Marsh & McLennan Advantage Insights logo
Conversations and insights from the edge of global business
Menu Search
Technology

Countering Cyber Threats in a Time of Conflict

A stylized image of servers with blowing red and blue lines connecting them

As the conflict in Ukraine enters another punishing week, companies and societies across the world face a heightened threat of cyberattacks. Russian state-sponsored actors have so far made no apparent attacks on institutions outside Ukraine but have, in the past, demonstrated the capability and willingness to target public and private infrastructure in neighboring states and beyond. And countless cyber criminals and other opportunists will seek to exploit the situation to launch malicious attacks for their own monetary gain. 

The risk of cyberattack is likely to grow as Western sanctions — which President Vladimir Putin has described as “akin to a declaration of war” — hit the Russian economy hard. The potential for harm is substantial. The NotPetya malware that Russia unleashed in Ukraine in 2017 spread to major companies around the world, causing an estimated $10 billion in damage. Corporations that have elected to cut or suspend operations in Russia in response to the invasion need to think hard about whether their cyber risk has increased. 

Governments and companies need to be vigilant in tightening their cybersecurity protocols and heightening defenses to counter these threats. Fortunately, organizations aren’t starting from scratch. They have invested heavily in cyber in recent years and, in adjusting to remote working during the pandemic, have overhauled security controls. Those efforts have been reinforced by closer regulatory scrutiny in the wake of recent attacks and new requirements from insurers seeking to deter ransomware attacks. Now, firms need to build on that progress and embed secure technology and procedures more widely.

Collaborate With Peers, Suppliers and Competitors

In today’s hyperconnected world, no organization can hope to find security by hunkering down alone behind its own walls. There is safety in numbers. Organizations also face increasingly common threats, as shown by the hack of network management software vendor SolarWinds. That attack, which the U.S. government attributed to Russia’s intelligence services, compromised the computer networks of numerous government agencies in the United States and Europe and scores of companies. That’s why companies need to cooperate with peers, suppliers and competitors. And the private sector needs to maintain a rich, relevant and active dialogue with the public sector to share information about threats, vulnerabilities and suspicious behaviors and formulate decisive practical plans for dealing with any attack. 

A new law signed on March 15 by President Biden seeks to increase intelligence sharing in critical U.S. infrastructure sectors. It requires industries in critical infrastructure sectors such as energy, water, transportation and communications to notify the government of any cyber incidents within 72 hours and report any ransomware payments within 24 hours.

The financial services sector has established a culture of collaboration through the Financial Services Information Sharing and Analysis Center. This cooperation has intensified since the United States, the European Union and other governments announced sweeping economic and financial sanctions on Russia, including a freeze on a significant chunk of the country’s foreign reserves and the removal of major Russian banks from the SWIFT payments network. Banks recognize that in the current environment, cyber defenses are essential to maintaining the stability of the financial system. Other industries, many of which have their own information and analysis centers, need to follow this example.

Use Every Tool in the Cyber Defense Armory

In recent years, organizations have invested substantially in cybersecurity, and again financial institutions have been in the vanguard. Spending on information security across the U.S. banking sector has increased at a compound annual rate of more than 15% in the last five years. During the pandemic, companies overhauled and upgraded security controls to account for different network access patterns using virtual desktop infrastructure, advanced multifactor authentication and data-loss prevention capabilities. Asset management firms have spearheaded the adoption of biometric-based access methods, significantly reducing the risk of breaches through compromised passwords.

As one CFO at a Fortune 500 enterprise recently remarked, ‘the business case for cyber investment is that we get to stay in business when the worst happens.’

Companies need to focus their efforts on maximizing the use of these tools, ensuring they are integrated effectively and configured for optimal defense. The insurance industry is serving as a catalyst here. In response to the surge in ransomware attacks in recent years, insurers have been pushing companies to adopt tools like multifactor authentication, endpoint detection and response tools, email filtering, and enhanced cybersecurity awareness training and incident response testing. Increasingly, these are table stakes for even obtaining cyber insurance coverage.

Notably, organizations cannot ignore basic cybersecurity blocking and tackling. This involves fundamentals such as ensuring that the configuration management database, the inventory of all IT services, software, and hardware assets, are up to date and that your teams have installed the latest software patches to address vulnerabilities. While tackling end-of-life systems is by no means a short-term fix, current circumstances reemphasize the need to continue to replace technology that’s not sufficiently cyber resilient against today’s increasingly malicious threats. 

Look Down the Chain

Recent attacks like SolarWinds have shown how vulnerabilities can exist deep in digital supply chains. Organizations need to engage proactively with suppliers to make sure they are taking the cyber threat seriously and adopting the same types of controls on authentication, access, controls, patch management and other sources of risk. 

Reliance on third-party tech, data and digital solutions is increasing as organizations call upon leading-edge capabilities they don’t have the talent, time, or appetite to build themselves. Given this increased dependency, the rules of engagement are changing. This means having more exacting requirements of third parties so that a given enterprise can be sufficiently comfortable in using its vendors. The typical body of requirements is increasingly stringent and demanding, encompassing areas ranging from malware and data protection policies to information classifications and incident management procedures.

Consider the Labor Force Flux

Companies also need to be vigilant about insider risk. The Great Resignation has affected cybersecurity and IT staffs as well as other areas of the workforce. Turnover is up, and many employees may be new and largely unknown to their colleagues. This can create key-person risk, where plans assume the presence of capable individuals or teams that may no longer be there. Therefore, it’s essential to verify that playbooks and associated procedures are sufficient based on current threats and that the right people are in place and prepared.

The labor force flux also provides an opportunity for disgruntled employees or bad actors. To guard against this risk, companies should review and as necessary tighten their policy on background checks, require password resets, make sure that employees’ access and privileges are consistent with their roles and be prepared to actively monitor for suspicious behavior.

No single step can guarantee protection against cyberattacks, but in recent years companies have learned a great deal about the threat, acquired many tools, and built expert teams to strengthen their defenses. With geopolitical tensions running high, organizations need to be fully prepared to mobilize and ensure they are using those tools effectively and collaborating across peers, suppliers and the authorities.

At critical times like this, historical investments in cyber risk management and security show their real value. As one CFO at a Fortune 500 enterprise recently remarked, “the business case for cyber investment is that we get to stay in business when the worst happens.”

Paul Mee

Cyber Risk Platform Lead at Oliver Wyman and Head of the Cyber Risk Initiative, Oliver Wyman Forum

Paul Mee leads the Oliver Wyman Forum’s cybersecurity initiative. He is a partner at the consulting firm Oliver Wyman and is the head of the firm’s Cybersecurity Practice. He has over 20 years of professional experience in helping organizations tackle strategically significant issues regarding strategy, governance, and information security. He leads the firm’s Cyber Risk Management value proposition.

James Cummings

Senior Advisor for Oliver Wyman

James Cummings is a Senior Advisor on Cyber Risk Management and Cyber Defense for Oliver Wyman. He is currently a Partner and Co-Founder of Next Peak, a cyber defense advisory and operational capacity building firm. He previously served as Chief Security Officer for JP Morgan Chase & Co. As a career military intelligence officer, he commanded full-spectrum cyberspace operations for the United States Air Force, and served as the Director of Homeland Defense on the National Security Council (the White House).

Get ahead in a rapidly changing world. Sign up for our daily newsletter. Subscribe
​​