The Geopolitical Influence on Business Risk Management
Report Maps Out Ten Major Geopolitical Risks That Businesses Will Face in 2019
When cybersecurity first emerged as a discrete profession, it was siloed. It was a black box profession outside of the day-to-day running of the business: its purpose was simply to protect the business. Security is now better integrated with IT. It started with a brief to protect the existing infrastructure, but is now — through SecOps — involved in building security-by design into new applications.
At the business level, security now has the ear of the board, and sometimes has a seat on the board. This is all progress, but it mustn’t stop there. Business is increasingly global in nature. That takes it into different cultures and different jurisdictions and different geopolitical risks. The CISO now needs to be included in the geopolitics of business.
VerSprite is one of the few companies that combines geopolitical risk with cybersecurity. In a newly published report, it maps out ten major geopolitical risks that businesses will face in 2019. Some of these will directly concern the security team, some obliquely, and some will more concern other departments.
The five subjects with direct cybersecurity relevance comprise: government restrictions on hardware sourcing; expanding regulatory control that differs between jurisdictions; increasing fines from GDPR; blockchain in the supply chain; and death by malware.
The five remaining risks that have minimal or no direct relevance to the security team comprise: global economic slowdown; trade wars; problems with China’s Belt and Road initiative; natural disasters/climate change; and moral hazard (such as the #MeToo movement).
The potential for government restrictions on hardware sourcing can apply both at home and abroad. China has an increasing preference for locally sourced hardware. Western governments are increasingly banning China’s Huawei from telecommunications projects. In the UK, where Huawei has long been used by BT, and where the UK government has special access to Huawei source code at ‘the Cell’, BT has nevertheless banned the use of Huawei equipment for their 5G rollout and is phasing Huawei out of its core networks.
The security team needs a geopolitical risk understanding when helping to source new purchases, and must be ready to source and test alternatives whenever and wherever necessary.
Increasing data and privacy regulations throughout the world, differing from one jurisdiction to the next, need to be closely monitored. “Already,” states the report, “more than 80 countries regulate data, and dozens more are considering legislation, increasing the burden on companies that tend to operate in dozens of countries and will be forced to comply with dozens of sometimes competing regulations.”
While the security team is rarely solely responsible for such compliance requirements, it is responsible for ensuring that security controls can deliver compliance. This requires an understanding of the global geopolitical climate to ensure that the company does not heavily invest in a technology that might be inadequate in some regions within a short period of time. “Vendors and third parties who currently use a banned technology or product, or which fail to abide by demands to use or refrain from using certain technology,” warns VerSprite, “will be forced to transition or risk going out of business.”
GDPR is a specific threat: it is changing the nature of risk management. In the past, large companies could afford to ignore data privacy regulations where maximum fines were limited to less than a day’s (sometimes far less) profit. By linking fines to a percentage of a year’s global revenue, the financial risk can no longer be ignored. The potential fines for big companies like Facebook and Google have suddenly leapt from a few hundred thousand dollars to billions of dollars.
VerSprite expects GDPR prosecutions to rise in 2019, and for non-European countries to adopt legislation similar to GDPR. This presents multiple threats. Many companies still do not understand GDPR, and/or erroneously believe they are not subject to it. Secondly, it is possible that some countries with GDPR-like legislation will use the huge fines as a way of suppressing foreign companies to promote indigenous companies. All of this will need to be known and understood by the security team in order to ensure compliance wherever these laws are found.
Blockchain, particularly in the supply chain Mitigating Risk of Supply Chain Attacks, is also considered to be a geopolitical risk — primarily because its applicability is poorly understood. A primary problem is that while blockchain can be used to secure what we can call the ‘chain of custody’, it does not secure the product itself. But it might provide a false sense of security.
Furthermore, VerSprite questions one of the primary arguments for the use of blockchain technology — financial savings. These savings through much lower transaction costs need to be judged against “the slow pace of transactions, the increased costs of running multiple nodes, and repeated forks, as well as major hacks.” VerSprite believes that a thorough understanding of the geopolitical threats to international supply chains is necessary before a business can decide between blockchain or more traditional methods of mitigation.
The final security-relevant geopolitical threat is the ultimate: death by malware. It is only a matter of time before malware such as ransomware is directly attributable for someone’s — or many people’s — death. SamSam has made millions out of attacking healthcare institutions. So far, it has not caused the death of any patients; but it could. SamSam has been delivered by two Iranian citizens. It is not currently known whether these hackers were affiliated to the Iranian government, but their targets were certainly in ideologically opposed countries.
Iran is also believed to be behind wiper attacks against Saudi Arabia, while the destructive NotPetya outbreak is confidently believed to have been started by Russian military hackers. Whether politically motivated or not, ransomware has the potential to cause death — and potentially multiple deaths if it gets into the critical infrastructure.
“Businesses that fail to take the threat seriously will find themselves unable to operate if targeted by ransomware demands that exceed available funds,” warns VerSprite. “Lawsuits may devastate even those who manage to pay the ransom, if injuries or deaths occur while the facility is incapacitated and incapable of fulfilling its responsibilities.”
Modern business is global, encompassing multiple jurisdictions and countries that may not be politically aligned with local attitudes. Policies and laws in these foreign countries can change rapidly — and it is VerSprite’s contention that only a geopolitical understanding can ensure the continued smooth-running of large multi-national companies.