By Ewa Jaremka,
Corporate Communications Manager Marsh Pacific
02/02/2023 · 7 minute read
As with every year, the World Economic Forum’s report on global risks makes a compelling read, and its 2023 findings on cyber risk are as considerable in scope as they are ominous.
But if you’re like most business leaders starting the year with a packed calendar, chances are you’ll be equally bowled over at the Global Risks Report’s 100+ pages, and wanting to grasp the key implications in a bite-sized form.
We’ve done the deep-dive for you in this instalment of our blog series, in which we distil the report findings on cyber threats affecting the Australian and Pacific business community.
I spoke to Gill Collins, Marsh Pacific’s Head of Cyber Incident Management and Cyber Consulting, to hear her and her team’s interpretation of the report’s key findings.
For Australia and New Zealand, the report flags a key concern in how cyber threat is morphing in form, as well as impact. It notes that one of the biggest such changes is that geopolitical instability will colour the shape of cyber risk and cyber threat vectors. Continued unrest between countries means cyber breaches will be weaponised and used as a form of warfare by nation states.
This is most likely to take the form of attacks on the interoperable and autonomous technologies that underpin our critical infrastructure – with catastrophic consequences for governments, businesses and citizens alike. For Australia, the most vulnerable sectors are energy, financial services, agriculture, water, hospitals and healthcare, and transport.
This dystopian image – of our country’s vital systems grinding to a halt – is a looming reality that leaders are predicted to face within the next two years.
“Cyber risk is moving away from being a conversation just about rogue actors,” says Gill. “It’s now about likely threat vectors and whether nations with strong geopolitical motives will be swift to exploit the vulnerabilities of new technology.”
A running theme throughout the Global Risks Report 2023 is the concept of ‘polycrisis’ – where simultaneous threats are closely woven and their cumulative impact can be worse than the sum of their parts, often due to a contagion effect.
This interconnected quality applies to cyber threats, too. For this reason, the report foreshadows systemic risk on a scale that many of us may not have previously encountered.
“Coming out of Davos, many cybersecurity experts and their business counterparts view the risk of a catastrophic cyber event involving critical systems in the next two years as a very high likelihood,” says Gill. “This would include, for example, an attack on digital infrastructure and services leading to a systemic loss of communication, internet capabilities and cellular device failure. The consequences could be mind-blowing.”
Police and private CCTV footage, DNA databases, keystroke monitoring of employees working from home, biometrics data, remote tracking, GPS surveillance, biometric tech: while these technologies have brought us innumerable efficiencies and safeguards, the price is a loss of anonymity. And it’s about to get worse, the report warns.
Although the standalone data collection points for such technologies are anonymised, there’s the risk of more than one being infiltrated and the information integrated by cybercriminals. Combining such data would have the effect of a mosaic or jigsaw puzzle, where the anonymity that initially existed within the separate parts is lost, and individuals can be identified at even a biometric level.
Erosion of privacy, driven by activities within both the public and private sectors, is a growing risk of our digitally-connected world. And although it is more a privacy and human rights issue than one of cybersecurity, businesses must take heed if handling such data about customers or employees. The loss of public trust and reputational damage to a brand following a breach of such systems can often be irreparable.
In the wake of Australia’s recent high-profile cyber breaches, companies have undergone a meeting of minds in establishing cyber resilience protocols. Boards and executives are more hands-on in discussions of their organisations’ approach to cyber risk, cyber resilience and cyber posture. But while information-sharing has improved, challenges remain.
“These interactions between cyber professionals, boards of directors and executives need to be delivered in a language that enables organisations to take action,” says Gill. “I'm a big believer in cyber professionals and CISOs [Chief Information Security Officers] using empirical data to support their recommendations in a language that a board is able to understand. It embeds the cyber risk discussion into everyday language.
“This can mean talking about dollar investment in cybersecurity and cyber resilience, or transfer of risk, or a maximum probable loss in the event of an attack. These kinds of terms enable effective communication as boards take accountability.”
Central to such interactions is the quantification of cyber risk, which identifies cyber loss scenarios specific to an individual business.
“Quantification gives us the ability to understand the type, severity and likelihood of cyber threats and calculate potential financial impact. This then changes technical security terms into business-friendly language,” says Gill.
“Due to our ability to reference a deep archive of cyber claims data and other historic cyber risk information, we are uniquely placed to determine what a probable loss or maximum potential loss could look like. We can then translate that information into a conversation about how best to manage that risk.”
Over the coming year, Australia and New Zealand businesses will remain affected by continued recruitment challenges within the cyber risk profession. For Australia, the shortfall is estimated to be around 30,000 positions within the next two years. The country’s current cyber workforce is just over 68,000.
A complicating factor is the specialised mix of skills required for these roles. Until relatively recently, they’ve been misunderstood as IT roles, when in fact technical knowledge is only one core aspect.
Gill says: “Businesses can find it a real challenge to source the right people who can identify, quantify and manage cyber risk. On top of that, you also need people who have the technical knowledge to deal with the cyber threat when it occurs.”
In the Global Risks Report 2023 outlook survey, the issue of cyber talent recruitment was flagged by 64% of cyber professionals, and 59% of their business counterparts.
“You need people in these roles with a range of skill sets,” says Gill.
“It’s imperative for the cyber professional to be able to communicate effectively with stakeholders, such as simplifying the language – explaining the implications of technical risk rather than detailing it.”
Education has a role to play in addressing the qualifications gap. But because cyber and information technology risk is a relatively new form of risk, it takes time for higher education, TAFE and other institutions to catch up.
“There's always a lag to be expected – this is true for all forms of modern shifts within professions, not just technology,” says Gill. “But I’m optimistic that we're now in the middle of that correction process – we haven't necessarily reached the point where there's been a massive uplift in candidates, but we expect it in the near future.”
As the Global Risks Report 2023 argues, cyber risk in the near and medium term is shifting beyond hacker groups and lone wolf actors, to more sinister and systemic risk. The report calls for companies to take an enterprise-wide, holistic approach to resilience. But perhaps just as important is flexibility to adapt or rewrite your approach, because it is inevitable that technologies – and the opportunities to infiltrate them – change at pace.
Businesses frequently tell us that the process of preparing for cyber insurance or engaging a cyber risk adviser is one of the most illuminating and unifying for their organisation. Are you ready to start your company’s cyber resilience conversation? Contact our cyber team today.