“The failure to understand and address risks related to technology, primarily the systemic cascading effects of cyber risks or the breakdown of critical information infrastructure, could have far-reaching consequences for national economies, economic sectors and global enterprises.” – World Economic Forum’s “The Global Risks Report 2016”

The World Economic Forum (WEF) published “The Global Risks Report 2016” on Jan. 14, 2016, a week before the annual iteration of its famed Davos conference, which begins today. Here are some of the key findings from the report as related to cyber risks and cyber resilience.

Cyber Risks Remain a Major Concern

The report provides ongoing evidence that cyber risks are top of mind for business leaders globally. This is not only evident in the number of countries that have selected cyber-related risks as one of their top concerns, but is also evident in the report’s phrasing of the cyber risk reality: “The internet has opened a new frontier in warfare: Everything is networked and anything networked can be hacked.”

One of the major findings of the report is that, for the U.S. market, the risk of cyberattacks was listed as the top risk. In accompanying press releases, the WEF indicated that the top risk for business leaders was cyberattacks in at least seven other countries, including Japan, Germany, Switzerland and Singapore.

Cyberattacks were also listed in the top five risks in 27 world economies. However, from a global risk perspective, cyberattacks are not featured on the top five global risks, whereas they were in fourth place in 2012 and in fifth place in 2014.

The report pointed to increasing dependency on cyber as an area of potential future risks: “Cases have been rising in both frequency and scale. They have so far been isolated, concerning mostly a single entity or country, but as the Internet of Things (IoT) leads to more connections between people and machines, cyber dependency — considered by survey respondents as the third most important global trend — will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem. As a result, an entity’s risk is increasingly tied to that of other entities.”

IT’s Stature Is Increasing

The report warned that while organizations see the value that IT can bring, they “may not be fully internalizing cybersecurity risks and making the appropriate level of investment to enhance operational risk management and strengthen organizational resilience.” It further warned, “Every future conflict will have a cyber element, and some may be fought entirely in cyberspace.”

That prospect is daunting to those tasked with cybersecurity. “Given that attack is easier than defense in cyberspace, this will dramatically change how the entire security apparatus prepares for potential breaches. Physical distance no longer offers protection; many technologies are dual-use; much critical infrastructure is privately owned; and attacks are easy to disguise given the challenges of attribution.”

Finally, the report criticized the current state of ownership and collaboration around cyber risks within organizations. “Although CEOs worry about rising cyber risks, the ownership of and responsibility for the cyber risk is less clear,” the report stated. “Who in the corporation is the actual owner of the risk? While there are many C-level owners (CISO, CFO, CEO, CRO, Risk Management), each of these owners has differing but related interests and unfortunately often does not integrate risk or effectively collaborate on its management. Defining clear roles and responsibilities for cyber risk is crucial.”

The World Economic Forum Asks Companies to Get on Board

As far back as 2012, the WEF started an initiative to get business leaders thinking about and engaged with cyber resilience. In its “Partnering for Cyber Resilience” paper, the WEF defined cyber resilience as “the ability of systems and organizations to withstand cyber events, measured by the combination of mean time to failure and mean time to recovery.”

The paper also contained a five-stage maturity model for cyber resilience. Organizations are categorized as one of the following with regard to how they approach cyber risks:

  1. Unaware
  2. Fragmented
  3. Top down
  4. Pervasive
  5. Networked

The WEF asked executives to adopt four key principles in their efforts to address cyber risks. These were further detailed in a follow-up paper titled “Risk and Responsibility in a Hyperconnected World: Pathways to Global Cyber Resilience.” The four principles are:

  1. Recognition of interdependence: All parties have a role in fostering a resilient shared digital space.
  2. Role of leadership: Encourage executive-level awareness and leadership of cyber risk management.
  3. Integrated risk management: Develop a practical and effective implementation program.
  4. Promote uptake: Where appropriate, encourage suppliers and customers to develop a similar level of awareness and commitment.

In all, “The Global Risks Report 2016” provided business leaders with an unmistakable warning about the need to manage and govern cyber risks and start addressing organizations’ cyber resilience. At stake are the organization’s assets and reputation.

More from Risk Management

Did Brazil DSL Modem Attacks Change Device Security?

From 2011 to 2012, millions of Internet users in Brazil fell victim to a massive attack against vulnerable DSL modems. By configuring the modems remotely, attackers could redirect users to malicious domain name system (DNS) servers. Victims trying to visit popular websites (Google, Facebook) were instead directed to imposter sites. These rogue sites then installed malware on victims' computers. According to a report from Kaspersky Lab Expert Fabio Assolini citing statistics from Brazil's Computer Emergency Response Team, the attack ultimately…

How Do You Plan to Celebrate National Computer Security Day?

In October 2022, the world marked the 19th Cybersecurity Awareness Month. October might be over, but employers can still talk about awareness of digital threats. We all have another chance before then: National Computer Security Day. The History of National Computer Security Day The origins of National Computer Security Day trace back to 1988 and the Washington, D.C. chapter of the Association for Computing Machinery’s Special Interest Group on Security, Audit and Control. As noted by National Today, those in…

Worms of Wisdom: How WannaCry Shapes Cybersecurity Today

WannaCry wasn't a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry "ransomworm" hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide. While the discovery of a "kill switch" in the code blunted the spread of the attack and newly…

Why Operational Technology Security Cannot Be Avoided

Operational technology (OT) includes any hardware and software that directly monitors and controls industrial equipment and all its assets, processes and events to detect or initiate a change. Yet despite occupying a critical role in a large number of essential industries, OT security is also uniquely vulnerable to attack. From power grids to nuclear plants, attacks on OT systems have caused devastating work interruptions and physical damage in industries across the globe. In fact, cyberattacks with OT targets have substantially…