As heads of state and CEOs of the world’s largest companies were heading to the World Economic Forum’s annual meeting in Davos, the UK’s Royal Mail was dealing with the fallout of a cyber attack: a crucial part of the UK’s critical infrastructure was suddenly left unable to send mail outside the British Isles.
A hacking group called LockBit took credit for the attack and boasted that it had also compromised some 40 organizations, from a private school in Malaysia to a dental group in Sydney.
Leaders attending the Forum were told to steel themselves for more and potentially worse attacks. The buzzword at Davos this year was “polycrisis,” a catch-all term for the ongoing war in Ukraine, economic headwinds, and food and energy crises. The resulting geopolitical instability is exacerbating the risk of catastrophic cyberattacks, according to the Global Cybersecurity Outlook 2023 report, which was launched at the Forum’s annual meeting, which took place January 16 to 20. Over 93% of cybersecurity experts and 86% of business leaders believe “a far-reaching, catastrophic cyber event is likely in the next two years,” according to the report.
Breakdown of critical information infrastructure is a real risk because cyber attacks threaten every industry and act as a threat multiplier, Akshay Joshi, Head of Industry and Partnerships for the Forum’s Centre for Cybersecurity, said in an interview with The Innovator in Davos.
In the past few years ransomware attacks have shut down a gas pipeline and a major meat producer. Today such attacks would create even more disruption due to the strained environment caused by the energy and food crises.
Despite the ongoing threat, safety protocols lag far behind the escalating cost to the global economy caused by cyber attacks, which is predicted to rise from $8.44 trillion in 2022 to $23.84 trillion by 2027.
The State of the Connected World, another report released during the annual meeting, focused on vulnerabilities introduced by connected devices and called for action to improve individual security and protect small and medium-sized businesses, transit systems, utilities and everything that relies on connected devices.
The good news is that companies of all sizes are starting to take cybersecurity more seriously and the Forum is creating bridges between the public and private sectors to combat cyber crime, says Joshi. “Geopolitical instability has made companies more aware of cyber risks, so we are starting to see some good practices emerge as a consequence,” he says.
While last year 92% of business leaders said cybersecurity was integrated into their enterprise risk management, only 55% of cyber leaders agreed. This year the figures are 91% and 93%, proof that things are moving in the right direction, says Joshi.
During the annual meeting the Forum launched the Cyber Crime ATLAS, a collaborative research project focused on the joint mapping of cyber crime, which gathers and collates information about the cyber criminal ecosystem and major threat actors. The objective is to facilitate cooperation between companies and law enforcement and create a shared knowledge base, in order to disrupt cyber crime and empower legal authorities in investigations, takedowns, prosecutions, and convictions.
It is important to build bridges between law enforcement and private sector companies in the preparation phase because “when companies have an incident it is not a good time to start exchanging business cards,” he says.
Attendees at the annual meeting included the director of the U.S.’s Federal Bureau of Investigation, the Secretary General of Interpol, and the head of Europol.
The Forum’s Centre for Cybersecurity includes 150 organizations, around 100 of them from the private sector, ranging from large organizations across sectors to young, innovative cybersecurity companies such as SecurityScorecard (see The Innovator’s Startup Of The Week article) and Dragos. Members also include the heads of national cybersecurity agencies, universities and various cybersecurity alliances such as the Cyber Threat Alliance.
The center’s roadmap for 2023 includes helping the oil and gas sector to become more resilient by protecting its operational technology. And, during the annual meeting the Forum held a private meeting between the manufacturing sector and cybersecurity leaders to determine how to best create cyber resilience in that sector as “it is one of the most targeted sectors in the world,” Joshi said.
The Forum also plans to work this year with a group of eleven organizations to strengthen the electricity sector’s cyber resilience.
As part of its 2023 roadmap the Forum’s center will also look at the role of regulations in cybersecurity. “A lot of leaders have confidence in regulations and the role that they can play but it is equally important to make sure to apply these regulations in a way that is easy for business,” he says. One example is that the number of hours after a cyber incident that companies are required to report it differs from country to country, complicating life for multinationals.
Training cyber talent is also a top priority, says Joshi. Some 34% of cybersecurity experts said they lacked some skills in their team, with 14% saying they lacked critical skills. The problem is more pronounced in key sectors such as energy utilities, where nearly 25% of cybersecurity experts said they lacked the necessary critical skills to protect their organizations’ operations. Several successful cybersecurity skills programs are under way around the world, but many have difficulty scaling to large numbers. Greater cross-industry and public-private collaboration is needed to overcome this, says the Global Cybersecurity Outlook report, which was prepared in cooperation with Accenture.