Miri Marciano, Walter Bohmayr and Or Klier
A Geopolitical Lens for Cyber Resilience
Boston Consulting Group, 2022
Is your organization a cyber lion, or an undersized, limping cyber gazelle?
How do you protect a small business, a corporation, a nation? Guard secrets, stay ahead of the competition and, if you’re a nation, prepare to defend your country by land, sea and air. But what about cybersecurity? In 2016, NATO identified cybersecurity as the next theater for modern warfare, urging member countries to cooperate in fighting and recovering from cyber threats. Geopolitical cyberattacks aren’t only directed at government entities, however. Private service providers are also under attack. This report from the Boston Consulting Group outlines cybersecurity measures vital to every organization.
- Geopolitically motivated cyberattacks are on the rise, making cybersecurity an increasingly vital part of any organization.
- In the new world of cyberattacks, hackers are more sophisticated, theft of money or data isn’t the only goal, and everyone is vulnerable, even small enterprises.
- Cybersecurity can no longer be an afterthought for any organization.
- No matter how good your cybersecurity, your organization must also prepare for the aftermath of an attack.
Geopolitically motivated cyberattacks are on the rise, making cybersecurity an increasingly vital part of any organization.
Geopolitical cyberattacks are becoming more common, and government entities aren’t the only targets. Instead, private companies, networks and infrastructure are at risk – even water systems and hospitals. It’s difficult to determine who the culprit is, and it’s often not clear where organized crime ends and cyberattack surrogates, paid by nation-states, begin. The nature of cyberattacks has also changed – a wider variety of motivations prompt attacks, with more diverse targets and more damaging effects. Some attacks seem to be specifically targeted at undermining society.
“A single individual, operating in secret, can cripple vital national infrastructure or an unsuspecting and unprepared company.”
The more spread out a company’s workforce, the more vulnerable that company is to cyberattacks. So when the COVID-19 pandemic made remote work more common, hackers took notice.
In the new world of cyberattacks, hackers are more sophisticated, theft of money or data isn’t the only goal, and everyone is vulnerable, even small enterprises.
Cyberattacks are creating a new type of arms race, except in this case the arms are hacking weapons and security tools. As hacking weapons become more advanced, so do security tools, which inspires hackers to create more advanced weapons, which generates the need for more advanced security tools. This cycle is unlikely to end anytime soon. And if your organization has neglected cybersecurity because you think you’re too small to be targeted, think again. Some geopolitical attacks are carried out simply to incite contention and frustration among ordinary citizens by disrupting services or disseminating misinformation.
“When the motives behind attacks expand into the geopolitical realm, preparation and risk management become more complex.”
Attackers can be state- or privately funded, and they’re targeting small and medium-sized organizations. Consider Log4j, the open-source logging software that all kinds of organizations commonly use to record activity on their systems. A senior US cybersecurity official described a December 2021 Log4j attack as “one of the most serious vulnerabilities I have seen.”
Cybersecurity can no longer be an afterthought for any organization.
Every organization needs two capabilities: first, the ability to identify and reduce attacks and second, the ability to manage the effects when the inevitable attack occurs. Organizations require a broad range of cybersecurity capabilities, regardless of size. Preparation begins with making cybersecurity part of the business plan. It’s not an afterthought or an add-on – it’s a C-suite priority.
“Many organizations are unprepared to protect themselves in this increasingly hostile, asymmetrical and secretive world.”
Your organization’s cyber risk is unpredictable, but it’s still certain. Anticipate cyberattack costs before they happen, and apply resources accordingly. Your organization must continually assess various threat scenarios by asking, “Who might attack?” “Why would they attack?” and “How and where might the attack be carried out?” Don’t neglect your supply chain, software providers and vendors when making these assessments. Coop, a Swedish retailer, had to close 800 stores for 24 hours as the result of an attack on Kaseya, its IT management software provider.
No matter how good your cybersecurity, your organization must also prepare for the aftermath of an attack.
No cybersecurity plan can guarantee 100% successful prevention. Be prepared to respond to an attack. Start with an “incident response” that outlines the steps you’ll take to “detect, contain and recover.” This means having a plan for operating during an attack, and a blueprint for restoring your organization to its pre-attack condition. You’ll need a model of regulatory, legal, financial and decision-rights factors as well as a means to communicate with impacted parties. This also means sharing attack details with neighboring organizations to help them protect themselves. Attackers are well-organized and well-funded; a cooperative interorganizational defense is the only feasible option.
“Increasingly, the hackers behind these attacks are persistent, highly skilled actors backed either by nation-states or by large, well-financed cyber criminal groups.”
Remember the fire drills you did as a kid? Cyberattack drills can also be an effective means of preparation. Everyone from employees to executives should know their role in the event of a cyberattack. Repeated practice runs will improve your organization’s response to an actual incident.
About the Authors
Miri Marciano, Walter Bohmayr and Or Klier are professionals with the Boston Consulting Group.