Cybersecurity and geopolitical conflict

What boards and CEOs should know and do

Urs Küderli
Partner and Leader Cybersecurity and Privacy, PwC Switzerland

Yan Borboën
Partner Digital Assurance & Cybersecurity and Privacy, PwC Switzerland

Johannes Dohren
Director, Cybersecurity and Privacy, PwC Switzerland

As the conflict in Ukraine continues, fears are mounting that criminals could attack Europe in cyberspace. So far, there has been relatively little visible action against European systems via cyberattacks. However, this might change, and collateral damage from this activity, similar to the 2017 NotPetya attack, is possible. The region also hosts many of the most prolific cyber criminal groups and patriotic hackers. These make up the bulk of the most significant ransomware groups operating today and could be used as proxies, or they could take advantage of the chaos to conduct operations themselves. Boards should be aware of these cyberattacks even if they’re not targeted at Swiss companies directly, as future spillovers are possible as the crisis continues to unfold. If cybersecurity has not been a priority of the C-suite and board, this is the time to review and reinforce it.

Cybersecurity and geopolitical conflicts: separately, they're among the top worries of CEOs, according to PwC’s CEO Survey. Together, the combined risks pose an even bigger challenge that demands immediate action. CEOs and boards should be asking: Are we ready to mitigate escalating cyber risks related to geopolitical tensions that might flare up in 2022?


When cyber and geopolitical conflict converge, business risk inevitably escalates

The 25th Annual Global CEO Survey was notable for the optimism among business leaders in Switzerland. However, they were also very clear about the threats to revenue growth in the year ahead.

Cyber risk was the threat that Swiss CEOs were most worried about – all of them named it – followed by health risks and geopolitical conflicts. Of course, much has changed since the survey was conducted late last year. The crisis in Ukraine has thrust geopolitical issues into the spotlight and inflation has emerged as a fundamental challenge for all businesses.

But not all risks are independent. Unfortunately, when combined, cybersecurity and geopolitical conflict can pose a significant and immediate threat.



Elevated risk environment for business when cyber risks and geopolitical conflicts combine


[Chart: share of CEOs concerned about each global threat. Categories shown: cyber risks, health risks, macroeconomic volatility, climate change, geopolitical conflict, social inequality.]

Question: How concerned are you about the following global threats negatively impacting your company over the next 12 months? (Showing only ‘very concerned’ and ‘extremely concerned’ responses)
Source: PwC, 25th Annual Global CEO Survey, January 2022.

Four lessons learned from previous attacks that should inform companies’ responses today

Lessons from prior geopolitical events and their implications for today:

  • Lesson: Multinational and global organisations can be affected even if they’re not directly targeted.
    Implication for today: Organisations with ties to the targeted nation or enterprise must monitor their computer network connections into and out of the country. They should review the risk of maintaining connectivity against their risk appetite. Some organisations might even consider a temporary shutdown as a pre-emptive measure, ahead of a geopolitical event.
  • Lesson: Cybersecurity has become part of the arsenal in geopolitical conflicts, and threat actors can be sophisticated and persistent.
    Implication for today: In times of crisis, organisations need to lower the thresholds for detecting intrusions. Ignoring what would be considered a false positive during a period of relaxed tensions might be particularly risky now.
  • Lesson: Attackers often gain a foothold by stealing credentials like account names and passwords and then move unimpeded between systems (i.e. lateral access).
    Implication for today: Organisations should be on the lookout for an uptick in spear phishing and social engineering to gain credentials.
  • Lesson: The NotPetya attack spread around the globe, shutting down systems with such speed (hours, not days) thanks to automation.
    Implication for today: Organisations should review their risks continuously, relying on near-real time network traffic analysis for swift threat identification and ramping up capabilities for quick reaction to threats.

Get to know your CISO

While prevention is preferable when it comes to cyber risk, the ability to respond and recover is equally important. We therefore recommend that boards urgently review their organisation’s cyber resilience, so that any weaknesses are identified and remedied.

A key collaborator in this process is your organisation’s Chief Information Security Officer (CISO). A simple table-top exercise with the CISO will help the board better understand the challenges, and how the organisation’s cybersecurity team is protecting against them. It will also give the board the confidence to act where weaknesses or deficiencies are identified.
 

Frame the conversation

During this table-top exercise, the leadership team and board members should explore the following:

  • How exposed are our systems, people and assets in countries that are targets of attacks? How closely are we monitoring the connections into and out of those countries in our corporate systems?
  • What’s the plan if we decide that we need to disconnect our systems? How quickly can we do so without harming our operations and our people?
  • Do we have an incident response (IR) playbook? Have we done exercises to test it? When was the last time we tested our IR plan? Have we discussed actions if hostilities begin? What are those actions?
  • How sophisticated are our threat detection capabilities? Are we able to detect intrusions in real time? How well do we monitor the cross-over from our IT systems to the tech that runs our operations?
  • Do we have strong relationships with national and/or local government agencies focused on cybersecurity? Have we contacted them regarding additional intelligence? How involved are we in industry or private-sector groups that share information with the government? How do we distinguish between accurate information and the disinformation and leaks that nation-state actors often deploy?
  • How well do our employees help protect the organisation against theft of account names and passwords via phishing and social engineering? When did we last scan our systems to detect unauthorised (even if dormant) access?
  • How good are our foundational cybersecurity capabilities? What is the state of our organisation’s cyber hygiene? 

Start the discussion today

Boards and CEOs must plan for a stepped-up response commensurate to the much riskier cyber environment associated with a geopolitical event.

The situation is much riskier because there are no norms that govern cybersecurity globally — and this new environment would challenge what few self-imposed guardrails exist because it changes incentives for defenders and attackers.

CEOs and boards will have to consider more consequential questions. Should we disconnect and isolate the systems that are in the conflict zone? Can we continue to tolerate the risks or accept a reduction in functionality or capability in certain territories? Should we accelerate key mitigating measures that will require a reprioritisation of resources?

The eight key actions businesses can take now

While an organisation’s CISO will play a critical role in mitigating cyber threats, the entire business has a role to play. To provide the best protection, PwC recommends that organisations do the following:

Understand critical business processes and information assets

Understand which processes and information assets, if impacted by a cyber attack, will have the biggest impact on your business from a customer, operational, regulatory and financial perspective.

Consider your broader ecosystem

Don’t just focus on the resilience of your organisation. Consider the network of third parties that enable you to operate effectively. How do you work together to adapt and change in line with rapidly evolving cyber risks?

Assess and mitigate cyber risks

Understand risk by creating realistic threat scenarios that leverage past events, near misses and industry views. Assess the impact of each scenario on your ecosystem and capture mitigating activities, while also defining the risk appetite of the organisation.

Factor cyber resilience into product and service designs

Protect your organisation from cyber attacks by building security into the design of technological changes. This could include using multiple layers of protection (defence in depth), zero trust assumptions and fail-safe modes. The adoption of cloud-based solutions may also be considered to help bolster cyber resilience.

Build and maintain effective monitoring, detection and protection controls

Look for, find and address abnormal activity across your IT estate using an advanced defence and detection capability.

Design and rehearse robust frameworks, plans and playbooks to respond to and recover from a cyber attack

While organisations have tested and improved their materials to respond to and recover from a pandemic, it's very important to also revisit and rehearse these for cyber security scenarios so that an organisation can return to business as usual as quickly as possible.

Build cross-industry support

Proactively build relationships with similar organisations through government and industry bodies to build cyber resilience at a sector level, as well as within your organisation.

Build cyber security awareness and foster a security culture

Use a range of communication channels to improve cyber security awareness among employees and third parties. This should explain their role in keeping themselves and the organisation secure.


Bottom line

For boards and CEOs, events like this geopolitical conflict can be an occasion for meaningful reflection on cyber strategy and investments. CEOs can and want to make a difference to the cybersecurity of their organisation. And boards want to exercise better governance over cybersecurity.

Speaking the language of business, CISOs can secure the cooperation and collaboration of senior executives who need to be part of any response and recovery for every aspect of their organisation, including supply chain, general counsel, business continuity, investor relations and customer relations.
