5 ways to increase cyber resilience against increasingly diverse threats

During 2023, the cybersecurity economy grew four times as fast as its global counterpart and outpaced growth in the tech sector. Signalling a rapid rise in innovation, the situation suggests a wealth of growing opportunities within the sector. However, with opportunities come risks. It is no surprise that cyber insecurity continues to feature prominently among the top risks in the 2024 edition of the World Economic Forum’s Global Risks Report 2024, both over the two- and ten-year time horizon.

As the scale and diversity of threats increases, resilience is paramount, and as the new World Economic Forum’s Global Cybersecurity Outlook 2024 reveals, few organisations are sufficiently robust to confidently call themselves cyber resilient. Furthermore, as the risks and technology that both create and combat cyber threats increase, a yawning gap is growing between the well-resourced and skilled large organisations and their small and medium-sized enterprise (SME) counterparts.

Fortunately, there are several ways that businesses can improve their cyber resilience, and if addressed systemically, these will result in a far stronger cyber ecosystem.

The state of the sector’s health paints a mixed picture, with long-standing threats, such as malware, continuing to develop, alongside new and increasingly diverse risks. The report offers a sobering reminder of this, revealing that in the past five years, the number of malware families and their variants that have infiltrated at least 10 per cent of global organisations has doubled. This, coupled with growing inequity in terms of cyber resilience, driven by the high cost of the necessary tools and talent, and the early adoption of cutting-edge technology by the sector’s largest organisations, presents unprecedented challenges.

These are complex problems that require sector-wide attention. Unfortunately, at the same time, other risks are either appearing or morphing. Emerging technology is one such example, particularly the growing use and development of generative AI. This is increasing the complexity of attacks as well as advancing adversarial capabilities to do things that defenders are already combatting, like phishing.

We enter 2024 with a difficult risk outlook, which geopolitical tensions threaten to exacerbate. This is borne out in our research, which reveals that 70 per cent of cyber leaders cite geopolitical concerns as at least moderately influencing their organisation’s cybersecurity strategy. It is a year in which 45 countries are set to hold general elections – including India, the UK and the United States –

which taken together account for 50 per cent of the world’s GDP. This will heighten the risk profile, with generative AI exacerbating existing problems with disinformation, misinformation and social media platform manipulation.

But it’s not just the new that concerns cyber experts. Our research revealed the problems they face in securing older systems and legacy technology, which for 44 per cent of respondents to our survey, was the greatest obstacle to attaining cyber resilience.

A long-running problem for the sector has – and continues to be – a skills and talent shortage, and instead of the gap narrowing, our report suggests that it’s widening at an alarming rate. Almost 80 per cent of those surveyed revealed that their organisations lack cyber teams with sufficient skills to achieve their cybersecurity objectives.

Reflecting the sector’s interconnected nature, these challenges fundamentally undermine the entire cyber ecosystem. But there is hope. The important shift that needs to occur is an improvement in cyber resilience, and our research has shown five tangible measures businesses can take to improve this.

Resilience is developed step by step. There are a lot of composite parts and no quick fixes to ensuring a robust line of defence. A first step is to prioritise cyber risk. This may seem an obvious point to make, but given the spectrum of threats businesses face, cyber risk can slip down the agenda. It is, however, paramount that organisations regularly assess and prioritise cyber risk, and our research uncovered a positive trend in this respect – that of the increasingly common practice of incorporating cyber resilience into organisational risk management.

There are a lot of experienced cyber experts in the field, and the best advice that we discovered during our research was that even in the face of emerging technological risks, there is a need to maintain focus on tried and tested cyber resilience practices. In doing so, those in the field find that threats can be detected and mitigated early.

As a companion to this is step two - develop cyber governance. Undoubtedly, wisdom is accrued, and many organisations have prudent cyber resilience practices that are reaping dividends. Best practices need to be shared and institutional knowledge developed. In this respect, cyber resilience and CEO trust are symbiotic. A total of 93 per cent of respondents in our survey who consider their organisations to be leaders in the field trust their CEO to speak externally about their cyber risk. This underscores the importance of support for cyber strategy and plans at the C-suite level.

The third step is the need to cultivate a culture of resilience. Regular training and awareness raising are paramount to improving organisational culture, as is a fundamental buy-in. Everyone in an organisation needs to understand the risks stemming from our interconnected digital economy. In-house, companies should seek equitable access to the right priorities, talent, technology, security tools and organisational culture. Externally, businesses need to work with partners to robustly assess and address supply chain risk.

This brings us to our fourth element – encouraging systemic resilience and collaboration. Indicators for cyber resilience include the quality and quantity of collaborations. This not only refers to the extent to which organisations understand their supply chain cyber risk, but also the clarity and effectiveness of regulations, and the accessibility and maturity of levers, such as cyber ratings or cyber insurance. Positive outcomes in all these areas create resilience, the opposite, fragility.

Finally, organisations must ensure that design supports cyber resilience. Typically, a mix of convenience, the opportunity to use new technology to accelerate a business’s prospects and the very human trait of fearing being left behind tempts organisations to introduce new technology faster and with less security than is prudent. One way to tackle this is to shift the economic incentive structure for innovators.

Increasingly governments are calling on technology manufacturers and service providers to create products that have security built in from the outset and can be kept secure for their lifecycle. This is feeding through into programmes and regulation like the EU’s proposed Cyber Resilience Act, with further activity expected in this area.

All signs are that 2024 will be another challenging year, but by shifting practices and pursuing cooperation and best practice sharing, progress can be made. Notably, the challenges are systemic, which points to the need to secure the commitment and engagement of every stakeholder. The upside to this is that as the momentum to collectively address the sector’s challenges and risks develops, an increasingly resilient cybersecurity ecosystem emerges, benefiting everyone.

Akshay Joshi, Head, Centre for Cybersecurity, World Economic Forum

This article was published as part of the World Economic Forum Annual Meeting 2024 discussions.