Business versus a world of unchecked cyber threats | RiskMap 2022

TOP RISKS: CYBER

Business versus a world of unchecked cyber threats

Stina Connor | Analyst & Joseph Buckley | Associate Director

In 2022, escalating cyber threats globally are set to become a matter of survival for organisations. States are failing to deter aggressive behaviour, as offensive cyber capabilities proliferate among rising numbers of state and non-state actors. Insurers are questioning the viability of offering coverage for disruptive cyber events. Where does this all end? Almost inevitably with the private sector defending itself – alone – against cyber threats that are spinning out of control.  

Most of our clients (81%) who participated in the Global Risk survey expect the cyber threat landscape to deteriorate significantly in 2022. It is paramount that organisations focus on the future with an agile security stance. Failure to prepare your organisation to detect, prevent and respond to cyber attacks will have existential consequences in 2022. 

 

Spiral of escalation continues as cyber diplomacy fails

In 2022, efforts to curb aggressive behaviour will continue to fall short, as the geopolitical, military, economic and financial opportunities of such attacks far outweigh the costs. As deterrence proves ineffective, the spiral of escalating cyber threats will rival the impact of COVID-19 for business leaders and security teams in 2022. These two phenomena feed on each other, as the lack of enforcement provides space for high-impact attacks.

The frequency and severity of attacks, particularly on critical national infrastructure and global IT supply chains, have moved prevention and enforcement to the top of the national security and business security agendas. When the US national security community puts ransomware attacks on an equal footing with post-9/11 global terrorism, it’s clear how significant the threat has become.  

And it’s not just in the US – a growing number of countries have placed cyber security high in their national security priorities and strategies. The pace is relentless, and countries, sectors and organisations that had never before been victims are now suffering multiple attacks.  

Cyber hotspots in 2022

With each of those attacks comes increased pressure on the private sector to defend critical assets, services and operations. Based on our Global Risk survey, over 80% of our clients agree that ownership of cyber risks is unclear, which is unlikely to change in 2022. For businesses, state support in identifying perpetrators and responding to attacks will likely remain inconsistent and limited to the most egregious cases, leaving most companies to fend for themselves. 

In one of the clearest attempts to lay down cyber “red lines”, US President Joe Biden in July gave his Russian counterpart Vladimir Putin a list of critical infrastructure sectors – among them energy, IT and telecoms, and food production – that should be off limits. The effort failed. Activity since then shows the inability of diplomacy to curb disruptive operations against privately owned or managed infrastructure and to hold the actors responsible to account.  

Cyber diplomacy is not just about protection from cyber attacks today. Equally important – and contentious – is defining the rules of the game for the future. The competition to control the parameters for technology will intensify in 2022. Competing visions for technology are being used to justify restrictive regulation, online repression, surveillance, and disruption under the umbrella of digital and cyber sovereignty. This will challenge the foundations of internet governance and the way global companies do business.  

The drive from authorities globally to regulate data, content and technology competition will continue to pick up pace in 2022. Controlling the online space will become increasingly important for states seeking to repress dissenting voices – in particular during times of elections or elevated social tensions – which has already triggered longer and more disruptive internet shutdowns.1 Others have stepped up their political use of internet or service restrictions to try to compel foreign organisations to fall in line. Businesses should prepare for further restrictions that will affect their digital operations, content management and data compliance.

Confirmed internet shutdowns, January–May 2021

Source: #keepiton, Access Now


The absence of red lines means more states will look to expand their offensive capabilities in 2022, involving the private sector to leapfrog ahead where domestic capabilities are lacking. The scale of compromise by the commercial spyware Pegasus, revealed in 2021, demonstrates how far this contribution goes and the threat it poses to organisations.

Obscuring already obscured red lines

In 2022, more private sector organisations will take part in the global cyber arms race, as highly capable state actors will cascade their offensive cyber technologies to allies and proxies. The international community’s efforts to reduce non-state proliferation since 2009 have failed. Throughout 2021, we observed state actors arm their allies and proxies with fully fledged cyber weapons designed to disrupt operational technologies and steal large volumes of sensitive data, some having been designed by commercial entities. This proliferation of cyber weapons among a growing number of threat actors with diverse motivations globally is adding to the challenge of accurately attributing incidents to real-world actors.

Examples of state collaboration with non-state entities, 2017 – present

Source: Control Risks

 

Most concerning in 2022 is the rapidly advancing trend of overt collaboration between states and cybercriminals, and the growing number of ways states are leveraging their homegrown cybercriminal talent. States such as Russia, Iran and North Korea have engaged directly in criminality or have collaborated with domestic cybercriminals for several years. Their success – both politically and financially – has emboldened other states to develop these partnerships, in turn driving the aforementioned states to increase the effectiveness of their own cybercriminal activities. As with digital sovereignty, more manufactured cybercriminal havens are set to emerge next year. The benefits are clear: cybercriminal incidents have drastically reduced since 2017 in Russia and Iran. More governments are taking heed of this and will encourage domestic groups to look outwards.  

Source: Control Risks 

In the longer term, both cybercriminal and activist targeting patterns will increasingly align with the geopolitical rivalries of those actors’ host states. This will allow such criminals and activists to avoid retribution, while focusing most of their efforts on compromising their host’s adversaries.  

In 2022, the proliferation of cyber weapons will see more organisations globally facing disruptive attacks from a growing number of state and non-state actors. Disruptive tools like the Russian-built, Iranian-used Triton malware, designed to destroy operational technology systems, will spread to a broad array of state and non-state actors. As a result, there is an increased threat from both directed attacks and misuse of cyber weapons, akin to the highly disruptive WCry attack in 2017.

Companies will also face increasing financial risks as more states are encouraged to obtain funding through cybercriminal activity, enabled by their extensive espionage capabilities. At the same time, a larger number of cybercriminals will be able to operate freely within environments fostered by states happy to facilitate cybercriminal targeting of their adversaries.

The proliferation of state-level capabilities to non-state actors, a growing commercial market for sales of cyber weapons and a flourishing cybercriminal marketplace mean attribution of threat events to real-world actors will become increasingly difficult, making state-level responses and definition of red lines even more challenging. This will put the onus more squarely than ever onto individual organisations to fully appreciate their threat landscape and to proactively defend their networks against the growing number of cyber weapons being developed and used to cripple organisations globally. 

Different state operating models for collaboration with non-state actors

Source: Control Risks


Holistic, forward-looking risk management will separate the winners from the losers 

As advanced capabilities proliferate to increasingly emboldened and volatile groups, varying levels of cyber resilience will separate companies that are able to weather a cyber attack from those that will be forced to shut their doors in the wake of an attack in 2022. More than ever, business leaders, risk management and security teams need to expect the unexpected when preparing their organisations for cyber events, across strategic, tactical and operational teams.

Organisations will need to adopt – and improve – cyber security best practices to prepare themselves more effectively than the competition. Holistic cyber risk management must go beyond technical and automated capabilities and consider the full spectrum of factors affecting the external threat landscape and the organisation’s internal security posture. Those that fail to adopt an agile and holistic approach to cyber risks will become prime targets for cyber threat actors, and struggle to stay afloat when the attack hits. 

Authors

Other Top Risks

Helping organisations succeed in a volatile world

Find out how our experts can help you

Related articles

You may also be interested in

Access the virtual event platform to watch on-demand video content on the top risks, analyst picks and more.

Contact our team

Find out how our experts can help you