Invasion of Ukraine increases cybersecurity crisis risk everywhere
By Tony Jaques Ph.D., Director of Issue Outcomes Pty. Ltd. and author of Crisis Counsel: Navigating Legal and Communication Conflict
As Russian shells and missiles smash into cities across Ukraine, a cyber-war is also underway. Although physical fighting is so far confined to just one country, the increased risk of cyber-crises is rapidly spreading far beyond. Invasion of Ukraine increases cybersecurity crisis risk everywhere globally.
For weeks before the invasion, Russian state and non-state actors were attacking online systems in Ukraine, shutting down government departments, banks and other businesses, just as they did before the invasion of Georgia in 2008 and Crimea in 2014.
Naturally Russia denied responsibility for the latest cyber-offensive, just like they repeatedly denied any planned invasion . . . right up until the first tanks crossed the border.
Now cybersecurity agencies around the world are warning government organisations and business leaders about the increased risk of cybersecurity crises originating from Russia. For example, the Australian Cyber Security Centre says cyber-campaigns aimed at Ukraine could impact Australian organisations through unintended disruption or uncontained malicious activities.
Similarly, Britain’s National Cyber Security Centre has called on organisations in the UK to “bolster their online defences following Russia’s further violation of Ukraine’s territorial integrity”. Comparable warnings have also come from USA, Canada and New Zealand.
America’s Cybersecurity and Infrastructure Security Agency has even published lists of vulnerabilities known to be exploited by Russia as well as their preferred cyber-intrusion campaigns and customised malware.
Most importantly, this is not some theoretical crisis risk. Don’t forget the Russian NotPetya virus in 2017 which was aimed at Ukraine but infected computer systems everywhere, causing an estimated $10 billion in damage globally. Or Russian ransomware attacks on Colonial Pipeline last May, which shut down fuel supplies along the east coast of America, and JBS Meats in June, which disrupted 47 facilities in Canada, US and Australia.
Sadly, in the face of such evidence and warnings, many companies still don’t have a firm understand of their cybersecurity risks – especially third-party risks in their business relationships and vendor/supplier networks. The 2021 PwC global cybersecurity survey of CEOs and other C-suite executives found 60% of C-suite respondents anticipate an increase in cybercrime in 2022. Yet, while 56% of respondents said their organisations expect a rise in breaches via their software supply chain, only 34% have formally assessed their enterprise’s exposure to this risk.
Moreover, the survey confirmed that proactive CEO engagement in setting and achieving cyber goals does make a difference. Most executives agreed educating CEOs and boards so they can better fulfill their cyber responsibilities is the single most important act for realising a more secure digital society by 2030.
What can organisations do to help minimise the risk of a cybersecurity crisis?
One answer is to implement measures such as the baseline mitigation strategies developed by Australian Cyber Security Centre, known as the “Essential Eight”.
- Application control: Ensure only secure applications can be executed.
- Patch applications: Promptly activate application patches released by a vendor.
- Configure MSOffice macro settings: Apply trusted document and trusted location functions.
- User application hardening: Use certificates and encryption protocols for secure transfer of information.
- Restrict administrative privileges: Implement restrictions as a key mitigation strategy.
- Patch operating systems: Promptly apply vendor operating system patches.
- Multi-factor authentication: Implement to prevent malicious access to a device or network.
- Regular backups: Back up constantly to the cloud or external storage devices.
Such action has always been essential. The increasing risk of cyber-crises triggered by war in Ukraine just makes it all the more urgent.
A Parting Thought
A lie told often enough becomes the truth.
Vladimir Lenin
Learn more about Reputation Risk, Cybersecurity Risk, and Crisis communication in Tony Jaques’ new book, Crisis Counsel: Navigating Legal and Communication Conflict.
“Crisis Counsel confirms Tony Jacques position as one of the industry’s foremost experts on issues and crisis management. In addressing the complex interactions between legal and communication crisis responses Dr. Jacques provides riveting case studies and practical advice. It highlights the financial and reputation risks of not effectively integrating communications and legal counsel. It should be on every communications practitioner’s reading list and companies should insist their in house and external legal counsellors read it.” – Noel Turnbull, Former Chair of Turnbull Porter Novelli, Adjunct Professor, RMIT University.
“Senior managers who find themselves in the C-suite for the first time, Crisis Counsel should be mandatory reading. Such specific legal and communications provocations are not covered in university management courses, and the introduction is replete with illuminating case studies and key takeaways. The author provides sage advice for Chief Executives who must ultimately make a decision based upon what they think is the right thing to do; often under pressure. Crisis team leaders and team members will find this book equally of value, as the more you know about it, the better you and the team will be.” – Jim Truscott, Director, Jim Truscott & Associates Pty Ltd, Perth, Australia
“For far too long, the role of lawyers in crisis management has been neglected. If discussed at all, it is often in negative terms. Tony Jaques adjusts this picture in masterly, yet eminently readable terms. His comprehensive discussion of apology in crisis management is likely to be a go-to source for years to come. This is a welcome book for anyone interested in how crisis-confronted corporations (and other organizations, too) can navigate the tricky legal waters of communicating under fire. For university teachers like me, it’s a rich source of well-researched case studies. A gem!” – Chris Galloway, PhD, Head of Pubic Relations, Massey University of New Zealand