A context of growing concern about cybersecurity and resilience
Accelerated digitalisation, combined with rising geopolitical tensions, has been accompanied by increased polarisation, erosion of trust and cyber insecurity. Against this backdrop, cybersecurity is critical. The World Economic Forum (WEF) identifies cyber insecurity as one of the top 10 global risks, and cyber attacks are among the top three concerns of the public and private sectors worldwide.
Since the pandemic, the number of cyberattacks has doubled. 29% of organisations have experienced one cyberattack in the last year, and 91% of executives believe a high-impact cyber incident could occur in the next two years. The supply chain and organisational ecosystem are particularly relevant, with 41% of cyber incidents originating from third parties.
More worryingly, there is a widening gap between organisations that are cyber resilient and those that are not. According to Cisco, only 3% of organisations worldwide are sufficiently prepared to withstand cyber security threats. On the other hand less than a quarter of SMEs have cyber insurance in place, compared to 75% of larger organisations, and more than twice as many SMEs as large organisations report that they lack the cyber resilience needed to meet their critical operational requirements, which may delay their evolution in the digital world.
The high cost of cyber insecurity
The cost of cyberattacks or data breaches is increasingly high: the average total cost per incident for large organisations is estimated at USD 4 million. The global cost of cyber-incidents is very high, at around $9.5 trillionby 2024, equivalent to the world’s third largest economy after the United States and China.
Cyber insecurity imposes direct and indirect costs on society and businesses: risks to people’s safety and privacy; costs of disruption to services, including those critical to society; ransom payments; loss of data and relevant information; legal liability to third parties; sanctions; or loss of reputation, which can all affect business valuation or even viability.
And what are the challenges?
Progress in digitalisation can only go hand in hand with adequate cyber resilience, fostering trust and the inclusion of the entire productive fabric. According to the International Monetary Fund’s Cyber Risk Report, companies in more connected sectors or with more interesting assets for attackers, with less protection (such as SMEs), in countries with higher geostrategic risk or with lower levels of cyber legislation, are the most at risk.
However, the greatest success in cybersecurity is silent, making it difficult for businesses and governments to justify the return on investment in improving resilience. Indeed, actors tend to strengthen their cyber defences after an incident, suggesting that a dynamic learning process is taking place. As with other investments such as R&D, private or government incentives to address cybersecurity risks may differ from the social optimum, as noted by the International Monetary Fund. Cybersecurity has positive externalities for the economy, and at the same time there may be a market failure due to the difficulty of justifying the return on these investments.
A complex and fragmented policy and regulatory framework
Cybersecurity policy and regulation to increase cyber resilience is currently fragmented, complex, transversal and evolving framework that seeks to address risks in a global digital world, not free of geopolitical tensions, where new technologies are emerging.
The motives for attacks vary, although attackers are often driven by money (organised gangs), but also by recognition and political or social causes. It is not enough to increase cyber resilience (improving the shield), but it is imperative to make effective progress in the fight against cybercrime that transcends national borders.
In this new world, cyber insurance plays a key role in protecting against risk. Cyber insurance, also known as cyber risk insurance, is a contract that companies can take out to protect themselves against financial or liability losses associated with cyber incidents. Coverage can vary. The cost of cyber insurance is rising and cybersecurity rating agencies are gaining prominence and, unlike credit rating agencies, lack of transparency and regulation.
Lack of specialised professionals or cybersecurity culture
The human and cultural factor is fundamental. And the shortage of professionals is very high: improving cyber resilience requires almost twice as many professionals as currently exist. There are 5.5 million cybersecurity professionals worldwide. Despite its growth, the gap continues to widen, and by 2023 around 4 million additional professionals were still needed worldwide.
In Europe, the Eurobarometer survey published in May 2024 shows that the cyber skills shortage is growing, with a need for more cybersecurity specialists and highly cybersecurity-aware employees in every company. While there is a general consensus that cybersecurity is a high priority for companies (71%), taking action remains the main challenge, particularly in terms of culture or training.
Recommendations to improve cyber-resilience
Following an analysis of the European situation, the Council of the European Union has adopted conclusions in May 2024 proposing a series of measures, including the presentation of a revised cybersecurity strategy, updating the existing 2020 strategy.
In an increasingly connected world, building cyber resilience and increasing digital trust for inclusive digitalisation, requires better cooperation, appropriate frameworks, capacity building and incentives. Here are some broad recommendations at the global level to achieve these goals:
- Strengthen multilateral cooperation against cybercrime, from prevention, identification, and containment of incidents to investigation and prosecution, by providing the necessary resources and capabilities.
- Promote cybersecurity best practices and minimum standards, including the development of independent cybersecurity agencies with resources, policies and cybersecurity plans, and encourage the use of international security frameworks (e.g. ISO) and recognised certificates, promoting transparency and harmonisation.
- Improve harmonisation, coherence, regulatory simplification, and multi-stakeholder cooperation, avoiding overlapping or inconsistent regulation and implementation, addressing coordination between competent authorities and with companies, and coherence in incident reporting systems, as well as cyber intelligence sharing.
- Explore new financing mechanisms and fiscal incentives to improve cyber resilience, capacity building, and cyber security culture to address the necessary investments and the shortage of cyber professionals.
- Define and monitor new key indicators of investment and expertise at the international level, in the absence of indicators and to support investment.
- Establish minimum requirements (transparency, information, sound methodology) to strengthen the quality of cyber rating agencies with regulation similar to that of credit rating agencies. In addition, an official register of authorised cyber rating agencies should be established to increase confidence in the entire ecosystem.
Resilience is the ability to cope with adversity and maintain business continuity. Improving cybersecurity is a necessary first step.
