“The failure to understand and address risks related to technology, primarily the systemic cascading effects of cyber risks or the breakdown of critical information infrastructure, could have far-reaching consequences for national economies, economic sectors and global enterprises.” – World Economic Forum’s “The Global Risks Report 2016”
The World Economic Forum (WEF) published “The Global Risks Report 2016” on Jan. 14, 2016, a week before the annual iteration of its famed Davos conference, which begins today. Here are some of the key findings from the report as related to cyber risks and cyber resilience.
Cyber Risks Remain a Major Concern
The report provides ongoing evidence that cyber risks are top of mind for business leaders globally. This is not only evident in the number of countries that have selected cyber-related risks as one of their top concerns, but is also evident in the report’s phrasing of the cyber risk reality: “The internet has opened a new frontier in warfare: Everything is networked and anything networked can be hacked.”
One of the major findings of the report is that, for the U.S. market, the risk of cyberattacks was listed as the top risk. In accompanying press releases, the WEF indicated that the top risk for business leaders was cyberattacks in at least seven other countries, including Japan, Germany, Switzerland and Singapore.
Cyberattacks were also listed in the top five risks in 27 world economies. However, from a global risk perspective, cyberattacks are not featured on the top five global risks, whereas they were in fourth place in 2012 and in fifth place in 2014.
The report pointed to increasing dependency on cyber as an area of potential future risks: “Cases have been rising in both frequency and scale. They have so far been isolated, concerning mostly a single entity or country, but as the Internet of Things (IoT) leads to more connections between people and machines, cyber dependency — considered by survey respondents as the third most important global trend — will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem. As a result, an entity’s risk is increasingly tied to that of other entities.”
IT’s Stature Is Increasing
The report warned that while organizations see the value that IT can bring, they “may not be fully internalizing cybersecurity risks and making the appropriate level of investment to enhance operational risk management and strengthen organizational resilience.” It further warned, “Every future conflict will have a cyber element, and some may be fought entirely in cyberspace.”
That prospect is daunting to those tasked with cybersecurity. “Given that attack is easier than defense in cyberspace, this will dramatically change how the entire security apparatus prepares for potential breaches. Physical distance no longer offers protection; many technologies are dual-use; much critical infrastructure is privately owned; and attacks are easy to disguise given the challenges of attribution.”
Finally, the report criticized the current state of ownership and collaboration around cyber risks within organizations. “Although CEOs worry about rising cyber risks, the ownership of and responsibility for the cyber risk is less clear,” the report stated. “Who in the corporation is the actual owner of the risk? While there are many C-level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management. Defining clear roles and responsibilities for cyber risk is crucial.”
The World Economic Forum Asks Companies to Get on Board
As far back as 2012, the WEF started an initiative to get business leaders thinking about and engaged with cyber resilience. In its “Partnering for Cyber Resilience” paper, the WEF defined cyber resilience as “the ability of systems and organizations to withstand cyber events, measured by the combination of mean time to failure and mean time to recovery.”
The paper also contained a five-stage maturity model for cyber resilience. Organizations are categorized as one of the following with regard to how they approach cyber risks:
- Unaware
- Fragmented
- Top down
- Pervasive
- Networked
The WEF asked executives to adopt four key principles in their efforts to address cyber risks. These were further detailed in a follow-up paper titled “Risk and Responsibility in a Hyperconnected World: Pathways to Global Cyber Resilience.” The four principles are:
- Recognition of interdependence: All parties have a role in fostering a resilient shared digital space.
- Role of leadership: Encourage executive-level awareness and leadership of cyber risk management.
- Integrated risk management: Develop a practical and effective implementation program.
- Promote uptake: Where appropriate, encourage suppliers and customers to develop a similar level of awareness and commitment.
In all, “The Global Risks Report 2016” provided business leaders with an unmistakable warning about the need to manage and govern cyber risks and start addressing organizations’ cyber resilience. At stake are the organization’s assets and reputation.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato