A myriad of geopolitical events occurred at the end of 2022 and beginning of 2023 that reshaped how business and tech leaders are approaching data, consent, and cybersecurity itself. Consequently, CEOs are feeling pressure to stay ahead of cyber challenges and the threats that evolve from this global landscape, according to a recent PwC survey.
And while these concerns are preoccupying most C-Suite executives, the question remains: how and when did these occurrences of global tension creep into the nation’s digital security?
Moreover, what effect do they have on data privacy and consumer awareness? How will business leaders prepare for external threats, and how can consumers prevent unwelcome data mining?
From the Russia-Ukraine war and the China-Taiwan standoff to growing consumer awareness and escalating data breaches, the cybersecurity industry has undergone a lot of turbulence recently. Below, we dive into how these events are shaping the industry today, as well as what to expect for the future.
Emerging Geopolitical Concerns
Geopolitical fragmentation is increasingly affecting data protection and cybersecurity, especially when it comes to how businesses operate, as well as the countries they invest in.
According to a World Economic Forum (WEF) study, 93% of cyber leaders and 86% of business leaders think it is “moderately likely” or “very likely” that global geopolitical instability will lead to a far-reaching, catastrophic cyber event in the next two years.
The Russia-Ukraine war gives context to that ominous claim. In the first year of the invasion, Ukraine was able to fight off the barrage of Russian cyberattacks that targeted government agencies, energy substations, and even television networks. However, those tracking cyber threats say Russian hackers will ramp up their efforts, and Ukraine may find it tougher to fend off the attacks in 2023 and beyond.
But while the world’s concern around cybersecurity seems to be centered on fending off Russian hacks against Ukraine, American officials have prioritized another growing threat: attacks by China on U.S. soil.
According to Politico, if China invades Taiwan, “[China] is likely to unleash a volley of digital strikes against the United States at the same time.” Top lawmakers, the U.S. intelligence community, and cybersecurity officials have said in recent weeks that if this threat manifests, China would likely try to “hobble critical U.S. systems with cyberattacks on military transport systems like ports and railroads, or against key civilian services like water and electricity.”
How do these international cyber threats translate for U.S. enterprises? WEF reports that 43% of organizational leaders believe a cyberattack will materially affect their own organization by 2025. Most leadership sees an organization’s cybersecurity risk as being influenced by the quality of security across its supply chain of commercial partners and clients. Consequently, enterprises are devoting more resources to day-to-day defenses that are strategic investments.
“In cybersecurity, there’s a correlation between geopolitical tensions and an increase in cyber attacks. Mobile networks are strategic in all countries of the world, not the least in the region we’re sitting in, and therefore, [we’re] potential targets…This does affect the market. It does affect our customers and it has impacted decision-making, as well as deferring investments.”
– Enea AB | Earnings Call 2023
According to WEF, “business continuity (67%) and reputational damage (65%) concern organization leaders more than any other cyber risk.” To fortify against advances, leaders intend to strengthen controls for “third parties with access to their environments and/or data (73% and 66% respectively)” and “[re-evaluate] the countries with which they do business (50%).”
Consumer Consent in the Digital Age
A stark reality is fast approaching for online enterprises: a long list of disclosures for consumers is quickly fading. What’s replacing them? European-style requirements for clear, unambiguous, affirmative consent, which have proven the best way to reduce regulatory and class action risk.
This consent tactic has taken shape in the form of a “cookie door”: online visitors must opt into cookie-mining consent (a.k.a. managers collect all but essential cookies) before entering a site, so as to reduce the risk of “selling” or “sharing” cookie data under state privacy laws. It will also mitigate the need to honor a Global Privacy Control (GPC) or Do Not Track signal, further avoiding class action litigation.
In Q3 of 2022, US companies began facing an influx of consumer class action lawsuits that claimed businesses and their software providers were violating state anti-wiretapping statutes and abusing consumer privacy rights based on their websites’ use of session replay technologies without consent.
Session replay involves “replaying” a visitor’s journey on a website or within a mobile application or web application, including what they viewed, clicked on, or hovered over.
While legal discourse about session replay is relatively new, the laws under which plaintiffs are suing are long-standing. That’s why businesses utilizing session replay technologies within their consumer-facing websites must consider proactive measures to obtain affirmative consent in 2024.
“Consent will also be critical for those companies, particularly in the financial services sector, that employ technologies like voice authentication and fraud prevention, or in the consumer sector, who employ virtual try-on features,” Reuters states.
Data Protection
As geopolitical tensions exacerbate potentially catastrophic cybersecurity threats, new regulations to protect data and enhance reporting under increasingly tight deadlines are being introduced. Take, for instance, the New York Department of Financial Services (NY DFS), which expanded the scope of events that trigger mandatory reporting within 72 hours and requires ransom payments to be reported within 24 hours.
“The ransomware crisis threatens every financial services company and their customers. And a major ransomware attack could cause the next great financial crisis. A ransomware attack that simultaneously cripples several financial services companies could lead to a loss of confidence in the financial system,” the NY DFS wrote in an open letter.
Additionally, Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) into law. This act will require companies that provide “critical infrastructure” to report cybersecurity incidents and ransom payments to the Department of Homeland Security (DHS) within the same time frame.
The Securities and Exchange Commission (SEC) has also proposed new regulations regarding mandatory public reporting of cybersecurity incidents within four business days.
Meanwhile, the Federal Communications Commission (FCC) has cut down the current seven-business-day mandatory waiting period prior to notifying telecom customers of a data breach. Notifiable breaches will include inadvertent but still harmful incidents.
However, encrypted data still poses a threat, especially with the emergence of quantum computing, which threatens to render traditional cryptographic algorithms obsolete. With the reality of “harvest now, decrypt later” attacks, nations including Japan, India, and Costa Rica are mandating regulatory notification for encrypted data theft. On the other hand, the US and other nations are looking to be more proactive by adopting new cryptographic standards that may eventually become critical for private organizations via regulation or contracts.
“WISeKey has been very active through the SEALSQ team by establishing R&D partnerships with leading universities like École des Mines in France, which is one of the leading quantum universities in the world, and also with the international community to find cryptographic algorithms that will resist future quantum computer-based cyberattack.”
– WISeKey International Holding AG | Earnings Call 2023
Third-Party Risk Management
As cyber threats increasingly target third-party entities, security leaders are shifting their focus towards resilient investments rather than solely relying on initial due diligence efforts. Today, security leaders should prioritize risk management for third-party services and cultivate mutually beneficial relationships with key external partners. This approach aims to ensure the ongoing protection of critical assets against potential cyber risks.
Third-Party Risk Management (TPRM) involves evaluating and mitigating risks linked to contracting third-party vendors or service providers. Within this realm, various digital risks exist, spanning financial, environmental, reputational, and security domains. These risks arise due to vendors’ access to intellectual property, sensitive data, personally identifiable information (PII), and protected health information (PHI). Given the importance of third-party relationships to business functions, integrating third-party risk management into all cybersecurity frameworks is crucial.
Numerous organizations prioritize cybersecurity for their internal networks and IT infrastructure but often neglect to extend these efforts to external parties. Yet third-party relationships significantly elevate cybersecurity risk, offering potential intruders a simpler entry point into systems and networks. According to SecurityScorecard, “98% of organizations are connected to at least one vendor that’s had a breach in the last two years. As the global attack surface continues to expand, security and vendor risk management teams need complete visibility into their entire supply chain.”
Securing A Vision for the Future
Keeping tabs on key industry developments, new regulations, and competitor strategies requires a tool that separates the noise from the insights you need. With AlphaSense, there’s no need to meticulously search through databases or spend hours reviewing a cohort of documents to analyze what’s next for the cybersecurity sector.
Discover how the power of AlphaSense’s proprietary AI search technology can keep you informed on new market movements and help you stay ahead of the latest cybersecurity updates.