WEF Global Cybersecurity Outlook 2024 reveals growing cyber inequity, impact of emerging technologies

The World Economic Forum (WEF) released Thursday its Global Cybersecurity Outlook (GCO) 2024, a collaborative effort with Accenture. The report analyzes upcoming cybersecurity trends and their potential impact on economies and societies. It also sheds light on significant findings, emphasizing the growing cyber inequity and the profound influence of emerging technologies.

The report also revealed that in various workshops held for its creation, discussions on resilience placed significant emphasis on the criticality of operational technology (OT) security.

“Legacy systems were most pronounced in organizations with an operational technology (OT) footprint,” the WEF wrote in its Thursday report. “This issue becomes more apparent when looking at how responses differ between cyber and business leaders. Following on from the fact that the gap between cyber and business leaders is closing, the main conclusion of the GCO 2023 report, both groups said that resource or skills gaps were the highest barriers to cyber resilience (38% of business leaders and 32% of cyber leaders).”

It added that for security leaders, securing legacy technology (29 percent) and cultural resistance to change (25 percent) followed close behind. Interestingly, this is where business leaders’ paths diverged, with 14 percent and 8 percent respectively agreeing with security leaders on these challenges. Both securing legacy technology and cultural resistance to change stem from issues with resources and skills gaps. 

The report also pointed out that it appears that in the view of security leaders, these challenges cannot be addressed until they have the people and skills with which to address them. For business leaders, these challenges are more tenable, as their work is not immersed in the day-to-day tasks of designing for cyber resilience. 

“The barrier will become even higher as organizations rush to adopt generative AI and other elements of emerging technology. However, most organizations either do not upgrade older systems or do so much more slowly than the speed at which they introduce more tools and new technologies,” WEF said in the report. “This in turn expands their technological footprint and adds risk. What is more, larger organizations weighed down by a greater and older technology burden will be less able to assist and monitor the smallest organizations in their supply chain. This would strain support mechanisms in the ecosystem and exacerbate the inequalities discussed in the previous section,” it added. 

The WEF report highlighted that there is growing cyber inequity between cyber-resilient organizations and those that are not. “The number of organizations that maintain minimum viable cyber resilience is down 30%. While large organizations demonstrated remarkable gains in cyber resilience, SMEs showed a significant decline. More than twice as many SMEs as the largest organizations say they lack the cyber resilience to meet their critical operational requirements,” it added. 

Emerging technology will exacerbate long-standing challenges related to cyber resilience, as this will in turn accelerate the divide between the most capable and the least capable organizations, the agency revealed. “As organizations race to adopt new technologies, such as generative artificial intelligence (AI), a basic understanding is needed of the immediate, mid-term, and long-term implications of these technologies for their cyber-resilience posture.” 

Also, fewer than one in 10 respondents believe that in the next two years, generative AI will give an advantage to defenders over attackers. Approximately half of executives say that advances in adversarial capabilities (phishing, malware, deepfakes) present the most concerning impact of generative AI on cyber.

The report also focused on the cyber-skills and talent shortage that continues to widen at an alarming rate. Half of the smallest organizations by revenue say they either do not have or are unsure as to whether they have the skills they need to meet their cyber objectives. Only 15 percent of all organizations are optimistic that cyber skills and education will significantly improve in the next two years, while 52 percent of public organizations state that a lack of resources and skills is their biggest challenge when designing for cyber resilience.

WEF pointed out that an alignment between cyber and business is becoming more common. “Organizations (including both business and cyber leaders) must continue to invest in and maintain an awareness of essential security fundamentals. 29% of organizations reported that they had been materially affected by a cyber incident in the past 12 months. The largest organizations say that the highest barrier to cyber resilience is transforming legacy technology and processes.” 

It also identified that there is a clear link between cyber resilience and CEO engagement. This year, 93 percent of respondents who consider their organizations to be leaders and innovators in cyber resilience trust their CEO to speak externally about their cyber risk. Of organizations that are not cyber resilient, only 23 percent trust their CEO’s ability to speak about their cyber risk.

WEF also found that cyber ecosystem risk is becoming more problematic. “For any organization, the partners in its ecosystem are both the greatest asset and the biggest hindrance to a secure, resilient, and trustworthy digital future. 41% of the organizations that suffered a material incident in the past 12 months say it was caused by a third party.” 

It added that 54 percent of organizations have an insufficient understanding of cyber vulnerabilities in their supply chain. Even 64 percent of executives who believe that their organization’s cyber resilience meets its minimum requirements to operate say they still have an inadequate understanding of their supply-chain cyber vulnerabilities. Also, 60 percent of executives agree that cyber and privacy regulations reduce risk in their organization’s ecosystem, up 21 percent since 2022.

In its conclusion, the WEF report said that ​​the struggle to maintain high-quality – or even adequate – cyber-resilience capability is fast becoming a zero-sum game. 

“The ability to cultivate best practices, to compete for sufficient talent and, in some cases, simply to afford the right tools and services, is increasingly determining which organizations win and which lose out,” WEF identified in its report. “As a result, the organization’s most lacking can least accomplish it. A secure supply chain requires all organizations to meet minimum viability for a truly secure ecosystem, but the inequity that exists today makes it vulnerable. Yet it does not have to be this way and there are many reasons to be optimistic about the near future.”

It added that prudent cyber-resilience practices – the fundamentals that cyber professionals and prescient business executives have learned are wise – are slowly but surely working. Nonetheless, something must still change the current trajectory. 

“Otherwise, as seen throughout 2023, early adoption of new technology by leading-edge organizations, the struggle by those on the underside of the curve to keep pace with foundational capabilities for trust and security, and fragmented incentives within digital ecosystems will accelerate digital disparity in the coming years,” the WEF wrote in its report. “Furthermore, the interconnection of the digital economy makes it inevitable that the negative effects will compound, affecting everyone. Therefore, everyone needs to work together to encourage sustainable capability for the future – including developing the right priorities and organizational culture while providing for equitable access to talent, technology, and security tools.” 

Lastly, the agency pointed out that raising systemic resilience – all organizations closing the inequities that divide and improving the resilience of what connects – is not only the most pressing requirement, it is the greatest responsibility.  

In November, the WEF published a paper providing guidelines to ensure cybersecurity in the OT environment, at a time of increasing digitalization and convergence of the OT and IT (information technology) environments. Ensuring OT cybersecurity is fundamental for the continuation of industrial operations, which are essential for keeping global economies and infrastructures running.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.