March 2, 2021

Corporate Leaders Need to Improve Their Ability to Respond to Evolving Cybersecurity Threats by Nation-States

"Cyber-security is rarely far from the headlines, but reporting tends to focus on big events rather than a general growth in attacks and the evolving domain of conflict," The Economist Intelligence Unit (The EIU) says in a report entitled Securing a shifting landscape: Corporate perceptions of nation-state cyber-threats. Furthermore, "As the world becomes more interconnected, nation-state incursions that steal, destroy or damage information, or that spy on or embarrass their targets, are a growing concern among policymakers and corporate executives alike, with more countries facing accusations of either conducting or sponsoring such attacks."

Being more engaged in the cybersecurity industry over the past few years, I concur with the report's assertion that "[t]he shifting landscape of state-sponsored threats—and how stakeholders respond to them—will have a major impact on how firms operate and what they perceive to be the best way to mitigate threats. This is crucial as cyber-attacks increasingly target new sectors and different types of data."

As Cybersecurity Tech Accord, an advocacy organization that sponsored the report, notes:
The data in this report captures how private-sector leaders and security experts across different industries from around the world are grappling with the rise of nation-state threats online, how they have seen these threats evolve and where they see the trends going. The results are sobering. Not only do private-sector leaders increasingly recognize nation-state threats as posing significant risk to their organizations, but the problem is only expected to get worse in the years ahead. This marks a fundamental shift in security planning. While every organization historically has had to give at least some consideration to its security practices—both physical and digital—it is unprecedented that private organizations on this scale should have to steel themselves against attacks from the most sophisticated actors: governments.
The report is a result of 524 executives surveyed "in November and December 2020 and input from leading security experts. All survey respondents are in senior roles and familiar with their organization's cyber-security strategy."

What is more, survey respondents come from Asia-Pacific (Australia, China, India, and Japan), Europe (France, Germany, and the United Kingdom) and the Americas (Canada and the United States), with a minimum of 150 respondents in each region. They all sit at director-level or above and come from companies with more than US$500m in global annual revenue. A wide range of industries are represented in the survey, led by IT and technology, retail and consumer goods. Half of respondents are from IT/tech or cyber-security functions.

The EIU "assesses corporate perceptions of nation-state cyber-threats. It finds that companies have become aware of the challenges posed by such threats and are concerned about them; however, their ability to respond to evolving risks may be lacking." Below are the report's key findings:
  • "Firms' confidence in their ability to handle nation-state threats may be overstated. Companies recognize the threat posed by nation-state attacks and demonstrate a high degree of confidence in their ability to face them. This confidence may be inflated, however, according to experts interviewed for this report."
    • Interestingly, "Executives in Asia show a subtle but noticeable trend of both greater concern and greater readiness than their European and North American counterparts."
  • "Concerns over nation-state threats have evolved to encompass more factors. Cyber-attacks were once primarily viewed as a financial risk. Now, however, nation-state attacks also often target confidential materials and other important information (such as medical data), as highlighted by recent sophisticated breaches. Our survey respondents recognize this shift and view nation-state actors as a rising future threat.
  • "Greater political will, at home and abroad, is crucial to combating the issue. Executives and experts view stronger cyber-security legislation and regulation as key ways to cultivate a safer cyber-environment, followed closely by stronger international agreements, which have been elusive to date.
  • "The covid-19 pandemic has led to growing opportunities for cyber-incursions, especially to gain a foothold in the vaccine race. Experts interviewed for this report all note an increase in foreign actors trying to exploit weaknesses to gain access to sensitive pandemic-related data, particularly in sectors such as healthcare."

"It has become clear that nation-state cyber-threats and their attendant breaches are unavoidable," the report explains. "Instead of trying to protect everything, many organizations have in recent years defaulted to a risk-management mindset of trying to protect the most important data and information in the company rather than trying in vain to protect everything. Moreover, an ad-hoc, company-by-company approach leaves many gaps."

In addition, "There is a need for actions that can both strengthen defenses and reduce the incentives for nation-state attacks, starting with greater political will and partnerships between both the private sector and governments and between countries. Many countries have tried public-private partnership (PPP) models to resolve the challenge, but to little avail."

The EIU presents the following five key steps as a call to action in a new cyber-landscape:
  1. "Realize the extent of the problem. Even when alert levels appear high, prominent examples of purported nation-state attacks show that many organizations need to realize that the threat may be larger than their current ability to defend themselves.
  2. "Recognize the evolving nature of the threats. Given that recent nation-state cyber-attacks increasingly target confidential materials and crucial information across a wider range of sectors, organizations across industries must prepare for potential attacks on types of data they would not have previously expected.
  3. "Identify potential pain points within the organization. The covid-19 pandemic illustrates the ability of malign, sophisticated and foreign actors to exploit gaps. These weaknesses should be clearly identified and addressed, even though the most sophisticated attackers will find a way in if they work hard enough.
  4. "Create partnerships for the future. Political and business leaders need to co-operate more proactively to craft both domestic and international agreements on cyberspace norms.
  5. "Encourage governments to do more. Companies can work with governments to increase transparency around nation-state threats, raise awareness of the issue and build capacity to deal with it."

Among the survey's 25 questions, 47.1% of respondents said they were very concerned about their organization falling victim to a nation-state cyber-attack (33.4% said they were somewhat concerned). 39.9% of respondents said they were much more concerned about their organization falling victim to a nation-state cyber-attack today compared with five years ago (39.5% responded that they were somewhat more concerned).

With respect to the question "Through which of the following types of infrastructure do you think a nation-state cyber-attack would most likely enter your corporate network over the next five years?", 60.7% said the cloud environment, followed by employee computers/laptops (47.3%), hardware infrastructure (e.g., servers) (46.6%), and mobile phones (27.1%). (Figures may not add up to 100% in some cases due to rounding or because more than one option could be selected.)

On the topic of risk mitigation, I appreciate the following responses to: "What steps has your organization taken to prepare for a potential nation-state cyber-attack?"
  • Increasing investment on cyber-security-related technical measures (44.1%)
  • Improving training and education of employees (37.4%)
  • Designating a person or team to be in charge of cyber-security across the organization (31.3%)
  • Establishing or enhancing corporate policies regarding nation-state cyber-attacks (25.8%)
  • Increasing investment on risk management or legal advice (25.8%)
  • Establishing or enhancing corporate processes regarding compliance with national cyber-security regulations or policies (25.6%)
  • Committing to a set of standards (as issued from an international organization, industry body, etc.) (23.7%)
  • Designating a person or team to be in charge of addressing nation-state cyber-attacks specifically (21.0%)
  • Engaging in international discussions on stability of cyberspace (19.7%)
  • Regular information exchange with the government (19.5%)
  • Other (0.2%)
  • None of the above (0.2%)

Another key question is "What are the most concerning potential consequences of a nation-state cyber-attack on your organization?"
  • Leak of confidential material(s) (44.3%)
  • Loss of crucial information (37.2%)
  • Financial loss (31.1%)
  • Reputational loss for the organization as a whole (24.8%)
  • Loss of business continuity (20.6%)
  • Personal liability for my organization's senior leadership (15.5%)
  • Loss of competitive advantage (15.5%)
  • Other (0.2%)
  • Not sure (0.2%)

Disappointingly, only 21.4% of respondents said the board of directors is primarily responsible for setting their organization's overall cyber-security strategy. The CEO was named by 24.4%, the CIO/CTO or equivalent by 24.2%, and the CISO or equivalent by 9.0%. One of the board's key responsibilities is to identify and mitigate risks that may negatively impact the company's operations or revenues. In an article about organizational resilience, Linton Wells II, Ph.D., an Executive Advisor at George Mason University's Center for Resilient and Sustainable Communities (C-RASC), wrote: "Successful corporate directors are keen to build resilience. Only senior leadership, supported by the board, has the breadth of vision and the experience to address these issues comprehensively." Preparing a company to deal with a nation-state cyber-attack should be a board's priority for building resilience.

Lastly, the report includes the following quote by Charles Carmakal of Mandiant, a division of FireEye, a Milpitas, Calif.-based cyber-security company: "The SolarWinds supply-chain attack caused the industry to rethink how they manage third-party risk. What's different from previous nation-state attacks was the level of sophistication and scale of this operation." As I learned from my colleague, Emmanuel Lehmann, a cybersecurity expert, during times of disruption and in the wake of significant incidents, corporate leaders need to understand the challenges of nation-state cyber-threats.

What steps has your organization taken to prepare for a potential nation-state cyber-attack? What are the most concerning potential consequences of a nation-state cyber-attack on your organization?

Aaron Rose is a board member, corporate advisor, and co-founder of great companies. He also serves as the editor of GT Perspectives, an online forum focused on turning perspective into opportunity.
