The modern cybersecurity era keeps attackers, not only defenders, on their toes. The year 2022 was marked by a confluence of attack types and motives in a swirling eddy of sabotage, espionage, and hacktivism, motivated increasingly by geopolitics.
Private enterprises and public organizations alike find themselves intertwined in a risk nexus of geopolitics, cybersecurity, and supply chains. CEOs who say they’re exposed to geopolitical risk are taking action. Nearly half say they’re investing more in cybersecurity or data privacy, making supply-chain adjustments for greater security, or re-thinking where they’ve located their business as political alliances rapidly shift.
PwC’s 2022 Year in Retrospect, the 6th annual report, reveals new and developing cyber threat trends. This detailed retrospective on actors, techniques and tools also points to the current year, advising what to look out for in 2023.
The 2022 Year in Retrospect covers several trends in detail. Here, we call out two that CEOs and boards should understand.
Boards want to know: What is our risk exposure to these developments? Which of our strategic and business initiatives increase this risk exposure? Do they push us beyond our risk appetite? Is management, including the CISO and the CIO, moving swiftly enough to mitigate the risks?
We recommend that CISOs and other C-suite executives be prepared with answers to these questions:
Do we have our basics covered? Have we implemented defense-in-depth security, that is, layers of defense so that if one mechanism fails, another steps up to thwart the attack? Does it include strong identity and access management, continuous monitoring, and zero trust? Is Remote Desktop Protocol (RDP) exposed to the internet? If so, have we secured it properly, for instance by requiring Network Level Authentication and multi-factor authentication, or by placing it behind a VPN or gateway rather than opening port 3389 directly?
Are we resilient? Do we thoroughly understand our critical dependencies? Have we mapped our systems? Do we back up our systems and data, and can we gain access to them quickly?
Have we tested our crisis management, business continuity and disaster recovery plans? Do we have a designated executive empowered to lead these efforts organization-wide?
Have we anticipated the decisions we’ll need to make quickly in the event of an attack? Under what circumstances, if any, would we pay a ransom? Do we have the information on potential damages — operational, financial, legal, reputational — to make a good decision? Is our process in line with our corporate values?
Have we tested our communication plan in the event of an attack? How do we inform the board and CEO? How and when would we communicate an attack within the organization and to our shareholders?
Do we have cyber insurance and is it adequate to cover our losses? What does it pay for? Does it cover ransom payments? How does it work? If we do not have cyber insurance, what is our plan to cover the cost?
Have we thought through potential new geopolitical conflicts? Do we view data protection, privacy, and cybersecurity rules in a larger context — for instance, that nations might be using them to improve their own economic competitiveness? When confronted with a proposed data protection law or economic sanctions, do we want to continue doing business in that market at our current level, or at all? Is it a risk worth taking? Do we want to reorganize our portfolio, shifting some of or all our focus to other markets? Are we concerned that our IP may be vulnerable? If so, how can we protect it?
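The RDP question in the "basics" set above is one a CISO can answer with a concrete check rather than an opinion. The script below is an added example, not code from the PwC report or its authors: run in an elevated PowerShell session on a Windows host, it reads the standard Terminal Server registry values (whether RDP accepts connections, whether Network Level Authentication and TLS are required, which port is in use) and lists enabled inbound firewall rules that admit any remote address to that port on the Public profile. The verdict labels at the end are this example's own thresholds. It is a host-level view only and assumes nothing about the perimeter: a host that passes here can still be exposed by a NAT rule upstream, so confirm from outside with an external port scan as well.

```powershell
# Added example, not from the PwC report: host-level audit of RDP exposure and
# basic hardening. Run elevated on the Windows host being checked.
function Test-RdpExposure {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"

    function Get-RegValue($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }

    # 1. Is RDP accepting connections? fDenyTSConnections = 0 means yes.
    $rdpEnabled = (Get-RegValue $tsKey 'fDenyTSConnections') -eq 0

    # 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
    $nlaRequired = (Get-RegValue $rdpTcp 'UserAuthentication') -eq 1

    # 3. Is TLS enforced as the security layer?
    #    SecurityLayer: 2 = TLS required, 1 = negotiate, 0 = legacy RDP encryption.
    $tlsOnly = (Get-RegValue $rdpTcp 'SecurityLayer') -eq 2

    # 4. Listening port: 3389 unless PortNumber has been changed.
    $port = Get-RegValue $rdpTcp 'PortNumber'
    if (-not $port) { $port = 3389 }

    # 5. Enabled inbound allow rules that open that TCP port to any remote address
    #    on the Public profile (or all profiles), i.e. reachable from untrusted networks.
    $openRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $af = $_ | Get-NetFirewallAddressFilter
            ($pf.Protocol -eq 'TCP') -and
            (@($pf.LocalPort) -contains "$port" -or @($pf.LocalPort) -contains 'Any') -and
            (@($af.RemoteAddress) -contains 'Any') -and
            ("$($_.Profile)" -match 'Public|Any')
        }

    # Verdict thresholds are this example's own, not a vendor or report standard.
    if (-not $rdpEnabled) {
        $verdict = 'RDP disabled'
    } elseif ($openRules -and -not ($nlaRequired -and $tlsOnly)) {
        $verdict = 'EXPOSED AND WEAK: open to any address without NLA and TLS enforced'
    } elseif ($openRules) {
        $verdict = 'EXPOSED: open to any address; NLA and TLS enforced, still prefer VPN/gateway plus MFA'
    } else {
        $verdict = 'Not open to any remote address on the Public profile (check the perimeter separately)'
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RdpEnabled        = $rdpEnabled
        Port              = $port
        NlaRequired       = $nlaRequired
        TlsOnly           = $tlsOnly
        OpenToAnyOnPublic = @($openRules | Select-Object -ExpandProperty DisplayName)
        Verdict           = $verdict
    }
}

Test-RdpExposure | Format-List
```

Run it across the estate with `Invoke-Command -ComputerName` against a host list and collect the objects; any host reporting a non-empty OpenToAnyOnPublic is the first thing to reconcile against the external scan, because a local allow rule plus a perimeter port-forward is exactly the internet-facing RDP the board question is asking about.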
Both sides are increasing their investment in cyberattack and cyber defense, continually sharpening their teams, processes, and techniques, as the 2022 Year in Retrospect recounts in detail. The good news is this: we defenders are no longer merely victims, but are now able to assert ourselves and gain the upper hand.
A must for businesses? Defense in depth coupled with real-time threat intelligence. Consumers, employees, and investors count on it; societal trust relies on it.