
Technological risk rankings
Here’s a look at the wider panorama of the technological risks in both the 2- and 10-year perspectives presented in the GRR.
In the Table, the WEF designated technological risks in bold. The other risks included in this condensed overview are selected risks (of geopolitical, societal, and economic origin) that are strongly associated with technological risks. The numbers represent their ranking in the top 32.
2-year (short-term) perspective | 10-year (long-term) perspective
---|---
5. Erosion of social cohesion and societal polarization | 7. Erosion of social cohesion and societal polarization
8. **Widespread cybercrime and cyber insecurity** | 8. **Widespread cybercrime and cyber insecurity**
16. Misinformation and disinformation | 11. Misinformation and disinformation
24. **Breakdown of critical information infrastructure** | 16. **Digital power concentration**
28. Proliferation of illicit economic activity | 17. **Breakdown of critical information infrastructure**
29. **Digital power concentration** | 18. **Adverse outcomes of frontier technologies**
30. Terrorist attacks | 29. Proliferation of illicit economic activity
31. **Digital inequality and lack of access to digital services** | 30. **Digital inequality and lack of access to digital services**
32. **Adverse outcomes of frontier technologies** | 32. Terrorist attacks
Table: A condensed overview of technological risks (in bold) and other risks associated with technology
In the short term
In the short term, technological risks appear near (and at) the bottom of the rankings. Digital power concentration, digital inequality and lack of access to digital services, and adverse outcomes of frontier technologies rank as three of the last four risks for the next 2 years (29, 31, and 32 out of 32). And breakdown of critical information infrastructure ranks just a bit higher (24/32).
In the long term
But when we look at a 10-year perspective, the situation changes dramatically. Risk experts predict a tremendous jump in digital power concentration, breakdown of critical information infrastructure, and adverse outcomes of frontier technologies (up from 29, 31, and 32 to 16, 17, and 18, respectively).
When we add those to the high position of widespread cybercrime and cyber insecurity (8), we can see that experts believe that technological risks will play a more and more significant role in the threat landscape as time goes by. This is likely due to the ubiquitous digitalization of our lives, which creates the state of cyber insecurity addressed above.
Only digital inequality and lack of access to digital services lingers near the bottom (30/32) in the 10-year horizon, which I find very puzzling.
Taking a closer look at the technological-adjacent risks in the long-term top 32 can also help us devise strategies on how we can prepare for these approaching demanding times.
More technology, more risk
Lauren Van Wazer, Vice President of Global Public Policy and Regulatory Affairs at Akamai, writes that “in the next decade, we’ll see more technological progress than in the past 100 years,” thereby supporting the results of the GRR survey and its 10-year perspective. She draws our attention to the rapid acceleration of technology and the attendant increase in cyber risk that will result from it.
In fact, one of the key findings from the recent WEF Global Cybersecurity Outlook (GCO) 2023 is that leaders struggle to balance the value of new technology with the potential for increased cyber risk in their organizations.
The GRR states that research and development into emerging technologies will continue over the next decade, supported by state aid and military expenditures as well as by private investment. Outcomes will likely yield tremendous advancements in artificial intelligence (AI), quantum computing, biotechnology, and other technologies.
But cutting-edge technology can deepen inequalities among rich and poor countries, as well as introduce risks for all economies — from widening misinformation, disinformation, and malinformation to unmanageably rapid churn in both blue- and white-collar jobs.
Phishing frenzy: Enter ChatGPT
Dr. Robert Blumofe, Chief Technology Officer and Executive Vice President at Akamai, sketched out the following scenario: as systems like ChatGPT gain access to any writings (emails, social media posts, articles, etc.) by a member, employee, or friend of an organization, they can be used to write a phishing email or SMS that sounds more convincing than ever.
The technology that is so praised by many users nowadays presents a huge opportunity for phishing and other malicious actions. Privacy could also be endangered by such surveillance systems.
As Dr. Blumofe stated in SecurityOpenLab’s Cybersecurity Forecasts for 2023, “Advances in the field of artificial intelligence will lead to a sort of ‘frenzy’ for phishing … continued advances in AI, such as those seen in systems like GPT-3, will make spear phishing more persuasive, scalable, and widespread. Such systems will be able to compose millions of email messages or SMS, each customized for a single recipient and with credible ‘human’ characteristics.”
How many times have you seen an appeal on the internet that asks, “When will you start using ChatGPT to boost your career?” Be warned: Cybercriminals have already started.
Tech that influences cyber risk strategies
Respondents to the GCO 2023 survey said that the following technologies will have the greatest influence on their cyber risk strategies over the next two years:
AI and machine learning (20%)
Greater adoption of cloud technology (19%)
Advances in user identity and access management (15%)
Diversity in the cybersecurity workplace
Lauren Van Wazer notes that the organic evolution of the workplace (like work-from-home and hybrid work arrangements) resulted in unforeseen risks from a cyber resilience perspective. The solutions that she sees for organizations are to:
Incorporate good cybersecurity oversight and governance throughout their operations
Prioritize cyber resilience through governance to ensure they are not overwhelmed by new and emerging cyber threats
Van Wazer emphasizes the importance of diversity in the cybersecurity workplace. She reminds us that the work-from-home model, which was a forced situation during the COVID-19 pandemic, showed many leaders how and where employees can fulfill their duties. It also had the positive effect of many women with families deciding to join, or rejoin, the workforce because of the opportunity to work from home.
Now that the world is turning back toward business as usual, and many entities are encouraging work from the office (or at least hybrid models of work), those women may quit their jobs because of family obligations.
Van Wazer warns, “Return-to-office mandates may force tech professionals to reevaluate their current working situation — a recipe for losing gains in diversity in an industry that is already significantly imbalanced. If organizations are not careful, return-to-office policies can expand the cybersecurity diversity divide.”
A similar key finding of the GCO 2023 is that a key challenge for managing cyber resilience remains talent recruitment and retention. Interviewees see great possibilities in expanding and promoting inclusion and diversity efforts as a solution to increase the supply of cyber professionals. The GCO report emphasizes that “understanding the broad spectrum of skills needed to be cyber resilient in the current cyber landscape can help enable organizations to expand their hiring pools.”
Reporting requirements
In her blog post, Lauren Van Wazer also discusses regulatory issues that should be considered for 2023. She cites such new U.S. regulations as the U.S. Securities and Exchange Commission’s Cyber Incident Reporting for Critical Infrastructure Act of 2022, which (among other things) drew up the rules for cyber incident reporting.
These regulatory issues appear on both sides of the Atlantic. In the European Union, the Digital Operational Resilience Act (DORA), which sets cybersecurity requirements for the financial sector, has already been published and enacted. There’s also the NIS2 Directive, published in December 2022, which imposes numerous obligations on the operators of essential services, including cyber incident reporting.
In search of reasonable regulations
We can see increased activity of regulatory bodies as a response to increasing activity of threat actors. But how do we do this properly so that entrepreneurs are not suffocated by these regulations? So that, in addition to the day-to-day running of their businesses, they actually want to (and know how to) effectively keep their organizations secure, rather than aim primarily to demonstrate compliance during the audit?
According to the GCO 2023, leaders look at regulations increasingly favorably compared with the 2022 survey. Today, cyber leaders are more keen to treat data protection laws and cybersecurity regulations as effective tools for reducing cyber risks across whole sectors. They are aware of all the challenges required by compliance, but still acknowledge regulations as much-needed triggers for action on cybersecurity.
However, Van Wazer correctly raises the issue that the government needs to take a holistic approach to harmonize growing cyber regulations within the United States, and then seek global harmonization; even well-meaning regulations may unintentionally overcomplicate cyber defenses, hinder incident response and mitigation, or inhibit technological advances.
The number of cyberattacks has increased
According to Forbes, 2022 cyberattack statistics show that ransomware alone has cost the world approximately US$20 billion. Experts estimate that this amount will hit US$265 billion by 2031.
This changing landscape is also reflected in the GCO 2023. Experts surveyed by the WEF confirmed that the threat landscape has become increasingly volatile, and professional cybercriminal groups have continued to expand and create a higher volume of new attack types.
One example is the enormous growth in the popularity of ransomware as a service. The cybercriminal groups that provide such services are some of today’s biggest threat actors.
The nature of cyberattacks has changed
The WEF states that the nature of cyberthreats has also changed: Current cyberattackers are more likely to focus on business disruption and reputational damage.
“The ever-increasing intertwining of technologies with the critical functioning of societies is exposing populations to direct domestic threats,” say the authors of the GRR, “including those that seek to shatter societal functioning.”
They predict that attempts to disrupt critical technology-enabled resources and services will become more common. And we will witness more attacks on agriculture and water, financial systems, public security, transport, energy, and communication infrastructures (both space-based and undersea).
Proper organizational structure may fight instability
According to the GCO, 86% of business leaders and 93% of cyber leaders believe global geopolitical instability is moderately or very likely to lead to a catastrophic cyber event in the next two years.
It sounds appalling. So, which (prevention) solution is the best?
The WEF interviewees suggest that proper organizational structure may be the answer: “Organizations [that] embed cyber-risk management across multiple parts of their activities, such as risk management, business continuity planning, finance, product development etc., find it easier to create the space needed to develop strategic responses to changes in the threat environment in order to better protect their assets and make their organization more resilient to cyberattacks when they occur.”
Three security questions to ask yourself
How do you know which level of security your organization is currently on?
Pavel Gurvich, Senior Vice President and General Manager at Akamai Enterprise Security, has proposed 3 Ransomware Questions Every Security Leader Should Be Able to Answer. He advises finding the most comprehensive and frank answers to these three questions:
Do we have ransomware insurance?
What are our crown jewels?
What is our ransomware response plan?
Your answers to these questions, and the quality of the security controls you have in place, will help you understand how far your organization needs to go to be secure against ransomware and other threats.
The obvious next question is: “How do we start that journey?”
The answer: Zero Trust
A Zero Trust approach is the best answer to secure your company in times of cyber insecurity. The crucial principle of Zero Trust is “never trust, always verify.”
As Richard Meeus, Akamai’s Director of Security Technology and Strategy, EMEA, wrote about Zero Trust in December 2022, this approach assumes that “no one person or device on a network is trusted. [It means that] users are given only the access that they require for their task [according to need-to-know principle]. The network is [then] segmented to make it difficult for would-be attackers to move through the network in search of valuable data to steal.”
Meeus describes the improved mode of Zero Trust; that is, the assume-breach approach, which limits the trust in networks, applications, services and devices (both IT and IoT) by treating them as though they are already compromised.
That your organization will at some point be compromised should be a given. Dr. Blumofe asks an additional important question about the next step: “What are you doing to ensure that if malware does get in, that it cannot get to [your] critical assets?” And, again, a Zero Trust approach including microsegmentation is the best answer.
Cyber resilience over cyber response
Who, specifically, should ask themselves those questions posed by Gurvich and Blumofe? And who should answer them? This is a matter of communication between executives and cyber leaders who, at the end of the day, are all working toward the same goal. So it’s crucial for security leaders to present cybersecurity risks in a way that’s easy to translate into business risks.
Let me finish this article in a hopeful and optimistic way.
One of the leaders surveyed for GCO 2023 said, “There is value in providing business leaders with access to cyber-issue information. Business leader roles such as CRO, BoD, and CEO evaluate risks over a long timeframe, and this long-term strategic focus can help [you] … focus less on cyber response and more on cyber resilience.”
This is the key solution for times of cyber insecurity: focus less on cyber response and more on cyber resilience.