Blog
Analysis: Cybersecurity Managers Fear ‘Catastrophic’ Cyber Event Now Likely Within Two Years
In a fully digital world, organizations are no longer isolated islands. It seems the profession is finally coming to terms with the dark possibilities.
What’s the worst thing a bad cyberattack could do to an organization?
Five years ago, most business managers would have cited business disruption, reputational damage, or regulatory fines as their top worries.
Now interviews with business managers and cybersecurity professionals by the World Economic Forum (WEF) have revealed that managers worry about something far worse – the near-term possibility of a catastrophic cyber-event beyond their control.
According to the Global Cybersecurity Outlook 2023 , 93% or cybersecurity professionals and 86% of business leaders they spoke to believed geopolitical instability means that a major cyber incident was now moderately or very likely to occur within two years.
Almost three quarters said the issue had caused them to change the way their organization interacted with third parties in terms of data access, with around half saying they’d reevaluated doing business with some countries. As one respondent told the report’s authors:
“We have needed to spend time and resources on understanding how the threat landscape has changed, whether the difference in the attacker’s motivation makes us more likely to be targeted, what will be attacked and how it might be attacked.”
Threats were now evolving so fast that this organization had shortened its planning timescales to three months rather than working up to a year ahead as in the past.
Managers now worry about third parties more than in the past, with 61% of cybersecurity managers and 54% of business managers rating the cyber-resilience of partners lower than their own.
Risk perception
On a related theme, the report found that regulation is increasingly seen in a positive light, with 73% of business leaders and cybersecurity managers agreeing that cyber-privacy laws reduced their risk.
This is a significant change from the 2022 report where more than half of respondents were against the idea.
Equally, regulation is ineffective without enforcement, which 76% of business leaders thought would benefit everyone by encouraging investment in cyber resilience. Put another way, if organizations fear enforcement, they will be more likely to take cybersecurity best practice seriously.
“They believe properly enforced regulations will raise the quality of cybersecurity across their sector and their supply chains, which will in turn make their business less prone to collateral damage from attacks on other organizations.”
Fear of the other
It’s clear from the WEF report that the possibility of a major systemic cyber-event is now on the minds of many people whose job it is to anticipate these events. The question is what, if anything, they can do about it.
Digitalization is about increasing connectivity and automation, but both of those bring with them greater risk. Supply chains are increasingly defined by software connectivity covering everything from third-party remote management outsourcing to exposed APIs and data sharing. There is no obvious way back from this.
One sign of progress is that the report found signs of a new consensus between business managers and cybersecurity professionals across a range of issues.
“Both groups have a clearer view of the strengths and weaknesses of their organizations’ cyber capabilities, and cyber issues are more integrated into enterprise risk management and now receive more board-level support,” noted the report.