In a world where geopolitics and cyber mix, what CEOs and boards should be doing

Executive brief on Cyber Threats 2022: Year in Retrospect

The modern cybersecurity age keeps not only defenders on their toes but attackers as well. The year 2022 was marked by a confluence of attack types and motives in the swirling eddy of sabotage, espionage, and hacktivism, motivated increasingly by geopolitics.

Private enterprises and public organizations alike find themselves intertwined in a risk nexus of geopolitics, cybersecurity, and supply chains. CEOs who say they’re exposed to geopolitical risk are taking action. Nearly half say they’re investing more in cybersecurity or data privacy, making supply-chain adjustments for greater security, or re-thinking where they’ve located their business as political alliances rapidly shift.

PwC’s 2022 Year in Retrospect, the 6th annual report, reveals new and developing cyber threat trends. This detailed retrospective on actors, techniques and tools also points to the current year, advising what to look out for in 2023.

What do the findings mean for 2023? 

The 2022 Year in Retrospect covers several trends in detail. Here, we call out two that CEOs and boards should understand.

Cybercrime and nation-state motivations are converging

Competing for political, territorial, and economic ascendancy, some nation-states are using cybercrime tactics, techniques, and technologies. To these nations, economic security is national security. They intend to gain advantage by weakening rival governments’ institutions and economies, and stealing information and secrets. Other nation-states tolerate and even provide safe haven for cybercriminals because doing so aligns with their geopolitical interest.

Attacker governments’ pocketbooks and access to sophisticated threat actors can be formidable, perhaps beyond the resources of targeted companies. Companies should know that, increasingly, organized cybercrime groups and governments could act in concert.

To adjust to these significant shifts, defenders must change their course. Recognizing that their resources alone can’t match those of nation-state-funded attackers, they would do well to form partnerships with their own government agencies. 

Joint private-public information sharing and responses are dealing a one-two punch even to the most nefarious attackers, taking down major cybercrime actors and groups — an effective approach in 2022 that continues to gain momentum.

Ransomware will prevail as long as lucrative (and unprepared) targets exist

Money remains the primary motive as attackers break into systems and deploy ransomware to block victims’ access to their data. The cybercriminals use two levers of extortion: pay up to get your data unlocked and/or pay up or we release all your data on the internet. 

The number of ransomware attacks remains high, and the reason why is regrettable: many organizations haven’t taken basic steps to protect themselves. 

Cybercriminals know which enterprises are strong and which are weak. Companies with layered, defense-in-depth security including multi-factor authentication and zero-trust architectures aren’t nearly as likely to get hit: threat actors tend to go for the easy mark. They have plenty from which to choose, after all, as many businesses neglect even the cyber-hygiene basics.

Seven (non-rhetorical) questions for boardroom discussion

Boards want to know: What is our risk exposure to these developments? Which of our strategic and business initiatives increase this risk exposure? Do they push us beyond our risk appetite? Is management, including the CISO and the CIO, moving swiftly enough to mitigate the risks? 

We recommend that CISOs and other C-suite executives be prepared with answers to these questions:

Do we have our basics covered? Have we implemented defense-in-depth security — that is, do we have layers of defense so that if one mechanism fails, another steps up to thwart the attack? Does it include strong identity and access management, continuous monitoring, and zero trust? Is our remote desktop protocol internet-facing? If so, have we properly secured it?

Are we resilient? Do we thoroughly understand our critical dependencies? Have we mapped our systems? Do we back up our systems and data, and can we gain access to them quickly?

Have we tested our crisis management, disaster recovery, business continuity and disaster management plans? Do we have a designated executive empowered to lead these efforts organization-wide?

Have we anticipated the decisions we’ll need to make quickly in the event of an attack? Under what circumstances would we pay a ransom, if any? Do we have the information on potential damages — operational, financial, legal, reputational — to make a good decision? Is our process in line with our corporate values?

Have we tested our communication plan in the event of an attack? How do we inform the board and CEO? How and when would we communicate an attack within the organization and to our shareholders?

Do we have cyber insurance and is it adequate to cover our losses? What does it pay for? Does it cover ransom payments? How does it work? If we do not have cyber insurance, what is our plan to cover the cost?

Have we thought through potential new geopolitical conflicts? Do we view data protection, privacy, and cybersecurity rules in a larger context — for instance, that nations might be using them to improve their own economic competitiveness? When confronted with a proposed data protection law or economic sanctions, do we want to continue doing business in that market at our current level, or at all? Is it a risk worth taking? Do we want to reorganize our portfolio, shifting some of or all our focus to other markets? Are we concerned that our IP may be vulnerable? If so, how can we protect it?

Trust depends on the balance of advantage tilting towards defenders

Increasing their investments in cyberattack and cyber defense, both sides are continually sharpening their cyber teams, processes, and techniques, as the 2022 Year in Retrospect recounts in great detail. The good news is this: we defenders are no longer merely victims, but are now able to assert ourselves and gain the upper hand.

A must for businesses? Defense in depth coupled with real-time threat intelligence. Consumers, employees, and investors count on it; societal trust relies on it.
