Cyber Threats Are Intensifying. Policymakers and Businesses Need a New Strategy.
Increasing digitization, the explosion of the Internet of Things (IoT/IIoT), the expanding use of hybrid cloud, the pace of technology innovation and adoption, blockchain, AI, 5G and hyperconnectivity all contribute to an environment increasingly vulnerable to cyber attack and/or disruption.
In fact, it has recently been reported that cybercrime is set to cost businesses more than $5 trillion. Ransomware payouts shattered records in 2021. Small businesses are vulnerable, too—six in ten go out of business within six months of experiencing an attack. Governments have also suffered humiliating and damaging breaches, such as the SolarWinds hack, which purportedly originated with foreign intelligence, and the Iranian cyber-attack that breached sensitive voter databases and spread misinformation about the 2020 election.
And yet, despite the urgency of the threat, two-thirds of chief information security officers (CISOs) say their businesses are not prepared to face cyber-attacks.
It is clear that business as usual isn't working. An approach that focuses strictly on cyber defense will not suffice. Today, it is no longer a question of whether cyber attackers will breach our defenses, but when they will break through and how much damage they will do. Hackers only need to be skilled (or lucky) enough to break through just once; businesses and governments would need to fend off 100 percent of the constant attacks to remain safe—a hopeless proposition.
Just as our approach to COVID has shifted from focusing only on prevention to embracing a broader strategy that also includes managing its inevitable impact, cybersecurity must also adopt a new posture. It's time to embrace a comprehensive strategy for cyber resilience—not just cyber security. Cyber resilience means anticipating, protecting against, withstanding, and recovering from attacks on cyber-enabled services. It goes beyond conventional cyber security and emphasizes continuity and recovery, because eventually, attackers will penetrate our defenses no matter how good they are.
These cyber incidents affect all of society, spreading uncertainty and risk among the general public, governments and commercial markets alike. Therefore, to effectively keep the attackers at bay and reduce the negative consequences of these incidents, the public and private sectors should together embrace a comprehensive approach to both defending against and recovering from cyber attacks. We must make 2022 the year we implement a whole-of-economy cyber resilience strategy. The business community and policymakers must align on a consistent set of cyber resilience principles to ensure that our entire economy and critical institutions are prepared for future attacks.
That starts with building on the steps taken in 2021. Last year, as part of the Infrastructure Investment and Jobs Act, Congress passed $1.9 billion in cyber resilience funding for the power grid, including $100 million to support organizations recovering from cyber-attacks. Public and private sector leaders should invest in recovery and continuity from cyber-attacks throughout the economy, not just in the energy sector.
In August, the Biden administration announced that it would work with several major companies, including Google, Microsoft, and IBM, to establish a new framework for improving cybersecurity in the technology supply chain. Policymakers should continue these efforts with frameworks for other industries as well, especially ones like financial services and health care, through the same collaborative process. This process should be conducted in partnership with governments and businesses around the world, to ensure a consistent protective posture and avoid a dysfunctional balkanization of standards and practices.
Time is of the essence as the risks continue to grow. The world is embarking on digital transformations at a furious pace. This creates new opportunities as well as new risks, and organizations must quickly follow through on their cyber resilience commitments to manage these risks. At the same time, new technologies like AI, blockchain, and the Internet of Things are growing rapidly and offering cyber attackers more entry points into our lives, expanding what cyber experts call the "attack surface."
One of the greatest resources we have in the battle against cyber risks is perhaps the easiest to overlook: human talent. Jen Easterly, Director of the Cybersecurity and Information Security Association (CISA), says that investing in human capital is "the most important thing we can do" to address cyber threats. Over half of business leaders say their organizations lack cyber skills, making them vulnerable to attack. And yet, millions of cybersecurity jobs remain unfilled.
For our part, Kyndryl has aligned around the principle of cyber resilience in managing risk. We have nearly 90,000 experienced team members across 63 countries, many of whom specialize in cyber resilience as a service. We've filed more than 3,000 patents, and we've served 75 of the Fortune 100 companies. We at Kyndryl stand ready to work with government, private sector companies and organizations of every kind to ensure a safe and resilient global economy.
We must always remember that prioritizing cyber resilience does not mean being overcautious or bringing business to a screeching halt. On the contrary, building cyber resilience empowers leaders to take smart risks and aggressively pursue their ultimate objectives. Cyber resilience doesn't constrain us—it gives us the freedom to do the critical work at hand.
The world is changing fast and we are all in it together. We should make 2022 the year that the business community and policymakers collectively embrace cyber resilience principles and prepare our economy and democratic institutions to survive and thrive amidst the threats that await us.
EMEA Cyber Strategy Lead & Global Cyber C-Suite and Board Lead @ Accenture
3y: Kris Lovejoy excellent thoughts and absolutely agree wholeheartedly. It’s a team sport and the recovery to the business process is essential for the resilience of the company. Great perceptions.
Corporate Communications
3y: Cogent, clear and compelling commentary on this important issue.
Head of Sales, Business Development and Alliances & Partnerships at Kyndryl
3y: Security is one of the key practices within Kyndryl. Clients and partners can rely on our expertise.
Global Cybersecurity Solutions
3y: Well said Kris.