Historically, one of the biggest challenges in information security has been convincing leaders in business and government that cybersecurity impacts more than just your data and system, and smart investments today can lead to better general outcomes tomorrow.
Ignoring your CISOs pleadings may yield some cost benefits or convenience in the short-term, but over the long-term the consequences can materially hurt your bottom line, your long-term financial health and your ability to deliver on your mission.
A new analysis from credit ratings firm Moody’s may provide fresh ammunition to cyber employees during budget talks, finding that cybersecurity protections are becoming increasingly connected to the overall financial and economic health of sovereign nations.
Moody’s examined 143 sovereign entities, measuring a variety of indicators around their IT and cybersecurity maturity. Using the International Telecommunication Union Global Cybersecurity Index, a United Nations’ office that measures cybersecurity strength across five key areas (legal, technical, organizational, capacity development and cooperation) found that more credit-worthy sovereign nations tended to have stronger cybersecurity rankings, more effective institutions and access to greater resources and human compared to emerging market nations.
The resulting analysis “suggests that a sovereign's cybersecurity strength is strongly correlated with economic and institutional strength, with more highly-rated sovereigns demonstrating stronger overall cybersecurity positions, despite higher exposure to cyber risk,” Moody’s determined.
Nations and other sovereign entities with more developed information technology infrastructures tend to have higher credit, and not surprisingly, this can leave those same countries more exposed to cyberattacks and other digital threats due to the increased attack surface. But this digital maturity also allows organizations inside those nations access to more sophisticated cybersecurity resources, like advanced telecommunications infrastructure or a highly qualified human workforce.
That access apparently makes a huge difference — even though countries with lesser-developed IT have fewer systems and devices to hack, they tend to be more vulnerable to cyber threats overall.
The United States is a prime example. While the country’s public and private sectors are highly digitized (and thus a frequent target of hackers), efforts by agencies like the Cybersecurity and Infrastructure Security Agency to coordinate with critical infrastructure to shore up the defenses of privately owned critical infrastructure and a steady focus on anti-ransomware measures have helped build resiliency and confidence into these sectors of the economy.
Nations in the Five Eyes intelligence alliance (Australia, Canada, New Zealand, the UK and the U.S.), the European Union and others that have enacted proactive cybersecurity measures in response to the rise of ransomware or the war in Ukraine have seen similar financial benefits.
“As a result, cyberattacks are shifting to other regions with less cyber preparedness and resiliency, particularly to issuers in emerging markets,” Moody’s wrote.
As a counterexample, Moody’s cites two emerging market countries, Montenegro and Costa Rica, that experienced crippling ransomware attacks last year that disrupted or halted government services, international trade, healthcare services and other sectors and have yet to fully recover.
It’s not that these countries don’t pay attention to cybersecurity; in fact, Moody’s notes that emerging market nations tend to perform many of the same high-level strategic tasks — like developing national cybersecurity strategies and targeted laws to reduce their exposure to hacking — that higher credit nations do. The difference likely lies in how those initiatives are implemented and the overall strength of institutions and the resources they can bring to bear to address the underlying problems.
“The results underscore that sovereigns with weak economic strength, which reflects the relatively small size and low wealth levels of their economies, tend to have less economic resources available to dedicate per capita to national cybersecurity efforts, contributing to lower overall cybersecurity strength,” Moody’s assessed. “Meanwhile, sovereigns with stronger institutions and governance strength tend to have relatively stronger cybersecurity positions.”
While emerging market nations may not rate as highly as some more developed countries, governments and sovereign nations overall tend to be more resilient in the face of cyberattacks compared with other sectors. In fact, after Costa Rica experienced a pair of ransomware attacks in April and May 2022, Moody’s characterized the attacks as “a major test” of the country’s cybersecurity defenses and institutional reliance that the nation was able to pass, even as it continued to deal with lingering service disruptions.
“Even though the government was unable to prevent the attacks, it adopted ad-hoc solutions that appear to have been effective in confronting the problems that emerged from the cyberattacks,” Moody’s wrote in a brief last year.