Top Three Trends on Cyber Resilience from The World Economic Forum

What does the Global Cybersecurity Outlook hold for 2024?

by Davis Hake, Co-Founder & VP of Communications

With generative AI dominating the conversation at the World Economic Forum’s annual meeting in Davos this year – a massive 32 sessions in total – it’s easy to overlook another topic that was the focus of WEF’s 2024 Global Cybersecurity Outlook: Cyber Resilience. 

The term has taken on a new importance in 2024 as enterprise companies have come to recognize the significant financial cost of cyber incidents and look to focus on reducing interruptions to their business. This alignment of cyber and business drove WEF’s 2024 report as they surveyed over 200 cyber risk leaders to understand where security trends are shifting in the year ahead. These are the top three trends that stand out.

1. Cyber Resilience is Critical to Executive Buy-in 

As we’ve written about previously, there is a clear link between an organization’s level of Cyber Resilience and engagement from executive leadership. Of the cyber risk experts surveyed, “93% of respondents that consider their organizations to be leaders and innovators in Cyber Resilience trust their CEO to speak externally about their cyber risk.” This seems rather strange when you consider the technical nature of cybersecurity and the more traditional view from executives that this issue is not a significant focus for them. In fact, a 2023 Accenture report found that “60% of CEOs said their organizations don’t incorporate cybersecurity into business strategies, services or products from the outset, and more than four in 10 (44%) of the CEOs believe that cybersecurity requires episodic intervention rather than ongoing attention.”

The difference in a CEO’s focus lies in the difference between cybersecurity and Cyber Resilience. Where cybersecurity is a tactical focus on controls and technologies, Cyber Resilience takes a business-focused approach by working to understand what risks are critical to invest against and what risks must be accepted or transferred through insurance. This framing of the cyber risk discussion on business terms provides an opening for non-technical executives to not only discuss the topic but also weigh in with strategic guidance and ownership. It is also telling that WEF’s report notes “of organizations that are not cyber resilient, only 23% trust their CEO’s ability to speak about their cyber risk.” This marks the difference in executive focus between an organization solely focused on technical security, rather than how to build a more resilient business.

2. Third-Party Risk Must Become a Primary Focus of Resilient Organizations

Our supply chain ecosystem is becoming more and more of a systemic threat to Cyber Resilience. Last year, Resilience reported on the massive impact the MOVEit breaches had on its 1H’23 claims figures. The series of vendor-driven breaches accounted for the significant majority of incidents and overtook issues such as phishing, account takeover, and software vulnerabilities as the leading cause of losses for clients. 

A main driver of vendor breaches is a lack of visibility into the cyber risk that is being accepted by working with a specific vendor. In the case of the MOVEit breaches, Resilience’s security team was actually the first to notify some of the impacted clients that their data had been compromised by the threat actor group CL0P. This was done by monitoring the criminal group’s public leak and data extortion sites and cross-referencing known client infrastructure.

WEF’s 2024 report also focused on the increasing challenge of reducing risk from third-party vendors, noting that “41% of the organizations that suffered a material incident in the past 12 months say it was caused by a third party.” Their findings mirror the concern of a lack of vendor visibility, stating, “54% of organizations [surveyed] have an insufficient understanding of cyber vulnerabilities in their supply chain,” and “even 64% of executives who believe that their organization’s Cyber Resilience meets its minimum requirements to operate say they still have an inadequate understanding of their supply-chain cyber vulnerabilities.” This lack of visibility into a supplier’s risk must become a primary area of focus for companies working to better assess, measure, and manage their cyber risk.

3. The Much-Anticipated Role of AI in Cyber Risk Management

Finally, no survey on technology these days can get away without mentioning generative AI, and WEF’s report makes a strong case that “emerging technologies [such as generative AI] will exacerbate long-standing challenges related to Cyber Resilience.” Resilience’s CISO, Justin Shattuck, has written about the potential for tools like ChatGPT to serve as a new “interface” for security leaders. In February of last year, he told Axios, “A lot of what we’re constantly doing is sifting through noise. And I think using machine learning allows us to get through that noise quicker. And then also notice patterns that we humans aren’t typically going to notice.”

However, respondents to WEF’s 2024 survey were less optimistic, with 55.9% of respondents saying they believe generative AI would benefit attackers and only 8.9% saying the defenders would be the primary beneficiaries. Specifically, 46% of respondents were primarily concerned with generative AI’s ability to enhance “adversarial capabilities like phishing, malware, and deepfakes.” But concern also extended to the security of generative AI itself, with 20% being concerned about inadvertent data exposure and a cumulative 16% concerned with the technical security and supply chain security of large language models. In response to the increased risks of this new technology, an increase in respondents (60% in 2024 vs 39.2% in 2022) felt some type of cybersecurity regulation would be beneficial to reducing cybersecurity risks to businesses.

Building Global Cyber Resilience: A New Way of Thinking 

Last year, Resilience’s CEO, Vishaal “V8” Hariprasad, spoke at Davos about the business impacts of threats from cybercrime. While awareness of cyber risk is reaching executive levels, to solve these structural problems and be ready to take advantage of new trends in technology, companies need to take the next step and think about how they prioritize their cyber investments. Cyber Resilience forces organizations to consider what risks they will buy down with a strong security program, what financial risk they can transfer away through insurance, and what risks they just have to accept. Accepting risk is not a common security “best practice,” but knowing the risk you accept is significantly better than the alternative of pretending you are secure against everything.

Companies need to think about their cyber risk comprehensively with coordination across their risk management, cybersecurity, and financial silos. These teams need to have visibility into what could constitute a material risk, with coverage that helps transfer financial risk away from the company’s coffers and ongoing analysis that can help senior leaders make informed business decisions. 

While work from partners like the World Economic Forum goes a long way to bringing attention to this subject, more should be done by those in the cyber insurance industry with the data to help inform these decisions and an economic incentive to build Cyber Resilience in their clients. If cyber insurance can transform more into a risk management solution, it has the potential to act as a driver for incentivizing companies to be safer and as a critical element in building a more secure cyber ecosystem.
