It's highly likely that if your organization hasn't experienced a cyber incident, it will at some point in the future. And you don't want to wait till that incident occurs to then put your cyber crisis communication plan in place. Welcome to Radio Davos, the podcast from the World Economic Forum that looks at the biggest challenges and how we might solve them.
This week, as the Forum publishes its Global Cybersecurity Outlook 2025, we look at the risks and what we can all do to fight back. Technology is being deployed both by the good guys as well as the bad guys. A lot of criminal outfits as well are starting to harness AI technologies very effectively.
The rapid rise in artificial intelligence is just one of several crucial issues covered in the cybersecurity outlook. How do we harness these benefits in a way that does not introduce more risks into the enterprise? The head of the Forum's Center for Cybersecurity walks us through some of the main findings in this major piece of research.
And we hear from two experts working to improve individuals' and organizations' defenses against potentially devastating cybercrime. We are aiming to meet a million children across Africa to be able to deliver this cybersecurity education. The major issue for organizations is not how do we keep the bad guys out, but how do we build resilience so that if, or perhaps when, the bad guys get in, we have a plan in place for responding and recovering? Follow Radio Davos wherever you get your podcasts. I'm Robin Pomeroy at the World Economic Forum. And with this look at the global state of cybersecurity. Cyber resilience, it's no longer a nice to have. This is Radio Davos.
This week we talk about cybersecurity and to do that I'm joined by the head of the World Economic Forum's Center for Cybersecurity, Akshay Joshi. Hi Akshay, how are you? Hi Robin, nice to see you. Nice to see you too. For anyone who doesn't know what the Center for Cybersecurity does, what does it do? So the Center for Cybersecurity was launched by the World Economic Forum in 2018 in response to the growing cyber threats.
It's an independent and impartial platform benefiting from the platform provided by the World Economic Forum, and it seeks to bridge the gap between cyber leaders and business executives. Cybersecurity in today's day and age can no longer be a technical problem. It needs to be dealt with as a strategic priority as any other within organizations.
However, leadership has often trailed behind as it pertains to understanding cybersecurity issues. And given the Forum has always been very great at attracting senior leaderships from organizations and nations, with the Center for Cybersecurity, we've managed to curate a community that comprises the senior most cybersecurity leaders across the world.
And our efforts are constantly aimed towards bridging the gap that exists between these two sets of stakeholders so we can improve the state of cybersecurity globally. And you've just published the latest edition of your Annual Cybersecurity Outlook. What is the Cybersecurity Outlook? How do you put it together? What is it supposed to do? In 2022, for the first time, the Center decided to launch the Global Cybersecurity Outlook. As I mentioned previously, it's really important for senior leadership to be equipped with the right knowledge so as to be able to make strategic decisions about cybersecurity risks facing their organisations.
The Cybersecurity Outlook, which comes out every year in January, offers senior executives insights on the most salient issues in cyberspace and also points their attention towards the actions that they need to take to stay ahead of some of the risks that are panning out in cyberspace. So if I was an executive of a company, I could pick up this report and it would really give me an outlook of what's going on around the world, things that might be coming down the pipeline, cyber attacks, and also hints to how I should be preparing for those. Is that right? That's absolutely correct. That's the objective of the cybersecurity outlook.
It's produced in a way that is really easy to understand for senior leaders, and it's not produced with a technical bent of mind. It's really looking at cybersecurity from a more business or overall security perspective and is really looking to arm senior leaders with the insights that they need to inform decision making on cybersecurity issues. So could you give us a few headlines of the main findings that are in this year's report? So one of the biggest things that we've discovered in this version of the report is there is an increasing complexity in cyberspace. This increasing complexity stems from a multitude of factors. First of all, there is prevailing geopolitical uncertainty. 60% of
executives have in some way, shape or form changed their cybersecurity strategy or it's impacted their cybersecurity strategy overall. So the uncertainty that we're seeing in different parts of the world is having an impact on the cyber realm. Why is that? Can you explain or give us some kind of example of how that would be? So, for example, when you see wars today, they are not just about physical warfare. You also see the fallout in the cyber realm.
So, for example, if you see increasing targeting of critical infrastructure or otherwise, it just impacts business decisions in terms of where they would like to operate or what are the vendors that they're working with. For example, if they're working with a vendor that is based in a region that has an increased level of risk, it invariably impacts your overall risk profile as well. So it's just to give you a sense that while we're not talking about absolute decisions, when you look at the sum total of risks facing your organization, the geopolitics and the impact it has, even on cyberspace, plays a key role in terms of how people make decisions as to how they remain cyber secure.
You highlight this word complexity. I think you're going to say there are other types of complexity or other things adding to this complex picture. Certainly, there are various elements. So I spoke about geopolitical uncertainty. The second aspect is supply chains. Supply chains are becoming increasingly complex. As a matter of fact, you know, the
impact on one particular player within the broader supply chain can have cascading effects across the entire supply chain. In 2024, for example, we experienced one of the biggest IT outages, which was due to a faulty update to a particular software that had impacts across different sectors of the economy.
So it just gives you a sense of how these risks are more and more pervasive. As a matter of fact, 54% of large organizations believe that supply chain related risks pose the greatest impact to cyber resilience of their organization. So what's driving all this complexity? Is it that the world's getting a more complex place or is it the cybersecurity itself, the technologies that are available?
What are those big drivers that are changing this and making this all ever more complex? You know, you raise a really good point. Cyberspace is essentially a reflection of how our society is evolving as well. Now, if we look at emerging technologies, of course, over the past couple of years, we've seen tremendous advances in AI.
So as we see advances in AI, of course, organizations are rushing towards adopting these technologies within their environment. In our Global Cybersecurity Outlook report, for example, 66% of executives believe that AI technologies can have the most significant impact on cybersecurity.
But at the same time, 37% of organizations lack adequate processes to safeguard against the risks from AI technologies being adopted. So they're confident or there's a lot of confidence that AI can help them make themselves more cyber secure, but also a lot of them are not ready for the risks that are coming from AI. Absolutely. So I think it's a bit of a paradox if we think about it.
Now, if we look at the adversarial element of it, of course, organizations are rushing to bring in AI technologies. But equally, we are starting to see that a lot of criminal outfits as well are starting to harness AI technologies very effectively. As a matter of fact,
47% of organizations, of respondents, believe that adversarial advancements because of Gen AI are a big concern. So this just gives you a sense of, you know, I think the technology is being deployed both by the good guys as well as the bad guys. And we really need to make sure that we are adopting these technologies in a secure manner so as to
provide better cybersecurity for our organizations and also other applications. I mean, AI obviously offers tremendous applications beyond cybersecurity as well, but at the same time, how do we harness these benefits in a way that does not introduce more risks into the enterprise?
Well, actually, we're going to hear a couple of interviews in this episode of cybersecurity experts that we were able to speak to during the recent event that you organized here at the World Economic Forum in Geneva, the Cybersecurity Summit. Yes, exactly. It's the annual meeting on cybersecurity that we host every year here in Geneva that brings together roughly around 170 of the world's foremost cybersecurity leaders to explore ways to make cyberspace more resilient.
Now we did several really good interviews. We're going to hit just two on this episode. Hopefully there'll be more in episodes to come. Both of these two interviews are with people working to raise awareness of the problem and help companies and individuals find solutions. The first of these two interviews is Confidence Stavely, who's the CEO of CyberSafe. Tell me something about Confidence.
So Confidence is doing some really, really great work in terms of the skills domain in general in Africa. And with us, you know, she's been an extremely engaged contributor to the forum's work on the Strategic Cybersecurity Talent Framework. Now, cybersecurity skills is a huge problem across the board, but it's even more grave when you look at developing markets.
And Confidence's work is really incredible in that regard. Let's hear Confidence Stavely. She was interviewed by my colleague, Katarina Gordychuk. Why do you think it's not easy for a lot of people to understand cybersecurity best practices or just generally the trends that are happening today? And how in your work are you trying to change that?
I think first and foremost, people don't necessarily see themselves as, you know, people that could be attacked by cyber criminals. And when I mean people, I mean as individuals or as businesses of different sizes and in certain sectors, for example. You know, so that detachment from what could be possible and not seeing the reality of them being moving attack surfaces is also an issue that we see. There's also the problem of being too complicated for the average person, both in the communication and in the actions to be taken. So
I typically would want to simplify things, not just by dumbing them down, but also applying them to the people I'm speaking to per time. And I find that that changes how people receive the message. So our major challenge in cybersecurity is also communication. And aside from just making it relatable to the people I'm speaking to, I've also contributed to changing it by mode of delivery.
So a lot of times we think that cybersecurity education must be done in very formal settings. You're sitting in a conference and learning about cybersecurity or you're demanding for that information by going for courses or something along those lines that you're consuming maybe online. But I find that we need to more importantly mainstream cybersecurity awareness. Where are people getting entertainment?
People are spending hours scrolling through their phones and social media. Why aren't we making cybersecurity awareness something so enjoyable, and something in little bits that's actually what people can take per day to change and improve their security posture? And for me, I'm just really dedicated to looking at how we can use instruments of entertainment. For example, pop culture is one, you know, Afrobeat culture is one. If we can use this instrument of lifestyle that we currently even consume to then mainstream cybersecurity awareness and education, I think that would be very game changing. And that's one of the key things I'm really passionate about. How do you sort of use this in some of your campaigns of looking at cybersecurity with entertainment, with an eye for learning something curious as opposed to just very serious facts that one must know?
I think that edutainment is one key thing we need to do more of because sometimes it's necessary that education doesn't just become something you go to, but something that comes to you. And so for us, it's just really leveraging that in our campaigns. For example, we created Africa's first Afro-based cybersecurity awareness song.
And first and foremost, it first sounds like you're dancing somewhere at a party. But then you're hearing about two-factor authentication. You're hearing about password length and safety. We need to teach people cyber hygiene more often. And then using edutainment is one of the key ways that we've seen that these little actionable things can be passed on to people. We've been able to do this
through the song I spoke about, the No Go Fall Maga campaign song in one of our campaigns that really reached 20 million people. And we saw how that really helped in terms of supporting people during and post-COVID when there was so much increase in cyber attacks on the citizenry. Also, we see how
very entertaining short videos on social media, something called skits can be used as well. We have our favorite entertainers that we consume a lot from, from the very stupid things you can think about to even very mindful, logical things that you want to consume. So why not use those comedians, for example,
why not use those actresses that people already love? And so those are some of the key things we've been able to inject in our campaigns. For children, you know, African children love folktales and it's the way we grew up. We have also been able to use those folktales and those story settings
to then be able to share cybersecurity education with children. And we've had that in all of our campaigns across CyberSafe because we believe that cybersecurity education shouldn't be something that we do outside of the psychology of human interaction because those two key things need to meet. Confidence, it's very clear that you're so passionate about cybersecurity. How did your journey start and why has it been such an important subject for you?
My journey was a sheer string of happenstances. I stumbled into technology in the very first place.
I had been sold being a medical doctor for so long that I thought it was going to be my path until I took a gap year between going to college and finishing high school and took that gap year and that was when I got exposed to computers for the first time, learned how to program and I just knew this is where I had to be. So I sold it to my parents using cardboard papers as my means of doing a presentation because at the time I couldn't afford a laptop and I think this experience has also really shaped how I design programs.
And then I got exposed to computers, loved it, sold to my parents that I wanted to do technology, went on to do an advanced diploma in software engineering, got a BSc in IT and business information systems. And then it was during my master's in IT management that I took a course in cryptography that then led me down the rabbit hole of information security. But then I clearly saw that since everything around our civilization was wrapped around technology, I wanted to be one of those who protect it because protecting
the technology we're consuming is not a matter of just protecting that technology. It's now a matter of protecting our civilization. And I use this analogy quite a lot. I say, you bought a nice car, for example, and you gave it to your child. Would you give it to your child without teaching your child how to drive, for example, knowing where the brakes are, knowing how to change the oils in the car, for example,
Very basic things. But what we're doing is we have technology in our hands. Innovation is growing at a very rapid pace, but we're not showing people and organizations where the brakes are and how to apply them for their safety. So as much as we want to get the benefit of technology, we must also be very conscious of the risk. And in that way, we'll be able to have the protective mindset and the tools to then protect ourselves. And that's why I'm really passionate about this field.
I'd love to ask you a bit about your campaigns. There are so many and they're all targeting different groups of people that have their unique vulnerabilities to cybercrime, for example. Tell me a bit about Shine Your Eye. How did it start and who is it aimed at? Shine Your Eye was really targeted at older citizens. And so for us, it was really ensuring that we're able to speak to them and speak in their language and use the tools that will be helpful to them, put them in their hands and simplify how they could protect themselves.
And so that's what the Shine Your Eye campaign was really about. We got the funding to then create tools, create a campaign, and then reach over 100,000 people that are senior citizens. And we've been able to reach them across eight African countries that really typically are in the process of cyber criminals and also have a lot of money in savings to lose. I mean, just like my mother, my mother was a victim of cyber crime and she just took a phone call.
someone pretending to be from her bank. And then that was it all. And I saw secondhand, very distressing, how really bad that experience could be. And I want less and less older people to be victims of cybercrime. And that's why Shine Your Eye exists.
That must have been so distressing for your family to experience. When it happened, what was going through your mind? Did you have any mechanisms to protect yourself and your mom and your family? I felt in that moment that I had failed my mom a bit. And that's the thing. As a cybersecurity professional, you're thinking about cybersecurity from the lens of protecting enterprises, the enterprises you work for, right? But cybersecurity is more than that.
We need to not put people and users of technology on the back burner. We need to ensure that we're centering them in both preventive and responsive education. There's not enough around what you should do if something bad happens. Enterprises are not putting enough focus on that for the users of the technology or the users of the services they're delivering through technology. And for me, that's exactly how I felt. I felt I had not given enough information to my mother, for example. I had not inoculated her mind enough.
And that's what happens. We forget usually who the people are at home who have this information for ourselves and for the enterprises we serve. And for me, it was that sort of moment where I felt like, oh, I had missed the mark.
There's lots of different ways of cybercrime to exist, right? It's not just about sort of you're clicking on the link and it's more about playing with people's emotions. That is that it becomes so personal. How can we protect people, young people, but also older people, everyone from that sort of risk? I think there are many ways to do it.
First and foremost is to acknowledge that we are different, we have different influences and just getting the information about how our personalities can then impact our responsiveness or our susceptibility to certain attack types and certain persuasion types.
Because we see that most of the attacks till today, majority of them start with social engineering, which is just deception in very simple terms. So really just understanding how your personality, for example, drives that and then getting the knowledge to then protect yourself. So that's something that both as individuals and as corporate organizations,
that needs to be prioritized. And it's not something that needs to be done just one-off. It needs to be reinforced. It needs to be reiterated. It needs to be refreshed. So when there are new, very widespread attack types or attack modes, that information needs to also be communicated as well. And people need to seek that information. I believe that these are some of the key ways that we can protect people and organizations.
What about Cyber Smart Child? That's another campaign that's targeting kind of the other end of the spectrum, very young kids. How is that campaign going and why is it important for you to focus on that population too? I mean, we're putting devices in children's hands these days. Sometimes children less than 10 years old to be able to do their homework and their assignments. And we find that cyber criminals are targeting them as well for grooming, for sextortion and for all sorts of attacks.
And these children typically believe what they see, unless told otherwise that who you're talking to may not be who you think it is. And so even when we think we don't have them on social media, for example, because they're not old enough, children are getting on social media actively. Children are getting on dating sites, for example. Children are clicking on pop-ups, for example, that come on their computers from school, tools that are pirated that we install on their laptops, for example, for them to be able to do their homework or other learning activities on their smart devices. Children are increasingly being abused, children are increasingly being in harm's way, children are taking their lives because of, you know, sextortion, which I spoke to you about earlier on. Sometimes the pictures that are released of children aren't those children actually, but they are pictures of these children, you know,
superimposed on AI generated images, for example. So all of those things and even the changing dynamics of how AI is coming in to really help with the cyber crimes has made it super important for us to really prioritize children's education as it has to do with cyber. But more importantly, the key thing I want to communicate is that it's not flat education for children. The way you would talk to a six-year-old is different from the way you would talk to a teenager, right? And many steps in between as well. So recognizing that, recognizing how to communicate those best practices and do it in a way that
catches the attention of children as fleeting as their attention span is, is very key in the way cyber education should be delivered. And we've been able to do that in a small way considering that there are limitations as to how you can do cyber education and the funding challenges as well around it. But we've started off very strong. We are aiming to reach a million children across Africa to be able to deliver this cybersecurity education.
Are there any real-life examples or stories that have stayed with you throughout the years of how people have been affected by this knowledge you've given them? Talking about stories, there's so many, one too many to share. There's one that I absolutely love and really just shows the power of giving young women opportunities. There's the story of Fela Oshideko in Nigeria who didn't have any form of digital education. She didn't know how to use computers on digital.
She came through our doors and cyber girls program. And then we taught her how to use computers. She went on and she made this promise to herself that she was going to be the best graduating fellow in our program. This young woman actually became the best graduating fellow because she put in so much work. So she went from not being able to use computers to being able to
provide penetration testing services to companies. And she was quickly hired immediately after the program, even though she didn't have a degree. This was a person who had to support her family by working a job that paid her about $10 per month. And then she took, you know, the skills we were able to give her, got into a job and then increased her earning. She's now able to support her family and herself, and she is exactly doing what she loves to do. She is finding vulnerabilities, for example,
that could cost companies hundreds of thousands of dollars per year in terms of losses. She's also come back to mentor the program that she benefited from. So I see how that is a full circle moment. And it makes me so proud because it also confirms that when women have access, which is the biggest barrier to them coming into cybersecurity, they'll make the best out of it and they will come out shining. And it's just for us to put our money where our mouths are and form programs like Cyber Girls Fellowship.
Confidence Stavely, CEO of CyberSafe. She actually had a lot of interesting things to say about the way cyber attacks can often depend on your personality. She's talking about cyber attacks on individuals. Young people can be targeted in a certain way, older people in a different way, and the work she's doing seems to have targeted advice and help for those people. I mean, that's a big deal, isn't it? How all of us are potential victims of a cyber attack of some kind. And it can depend on who we are, what our personality is, what our job is, what applications we're using. It's very different for all of us, isn't it? It is very different. It's vulnerable populations that I worry about the most. It's, imagine if there is a pensioner who gets scammed into making investments using the proceeds from their pension
into a scam. It's what happens, you know, I think the ripple effects are pretty significant.
At one level, you experience a certain degree of shame. You don't want to talk about it because, you know, I think how are you going to be perceived by different people, which is why you often don't tend to report. Once the cyber criminals understand that you're vulnerable, you often get follow up requests. Oh, we can help you recover if you were to only do that. So it's not a one time effort for the most part whereby they scam. There can be a series of scams that follow as a consequence and you just
go with it in the hope that this is what will allow you to recover what you've lost. So I really worry about the vulnerable populations, the elderly, you know, I mean, who are obviously increasingly digital, but at the same time, you know, may not have the same awareness as it pertains to what is good hygiene in cyberspace. But equally, I'm quite concerned about
children as well who may not have the maturity in terms of how to interact with technologies. So I think these are, it's a pretty broad gamut, but in general, I think these vulnerable populations can really have very, very significant impacts if basic cyber hygiene does not exist.
Yeah, and Confidence there talking about going to the places those people are and communicating with them in a language they understand. I thought it was very interesting. Now she works in Africa and I think you mentioned just before we heard that clip about cyber inequity, and this was a big theme of last year's report.
And that's inequity, the inequality between regions, between big and small companies. Can you just tell us something about cyber inequity and why that's an important thing to you? Absolutely. Cyber inequity, we tend to apply three lenses as we are looking towards cyber inequity. The first one is the classic one, the big organization versus the small organization lens, right? And here, if we are looking at small organizations, this year in the Global Cybersecurity Outlook, 35% of small organizations report as being not resilient. This is a 7x increase as compared to 2022.
So it's gone up pretty significantly. If we look at the large organizations, it's roughly halved. So most of them are investing a lot more effort into ensuring that they are more resilient and therefore, you know, the ones reporting that they are not cyber resilient has gone down significantly. So that's the big versus the small. The second lens is really the
mature markets versus the developing markets per se. And here, if we look at it, research reveals that in Europe and North America, for example, it's a mere 15% of the respondents who lack confidence in their nation's ability to respond to cyber threats.
These numbers are significantly larger as you look towards Latin America or Africa, for example. So this is the second lens to cyber inequity. The last is the sectoral inequity. So we all know that financial services tends to be really, really mature as it pertains to cybersecurity for good reason. They're managing all of the finances, have to be really, really top notch over there. But then you have a lot of other sectors that are arguably
very, very important, but at the same time, not as cyber resilient. The public sector, for example, 87% of respondents from public sector organizations report having moderate to critical skills gaps
you know, to defend against the increasing cyber risks. So these are three lenses that we tend to take towards understanding cyber inequity. And I spoke a bit about, you know, the prevailing cyber complexity. Now, inequity in itself viewed under these three lenses is pretty significant. If you superimpose prevailing complexity, it's a different ballgame altogether. So we believe that prevailing complexity exacerbates cyber inequity. I love the fact, by the way, that you're pulling these figures out of your brain. I hope I'm going the right way. OK, people can check. They can mark your work against the report, which is available online.
Very impressed by that. Another thing in this year's report is about skills, and this is something we talk a lot about on Radio Davos, at the World Economic Forum in general, the future of jobs, the future of skills, and there's a talent shortage in this area. Tell us something about that and what the report reveals. So the cyber talent gap is one of the most significant impediments towards achieving cyber resilience, as reported by a number of organizations globally.
Our research reveals that this gap has grown by 8% as compared to last year, with two in three organizations reporting moderate to critical gap in terms of essential cyber skills.
Now, this is pretty significant because the risks are ever increasing. We spoke previously about how new technologies are being harnessed by cyber criminals, resulting in more targeted attacks, you know, more sophisticated techniques. And at the same time, there is a growing deficit in terms of cyber capabilities that are available to the organization. So all in all, it has pretty significant impacts on cyber resilience of the organization as a whole.
The World Economic Forum Center for Cybersecurity has been actively addressing this issue over the past years. In fact, following recommendations from senior leaders, we put out the first ever Strategic Cybersecurity Talent Framework that provides steps, a pretty robust approach towards bridging the cyber skills gap, and provides really good recommendations in terms of how individuals can enter and thrive in the cybersecurity workforce. I mean, whose responsibility is that? Is that companies, schools, universities, governments? I mean, who has to...
make changes there that means there are other people available to do these important jobs? You know, I would say that it's all of the entities you mentioned. I think there are concrete actions that each and every stakeholder needs to take. Now, let's take the example of curriculum. You know, a lot of the regular programs don't necessarily have a cybersecurity component to that. So you can think about cybersecurity in two layers. One is cybersecurity education and awareness for the wider population. The second is targeted curriculum to train the next generation of cybersecurity professionals. So I think efforts need to be invested in both of these domains. Another key element is the industry as a whole.
So is there a positive narrative associated with a career in cybersecurity? Has industry done enough to make cybersecurity a really aspirational career option?
As far as I'm concerned, I think the mission that a cybersecurity professional serves is pretty profound. You're helping safeguard the benefits of digitalization for all, which is an extremely tall order. But at the same time, I don't believe as of today, this mission is as apparent to an aspirant in the job market.
So there's a lot that needs to be done to build this narrative. There needs to be an abundance of curriculum and pathways. Once we have people who join the cybersecurity workforce, we need to build dedicated career trajectories for them so that they can go on to take more specialized domains. And while we do all of this, we need to bear in mind that cybersecurity is an extremely stressful occupation.
For example, when most of us tend to take a little bit of downtime around the end of year period is when scamsters tend to be most active, which means that the threat profile of an organization is significantly high, which in turn further means that the cybersecurity professionals don't really get a chance to unwind as most of us do. And therefore, you know, I think the well-being aspects of cybersecurity professionals also need to be given due consideration.
confidence after the first interview we heard, she really gave that idea of this was a mission. This isn't just about ticking boxes. This is about protecting even her mother, she talked about. It's a real mission for her. And I think that could be a very attractive thing. We all like to hope our jobs make some kind of difference. And you're saying this industry does. Let's hear from a second of our two interviews then from the recent cybersecurity meeting you held here.
This is someone who's got practical tips for companies on how to improve their cyber security, but also their cyber resilience and what to do in the event of a cyber attack. Tell us about Kerry Pearlson.
So Kerry Pearlson is the executive director of cybersecurity at MIT Sloan. She's been an extremely engaged contributor in our work and has worked very actively towards the work that we do on cyber resilience. Recently, we launched a paper on unpacking cyber resilience where we're trying to help leaders understand cyber resilience in business terms, as opposed to a lot of the technical definitions that are out there. We're trying to position it as the ability of an organization to minimize the impact of cyber incidents on its goals and objectives.
And that's extremely straightforward, right? So Kerry has been very active in terms of working with boards, really putting forward incredibly powerful pieces in terms of how boards should be exercising their responsibilities, et cetera. So really glad that we have her perspectives here. Let's hear from Kerry Pearlson. A cyber crisis communication plan is a bit different than just a general crisis communication plan. Many organizations have...
business continuity plan or some sort of crisis plan of what they're going to do in the event of a disruption to their business.
And there are all sorts of disruptions besides cyber disruptions. But it turns out that there are some unique factors to a cybersecurity incident. In our research, we uncovered some specific things that managers can do to really be ready in the event of a cyber crisis. For example, in a cyber crisis, the event usually unfolds. You don't know everything that's going on right at the beginning of the crisis.
Unlike, say, a hurricane or a tornado or an earthquake where the damage is done and now you have to recover from that kind of damage. In a cyber incident, you may not know everything for days, weeks, months, maybe even longer. Sometimes the bad guys have been in your system for a long time and they're just deploying whatever the malware is creating some sort of cyber incident. So you have to communicate with your stakeholders with incomplete information.
Number two, often our first reaction, our first thoughts about what we want to say are wrong. In fact, in one example, a company called the situation a cyber incident. Turns out it wasn't a cyber incident. And there were consequences to the word incident. There were legal ramifications. There were responses from the other stakeholders.
to a cyber incident that would have ended up being irrelevant if they hadn't called it a cyber incident at the beginning. There's a tendency to want to share a lot of information even if you don't know that information. You want to assure your stakeholders that everything is perfect and fine and that they're going to be fine, but you don't really know that yet. So you need to be careful what you say. So in the moment there's a lot of stress, there's a lot of tension,
There's a lot of urgency. It's really important to have thought through ahead of time, what are you going to say in a cyber crisis that will help you when or if the situation actually arises? Why is it important to tailor responses based on a stakeholder that an organization wants to be in touch with?
So there are different reasons why you might want to handle different stakeholders differently in a cyber crisis. Let's just be very specific about customers, for example. You may have some customers that are very large. They may be a significant portion of your business and you want to handle them more carefully with maybe a C-level executive reaching out to them. You may want to connect with them C-level to C-level versus lower level to lower level. You may want to assure them that
The business impact for them is different than they may be thinking it is upfront. And that can only happen with a one-on-one conversation. It's about keeping the trust going that you have with your customers. There may be other segments of your customers where you're not as significant in their operations and social media posts or a letter, an email, some other kind of communication might be sufficient to let them know what's going on. So you want to have thought through that before the crisis occurs. You don't want to wait till there's a cyber crisis to then decide who are you going to contact, what resource do you need to contact them, how are you going to contact them. Number two, when there's a cyber crisis, first of all, normal modes of communication might not be working. If your email is corrupted, you can't send emails, and that's your plan,
then you're in trouble. So you need to have plan B and plan C in mind also, just in case. But there are also opportunities to use creative ideas in reaching out to your stakeholders. In one example, we had a hospital that was impacted by a cyber incident and was unable to make appointments.
And was unable to call people because their phone list was locked up. They couldn't even call their potential patients or their current patients to tell them what was going on. They couldn't reach out to them under normal channels. So they took out an ad to let patients know that the traditional mechanisms weren't working and that their systems were down. And not to worry if you couldn't make an appointment right now, they would be back. But it wasn't that they didn't want your business.
or they didn't want you to be able to reach your medical provider, but they just had to find a different creative way to reach their constituency. So what I'm hearing is really preparation is such an important piece to this, doing practice runs, doing tests.
How should companies and organizations approach this? Yes, I think that's a really good point. So it's really important for organizations to have prepared for a cyber crisis communication. Another opportunity is to actually practice what you might be doing in a cyber crisis for communications. So one of the tools we advocate
in our findings from our research is really to do tabletop exercises or other kinds of fire drills where you think about we're in the middle of a cyber crisis, how are we going to communicate with, pick your constituency, your customers, your suppliers. And then you do the what if, well what if that mode of communication is down? How are we going to communicate with them? And using the opportunity to practice as a way to think through the different alternatives you might have if there was a cyber crisis.
When there is a crisis, there's of course a lot of shifting of resources as well, of human resources. What impact does this have or might this have on this communication strategy? How can a company make sure that they actually have people doing this job instead of, well, doing the fixing or doing the non-communication bit of the crisis? Well, balancing resources in a crisis is a big issue. And so I think cyber crisis planning is very important.
And we often talk about tabletop exercises and fire drills as a way to do your planning. You put your business continuity plan in place, you stress test it for other kinds of crisis, and then you stress test it also for a cyber crisis. In one organization we looked at, they had a crisis plan, not just a communication plan, and they had it on their computers. And their computer experienced malware, which put ransomware on their system and locked everything up and encrypted all their files. And where do you think the plan was?
Well, it was encrypted with everything else in their system. So if they had done a tabletop exercise or they had prepared ahead of time, they might have noticed, hopefully they would have noticed, that one non-digital copy could have been the savior for their crisis communications. Turns out in the case I just described, the point person was an administrative assistant who happened to have printed out the
cyber crisis plan. And so she had a copy of it on paper. Everybody had laughed at her because she printed everything out on paper. But when the crisis occurred, she was ground zero, not the person you would have expected to be in the role of the owner, if you will, of the crisis plan. So yes, resources shift in a crisis.
and particularly a cyber crisis. And if you can plan ahead and think through how are these resources gonna shift, you can identify the gaps in your staffing plans and maybe have other staff on board. I should also say that depending on the kind of cyber crisis that you experience,
The people you rely on, the external companies you rely on, may or may not be available. If it's a cyber crisis, for example, that hits your whole industry and you're not the biggest player in the industry or you haven't put relationships in place with some vendors who might help you recover, they may not be available at the last minute. They may be helping other people that are also experiencing a similar crisis. That would be something you could identify if you had done a tabletop exercise or some sort of planning exercise.
As you were giving this example, I was also thinking that very often in big organizations, we put so much trust in this one specific way of doing things, usually digitally. And what if that specific method is completely blocked? And then maybe there isn't a trusted way for us to reach even our colleagues or stakeholders. So
it begs the question, well, maybe we should diversify ways in which we're working so that when we are at risk, we don't have to rely on this one specific way of dealing with crisis.
I think it's really important to have multiple ways of working and multiple ways of communicating with all of your stakeholders, but particularly with your employees. Because if there's a cyber crisis, and this isn't all that much different than a physical crisis, other kind of crisis, but if there's something that brings down your normal modes of working, you want to have alternative modes
so that the business doesn't stop just because the crisis is unfolding. Again, I think preparation is the key here. So if you aren't actually able to use the normal modes of working, everybody comes in the office, the office is closed, computers are down, the network is down, you don't have your normal ways of communicating, then you want a culture where people know what it is they're supposed to do and how they're supposed to continue on. And often we don't even think about that. We figure that if there's a cyber crisis, the cyber team will take care of it. Maybe some external vendors will come in and help us. Maybe the government will come in and help us. We don't actually think through the whole organization and what might be down and what they should or shouldn't do in the event of a cyber crisis. What are some of the things that people don't know about cyber threats and cybersecurity? So there are all types of cyber incidences that could occur from many different sources.
Not every cyber incident occurs because a bad guy decided to attack your company today, put a ransomware software into your system and all your systems are locked up. Oftentimes malware is somehow inserted into a system. It could be because a supplier unwittingly logged into your systems and
they had some sort of malware on their system that was transitioned over to your system. It might be because some employee clicked on a link or a phishing email that they shouldn't have clicked on and that introduced malware into the system. So malware can get into the systems in a number of different ways.
Sometimes it can be in your system a long time before you even know it's there. So thinking through the different ways that cyber vulnerabilities present themselves in your business and thinking about ways that you might notice them and building multiple layers of defense
so that you have different ways to recognize if something's in your system, different policies in place, different procedures. And one of the tools that I think is most useful for organizations is building a culture of cybersecurity. Many organizations, people think that cybersecurity incidents are handled by the cyber department, maybe even your IT leaders. But it turns out that every single person in an organization can play a role in helping keep the company more resilient, more secure.
For example, if you see something, say something. If you see a phishing email come across your desk, report it. Don't just not click on it, report it to your cyber people or to whoever the designated person is. If you notice that one of your colleagues is
leaving files open that somebody might inadvertently see that they shouldn't have seen, say something to them. Say it nicely, but say something to them. It's not inappropriate to help everybody around you be as secure as you are. And that starts to talk about the values, attitudes, and beliefs that organizations put in place
to raise the awareness and change the behaviors that people in the organization do that help keep them secure. So I personally believe that everybody in the organization can play an important role in keeping the company resilient and cyber resilient, cyber secure. And that's another tool that many organizations
are starting to put in place as ways to combat the way that malware might propagate in their organization. Let me talk just a minute about resilience. So I think today the major issue for organizations is not how do we keep the bad guys out,
But how do we build resilience so that if or perhaps when the bad guys get in, we have a plan in place for responding and recovering? You know, you could put forth a vision of wouldn't it be amazing if we had a cyber incident and nothing bad happened? We didn't lose money. We didn't lose our operations. We didn't have to shut down. Our reputation was intact. It'd be awesome if that happened. Well, that's not reality today. Reality today is if you have a cyber incident, there's probably going to be damage.
But a resilient company would have put in many mechanisms in place so that they could respond more quickly. It doesn't mean they're not protected. It means that they fought through the response and recovery piece of a cyber incident just as much as they fought through the protection and detection piece of a cyber incident. So it might mean things like putting
exercises in place so they plan. It's sort of like going to the gym. You go to the gym to build muscles. Well, if you never go to the gym and build muscles, when the time comes for you to have those muscles, you may have a problem. If you think you're going to be cyber secure but you never put in place the plans or the activities or the exercises to build those response and recovery muscles, then you're not going to be very resilient when the time comes if you have a cyber incident.
So I think we need a mind switch. We need a mind change, a mindset. Instead of focusing most of our resources on being protected, we need to think about building protections but also devoting a significant amount of resource to the response and recovery. Because I think it's highly likely that if your organization hasn't experienced a cyber incident, it will at some point in the future. And you don't want to wait until that incident occurs.
to then put your cyber crisis communication plan in place or your tabletop exercises in place or your phone list of who's gonna call whom or switching your resources around so that people know what their role is. I think we make our best decisions when we're not under stress. If you've put in place
the steps and the thoughts of what it would be to respond to a cyber crisis, then you have a much better chance of responding quickly. And maybe even responding that brings you to a higher level of operation than you were at before because you've practiced this and you know what you need to do and what's in place to get you back to at least operations, if not even better. That was Kerry Pearlson of MIT, the Massachusetts Institute of Technology.
Regulations. This is something you bring up in your report, the cybersecurity outlook and the fragmented nature. Companies have, particularly big multinational companies, have a lot of jurisdictions and regulations to deal with. Why is fragmentation of regulation such a problem? What might be done to improve things? Regulations, you know, I think it's on the one hand,
Most people across the board believe that regulations play a pretty significant role in terms of embedding baseline cyber resilience. In the absence of regulations, the incentives are not quite aligned towards investing in cyber resilience, right? So they play a very, very important role. But when you're thinking about fragmentation as a whole, it has significant costs for organizations who say that it
It can cause really, really big challenges as it pertains to maintaining compliance. 76% of CISOs who we polled at the annual meeting on cybersecurity actually believe that the fragmentation of regulations across different geographies has significant implications to compliance. Remind us what a CISO is? A Chief Information Security Officer.
There's kind of good news and bad news in the report. One thing that's possibly good news is that cyber resilience is becoming a competitive advantage. So I think what that means is if a company gets this right, it's a more valuable proposition to its customers. Tell us something about that. So absolutely, you know, as we were talking about cyber resilience, it's no longer a nice to have
I think organizations across the board need to invest in it. If we are looking at supply chains that are increasingly more interconnected, you're only as strong as the weakest link in the chain. I know this is a cliched phrase, but it is really, really true because of the impacts we see across the entire chain when one of the players is targeted.
So you need to ensure that you're looking at not just your own preparedness, you need to look at the preparedness of the ecosystem as a whole. And this entails several measures. For example, you need to be looking at vetting processes for all the players that you choose to do business with. So there are very...
stringent vetting processes that a lot of organizations undertake when they decide to do business. For example, Salesforce a couple of years ago actually said that they will not work with any organization that does not have multi-factor authentication.
simple step, but at the same time can be a significant boost for cyber resilience overall. So I think it's really, really important for organizations to think about how they're making the requisite investments, because even though organizations don't necessarily compete on cybersecurity, like you rightly said, if cybersecurity is done right, it has the ability to be a competitive differentiator. And it's so interesting what Kerry Pearlson was saying about
kind of stress testing the resilience of a company to cyber attack, what would you do in a cyber attack? Even to the point, as she mentioned, of did you print out your plan? Because if someone's locked up your computers, you won't be able to see your plan if that's where it is. Do you think companies are doing these stress tests and
in the same way that we should all be doing fire drills, making sure the fire alarms work. Do you think that's happening? Is it happening enough? And is that part of what you're doing here is to try and get companies to do that kind of thing? Look, we touched upon the element of inequity, right? So inequity also pans out in terms of the measures that organizations take towards preparing for when a crisis hits.
So the large organizations, I choose to believe that the vast majority of them are understanding the gravity of cyber risks, are doing drills from time to time, tabletop exercises, et cetera, in terms of how do you do things. Let's take a simple example, right? You started talking about the computers getting locked out. In certain live instances where I spoke with the executives who had been impacted, they said that one of the basic things was that because we have
all our phone numbers linked to the organization's directory. The moment the infrastructure shuts down, you no longer have access to the phone numbers as well, or you don't know the phone numbers of different people that you need to reach out. So this goes towards
telling you how much of preparedness needs to happen, how we need to have these fallback measures, etc. and invest in crisis training as a whole. But if you're thinking about some of the smaller organizations, I would argue, again, going back to the inequity dimension, maybe not a lot of consideration is being given to preparing for when these risks go live, right? So I think there's a lot that needs to be done.
Akshay Joshi, head of the Center for Cybersecurity at the World Economic Forum. Thanks for joining us on Radio Davos. Thank you very much. The Global Cybersecurity Outlook 2025 is available now to download. Link in the show notes. And please follow Radio Davos on your podcast app of choice, especially if you want to stay in touch with what's happening this year at the annual meeting 2025 in Davos. You can get loads more on that at wef.ch slash wef25.
and across social media using the hashtag F25. This episode of Radio Davos was written and presented by me, Robin Pomeroy, with reporting by Katrina Gordychuk. Editing was by Jerry Johansson. Studio production by Tess Kelleher. We'll be back next week, but for now, thanks to you for listening and goodbye.