As a growing number of governments around the world pull away from globalization, diplomatic and economic ties risk weakening. This could lead to nation-states feeling emboldened to carry out cyber attacks with less concern for damaging relationships that are already deteriorating and, in turn, could pose widespread risks for organizations.
A new report from FTI Consulting, Corporate Board Member and Diligent Institute found that while 79 percent of board members whose companies have international exposure beyond the United States view geopolitical risks as a threat to their business strategy, less than ten percent are prioritizing the management of geopolitical risks.
Consequently, boards and management teams should be prepared to face targeted cyber attacks with national security implications through a proactive approach that focuses on resilience. This approach includes ensuring a robust incident response plan is tested and implemented, critical assets are protected and third parties with network access meet cybersecurity standards.
For boards of directors, this could mean revising the company’s vulnerabilities to falling prey to these growing threats and assessing the potential impact of a breach, including financial losses, operational outages, compliance penalties and reputational damage.
Here are some of the potential threats companies face in this environment:
- Cyber attacks on critical infrastructure. These are targeted attacks that have the potential to disrupt essential services such as water or electricity and weaken economic stability by impacting financial systems, thereby causing loss of consumer confidence.
- Targeting of senior leadership and key decision makers. The mobile devices of executive-level stakeholders and decision-makers could increasingly become the target of advanced nation-state actors, who are seeking confidential and sensitive information stored on these devices. In addition to the damage such an attack can cause on the company and individuals targeted, the stolen information can also become a national security threat, for instance by enabling espionage campaigns.
- Intellectual property (“IP”) theft. These attacks are typically aimed at sensitive technologies, defense innovations and cutting-edge research and development. When nation-states steal and replicate proprietary information, they diminish not just a company’s competitive advantage but also a nation’s, both technologically and militarily. The loss of sensitive or classified information has the potential to negatively impact national security interests through the development of adversarial capabilities and countermeasures.
- Supply chain vulnerabilities. Cyber attacks focused on vital supply chains, especially those connected to defense, telecoms or manufacturing, could cause essential systems to be manipulated or disrupted. These impacts threaten national security by restricting access to vital goods and products or enabling espionage through hidden backdoors that nation-states can exploit once compromised items reach consumers and organizations. According to our survey, 80 percent of board members at U.S. public companies identified renewed supply chain disruptions as a risk, highlighting the vulnerability of supply chains.
How Boards Can Prepare
A potential increase in national security-related cyber threats highlights the important role of boards in ensuring that proactive cybersecurity risk management is a strategic business imperative.
However, according to the board members participating in our survey, incident identification and disclosure processes have been reviewed by only 51 percent. As noted in the report, “this indicates many boards are not helping support the implementation of protections, leaving organizations vulnerable to cyber attacks and regulatory penalties.”
Boards can help their organizations prepare by focusing on the following areas:
- Supporting a culture of security across the organization. Foster employee awareness regarding security risks by encouraging accountability at all levels and providing continuous training and education. Demonstrate the importance of this culture by leading from the top, including considering national security risk in governance decisions and setting a responsible tone.
- Establishing a risk management framework that takes into consideration national security issues. Develop a holistic risk management framework that accounts for national security threats so that they can be properly assessed and mitigated. This framework should not remain static but instead be regularly reviewed for evolving threats and updated as needed. Beyond this framework, the organization’s policies and procedures should also compensate for national security threats.
- Strengthening protections around critical assets. Invest in protection measures like network segmentation, multifactor authentication and endpoint detection to secure critical assets and limit access if breached. Conducting regular cybersecurity program assessments is also necessary to identify vulnerabilities and allow for adaptations based on the evolving threat landscape. Critical assets can be further protected by ensuring that sensitive IP is encrypted at rest and in transit and by deploying data loss prevention solutions to prevent unauthorized data exfiltration.
- Understanding the evolving regulatory environment. Ensure compliance with regulations that impact national security threats, such as export controls, foreign ownership and investments and sensitive technologies. As the threat landscape evolves, so does the regulatory environment, making it vital for boards to proactively adapt and ensure compliance with new obligations.
- Implementing tools to address national security-related issues. Invest in the tools necessary to monitor, identify and remediate national security-related threats, like a zero-trust framework and insider threat monitoring. These capabilities will limit unauthorized access and help identify suspicious network activity.
- Engaging advisors to collaborate on your unique threat profile. Work with experts who have direct experience with both national security threats and complex regulatory environments and can provide tailored assistance. Collaboration is essential when facing targeted cyber attacks.
- Preparing for external communications. Create and practice a crisis communications plan built on pressure-tested scenario planning, accounting and ensuring readiness for various scenarios and rapid execution. This process should also include identifying reporting obligations in advance, so that relevant parties are informed in the event of a national security incident.
Rising geopolitical tensions and an expected increase in cyber threats from nation-states mean that boards must be proactive to keep up. They must recognize that enhancing cyber resilience goes beyond compliance; it is a tactical obligation necessary to protect critical assets, maintain business operations and safeguard national security interests.
By prioritizing risk management and implementing the preparation strategies outlined in this article, boards can better protect against escalating nation-state cyber threats, enhance supply chain security and confidently navigate a complex global landscape. A well-prepared board will be equipped to mitigate imminent cyber risks and strengthen resilience against future threats with the potential to disrupt national security.
