4 ways to incorporate cyber resilience in your business

This article is brought to you thanks to the collaboration of The European Sting with the World Economic Forum.

Author: Joe Nocera, Cyber and Privacy Innovation Institute Leader, PwC US

• Cybersecurity is a major concern for all organizations and collaboration is key to effectively tackle this threat.
• A report on Cyber Governance by the World Economic Forum, PwC, the National Association of Corporate Directors, and the Internet Security Alliance looks at how board directors can manage cyber risks.
• Here we explore how companies can accomplish cyber resilience through collaboration.

One goal, one team.

Effective cybersecurity has become a shared responsibility that demands teamwork and an unwavering commitment to internal and external collaboration.

Today, threat actors are targeting organizations and entire industries with increasingly effective cyberattacks. Cybersecurity failure has become a leading threat, according to the World Economic Forum’s Global Risk Report 2022. Businesses agree: 70% of board directors view cybersecurity as a strategic enterprise risk, according to a survey conducted by the National Association of Corporate Directors (NACD).

The ascendant trajectory of cybercrime shows no sign of decline.In fact, 60%of executives forecast that cybercrime will continue to surge in 2022. In particular, respondents expect more attacks on cloud services, ransomware intrusions, and compromises of critical infrastructure. Threat actors are also exploiting dangerous new software vulnerabilities such as the Log4j flaw, which can enable them to remotely execute code on systems and networks. There is also growing unease that geopolitical conflict will likely result in further cyberattacks on critical infrastructure.

In a report published by the World Economic Forum, PwC, the NACD, and the Internet Security Alliance (ISA), we identified six principles that can support board directors in governing cyber-risks:

• Cybersecurity is a strategic business enabler
• Understand the economic drivers and impact of cyber-risk
• Align cyber-risk management with business needs
• Ensure organizational design supports cybersecurity
• Incorporate cybersecurity expertise into board governance
• Encourage systemic resilience and collaboration

In this article, we dive into the sixth principle: encourage systemic resilience and collaboration. Systemic risks require systemic resilience. This requires a decisive dedication to collective effort — and a great deal of individual resilience.

The good news? There are “power moves” you can incorporate to start building resilience in your organization.

Become a cybersecurity team player

Effective cybersecurity comes from the top. The CEO, board, and other senior leaders should champion a cybersecurity culture that fosters collaboration across the company, the industry and with public and private stakeholders.

Creating a culture of security will require everyone’s involvement — the board, C-suite, chief information security officers (CISOs), line of business leaders, and individual employees. You will also need to partner with supply chains, contractors, and other third parties.

Discover

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum’s Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The centre is an independent and impartial platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.

Since its launch, the centre has driven impact throughout the cybersecurity ecosystem:

• Training a new generation of cybersecurity experts
  Salesforce, Fortinet and the Global Cyber Alliance, in partnership with the Forum, are delivering free and globally accessible training through the Cybersecurity Learning Hub.
• Building a global response to cybersecurity risks
  The Forum, in collaboration with the University of Oxford – Oxford Martin School, Palo Alto Networks, Mastercard, KPMG, Europol, European Network and Information Security Agency, and the US National Institute of Standards and Technology, is identifying future global risks from next-generation technology.
• Improving cybersecurity in the aviation industry
  Through the Cyber Resilience in the Aviation Industry initiative, the centre has been improving cyber resilience in aviation in collaboration with Deloitte and more than 50 other companies and international organizations.
• Making the global electricity ecosystem more cyber resilient
  The centre and the Platform for Shaping the Future of Energy, Materials and Infrastructure have been bringing together leaders from more than 50 businesses, governments, civil society and academia to develop a clear and coherent cybersecurity vision for the electricity industry.
• The Council on the Connected World agreed on IoT security requirements for consumer-facing devices to protect them from cybers threats, calling on the world’s biggest manufacturers and vendors to take action for better IoT security.
• The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace, which aims to ensure global digital peace and security.

Contact us for more information on how to get involved.

Given the complexity and stealth of today’s cyber threats, it is likely that boards will need a bit of cybersecurity tutoring. CISOs may need to step in to help senior executives understand threats, potential business impacts and the specific role each executive can play in keeping the company secure.

Awareness doesn’t stop at the C-suite, however. Cybersecurity education should cascade down to every employee and include training, upskilling, and career advancement opportunities.

Educating the board has become urgent thanks to new regulations requiring cyber disclosures. In the US, for example, the Securities and Exchange Commission (SEC) has proposed rules for disclosing material cyber incidents and practices in cyber governance, strategy, and risk management.

The rules may require public companies to disclose details of the board of directors’ oversight of cybersecurity risk and cybersecurity expertise – if any. Disclosures include the processes by which the board is informed about cybersecurity risks and the frequency of its discussions on this topic. A new law requires entities in critical infrastructures to report significant cyber breaches to the Cybersecurity and Infrastructure Security Agency (CISA).

How to make the move

• Allocate more time to security discussions in board or subcommittee meetings
• Provide training for board members to become more cyber-savvy
• Use business language to frame discussions of cyberthreats
• Create plans for effective collaboration
• Confirm performance measures for cybersecurity are aligned for all business executives and not just the CISO

Conduct tabletop exercises and update Business Impact Analysis (BIA)

Security training for employees is essential. But resilience calls for more.

Tabletop exercises, which use simulated attacks to illustrate threat response and decision-making processes, can be an effective way for board members to practice the decision-making required in a cyber crisis. Tabletop exercises can prepare business leaders to confidently — and quickly — take appropriate action when real threats are detected. They can illuminate gaps or weaknesses in current response plans.

Similarly, a business impact analysis (BIA) can help organizations develop more targeted and effective strategies for incident response and business continuity. BIAs prioritize business systems, processes, and interdependencies to focus defence, response, and recovery strategies on the issues that matter most to the business.

How to make the move

• Revisit and update the company’s BIA annually or whenever a major business change occurs
• Leverage the BIA to inform Cyber Resiliency Planning
• Conduct tabletop exercises throughout the year at different levels of the organization (technical, business, C-suite and boards) using different threat scenarios
• Consider including critical third parties like outside counsel and law enforcement in some tabletops

Build relationships with info-sharing groups, law enforcement, and government agencies

If cybercriminals share information on attack techniques and tools — and they do — then why shouldn’t you? Sharing intelligence about cyber threats and responses may be critical to staying ahead of cybercriminals. Companies cannot, single handedly, defend themselves against attacks by powerful hackers.

Critical infrastructure providers, for example, require proactive cooperation and collaboration among governments, cybersecurity groups, industry peers, and organizations to combat geopolitical and nation-state threats.

The practice of cyber-related information-sharing is growing around the world. Today, 84% of global organizations say they participate in public-private information-sharing. Organizations fostering such a culture include the World Economic Forum Centre for Cybersecurity, Interpol, the US CISA, the UK National Cyber Security Centre, and the Open Data Center, where there is global collaboration of over 1,500 governments and organizations.

You should build robust relationships with local, national and global government and law enforcement agencies to promote intelligence sharing. In addition, companies can build ties with nonprofit cybersecurity organizations such as Information Sharing and Analysis Centers (ISACs), some of which offer 24/7 threat warnings, incident reporting capabilities, and networking opportunities.

Sharing requires trust. Organizations are often reluctant to disclose incidents and responses to industry peers and government entities. To create a collective consciousness of cybersecurity, attitudes must change. While private-public collaboration is commonplace — 45% of organizations do so — there is often a reluctance to divulge breached information. That mindset must change.

How to make the move

• Use all available resources, including government agencies, to identify potential threats
• Participate in collaborative groups such as the European Union Agency for Network and Information Security (ENISA), Information Systems Security Association (ISSA International), the Cloud Security Alliance, the Internet Security Alliance, and WiCyS Women in Cybersecurity
• Join information-sharing groups such as the Information Security Forum, the Anti-Phishing Working Group, and ISACs
• Critical infrastructure providers can join organizations such as the European Programme for Critical Infrastructure protection, the Task Force on Critical Infrastructure Protection, and the DHS Cyber Information Sharing and Collaboration Program (CISCP)
• Proactively build relationships with law enforcement and government agencies prior to a breach occurring

Discover

How is the World Economic Forum contributing to a more efficient, resilient, inclusive and equitable financial system?

The World Economic Forum’s Platform for Shaping the Future of Financial and Monetary Systems brings together leaders from the banking sector, the insurance industry and fintechs with regulators and governments to work on five areas: Sustainable Finance and Investments; Technology and Innovation; Risk and Resilience; Leadership and Governance; China’s Financial Transformation.

• The Forum’s Living, Learning and Earning Longer initiative is building multi-generational workforces and giving older workers greater opportunities to work. By collaborating through a unique digital platform that employers can use to find case studies, statistics and research on the advantages of a multi-generational workforce, this could raise GDP per capita by 19% over the next three decades.
• Illicit proceeds from criminal activity are estimated to account for 2%-5% of global GDP (about $2 trillion). Our Global Coalition to Fight Financial Crime brings together over 100 organizations to raise awareness of how financial laws are violated. Working with financial and non-financial sectors, the coalition recognizes and promotes the importance of emerging technologies and drives change by helping financial institutions.
• Experts from Zurich Insurance predict that by 2030 cybersecurity costs will reach $1.2 trillion. We have brought together a group of fintechs, financial institutions and regulators to strengthen cybersecurity in financial services. The Cybersecurity Consortium works to ensure global regulatory requirements are synchronized and the security of the financial services supply chain is enhanced.

• For the private sector to drive progress towards achieving the UN Sustainable Development Goals, a common system of non-financial measurement is essential. To promote alignment among existing ESG frameworks, the Forum worked with partners to draw on existing frameworks and identified a set of universal disclosures – the Stakeholder Capitalism Metrics. During 2021, the Forum announced that over 50 companies have started to incorporate these ESG reporting metrics in their annual reports and sustainability reports.
• The Forum has developed knowledge products to advise stakeholders on technology-driven systemic risks and the continued need for innovation. By exploring the relationship between increased technology adoption in financial services and systemic risk, the research examines how businesses can act to address identified risks, including the role that technology itself can play in mitigation approaches.

Contact us for more information on how to get involved.

Collaborate on collective cybersecurity

In today’s hyper-connected digital world, cybersecurity is no longer the responsibility of a singular organization or single executive.

Cybersecurity is the ultimate team sport and it is crucial for businesses, industries, and governments to unite to defend against global threat actors.