Miri Marciano of BCG explains why organisations must sharpen their cybersecurity strategy in the face of increasing geopolitical tensions
Cyber wars are no longer the realm of science fiction. In today’s digital world – as we’ve seen since Russia’s invasion of Ukraine – coordinated cyber-attacks are a focal part of the offensive, which is only made murkier by the fact they’re often waged by proxies.
On top of this, attacks are growing more frequent, diverse and devastating, with targets more varied and motivations more far-reaching. In turn, we have seen cyber warfare evolve from strategic assaults on nations, to cynical strikes on organisations and critical infrastructure – only serving to weaken society.
Either way, what’s clear is that organisations of all types and sizes are potential targets in this high-stakes board game. But many are currently unprepared or unable to protect themselves as they haven’t truly internalised the need to harden their defences in this more hostile, uncertain and secretive world. Ultimately, this requires a drastic shift in mindset to increase cyber resilience. But is your organisation prepared? In this article I explore the impact of today’s volatile geopolitical landscape on cybersecurity – and how you can embed crisis management readiness into your organisation.
The impact of geopolitical cyber attacks on companies
Cybersecurity and geopolitics have become inextricably intertwined. Only cyber warfare doesn’t have geographical boundaries in the same way that physical conflict does, facilitating a battlefield where every company is a potential target. Even small and medium-sized service providers, such as regional hospitals, have been victims of cyber-attacks in recent years, with hackers increasingly looking to infect open-source software that’s widely used by organisations of all sizes.
This was the case in December 2021 when a virus infected a popular open-source tool, Log4j, that tracks computer activity. Bad actors quickly began using the tool to take control of or infect computer systems, launching “one of the most serious vulnerabilities I have seen” according to one senior US cybersecurity official.
Beyond every company now being a target, they must also prepare for cyber attacks with different motivations. On any given day, organisations can be fending off attacks designed to harm or inconvenience civilians or sow discord – with assaults on websites and public services, along with the distribution of fake news, all commonly deployed tactics used by bad actors.
Perhaps more worrying, however, is the increasingly advanced weapons now at their disposal. Organisations must always be on guard as the tools of the hacking trade are becoming ever more sophisticated and widely available. In a spiralling arms race, nations and non-state actors alike are developing more powerful weapons, which in turn encourages the development of stronger cyber shields, which further encourages the development of even stronger weapons, and so on.
Risk and crisis management readiness
The days of treating cybersecurity as an afterthought are long gone. Companies need to see cyber risk as an existential business threat, and they need a full suite of capabilities to keep attacks at bay. This is then delivered through two primary activities: identifying and mitigating risks, and ensuring they’re ready if a breach occurs. Part and parcel of this requires cyber risk to enter the C-suite. Too many organisations continue to assign all of the responsibility to the IT department. But unless the topic of cybersecurity is in the boardroom, it will remain siloed from business and strategy – rather than being tightly integrated with them.
Equally as important is quantifying the cyber risk exposure. Cyber risk is inherently unpredictable and all but the luckiest of businesses will come under attack. So, as with other risks, organisations should quantify their exposure and anticipate the costs and resources required to combat them. This should also be ongoing and dynamic to keep up with changing cyber risks.
In the risk assessment process, it’s also imperative to plan for various threat scenarios. Organisations should evaluate threat scenarios in which the attacker is a nation-state or the hacks are motivated by geopolitics. These scenarios also need to be incorporated into the final decision-making process on cybersecurity investments.
In geopolitical attacks, actors are also often scanning the landscape for the weakest target. So, it nearly always pays to be better than others. If the goal is to wreak havoc, bad actors may be less concerned with who they attack, so a business with stronger capabilities than its peers – even if it’s not best-in-class – might avoid being compromised.
Managing supply chain risks is also of the utmost importance. Supply chains will always be a prime target of geopolitical attacks because the right, successful hacks can bring down an entire sector. Historically, the objective of a supply chain attack has been espionage or disruption. But regardless, these strikes are always sophisticated and resourceful.
How to be ready when an attack occurs?
In today’s volatile world, prevention isn’t always possible. Eventually, most organisations will suffer an attack. However, the effectiveness of their response will hinge on pragmatism, preparedness and resilience. So, companies should have four types of plans to combat an attack:
- Incident Response – the steps to prepare for, detect, contain and recover from an attack.
- Business Continuity – a plan for how to keep operating while recovering from an attack.
- Disaster Recovery – a step-by-step guide for returning to a pre-attack state.
- Crisis Management – an outline of the legal, regulatory, financial and communication activities and decision rights required to manage through the crisis.
On top of this, organisations should establish ongoing dialogue with the leading national agencies and authorities that can provide invaluable assistance. Being a good neighbour is also key to readiness. If a company is hacked and the attack is spreading, the organisation can help others to minimise their exposure by sharing indicators of compromise. Perhaps the best way to be ready, however, is to practise. Just as buildings routinely run fire drills, businesses should conduct similar tabletop exercises so that every employee understands what might happen in a cyber-attack – and their role in addressing it.
The more comprehensive and tested the plan, the better the organisation’s response to an incident will be – and these exercises will pay dividends in the real world. After all, you don’t want to be trying to find the exits for the first time during a real fire.
ABOUT THE AUTHOR
Miri Marciano is Associate Director and cybersecurity expert at BCG.