Search
Preserving security has evolved into a monumental effort for organizations. Whether they’re manufacturing a product, financing a development, or administering a public program, government and business leaders alike face a volatile geopolitical environment that brings an overwhelming number and variety of global risks and threats to their front door.
Could a business partner’s actions be violating new US sanctions related to war across the globe? Could a small network vulnerability expose trade secrets to a nation-state actor? Might criminals be circumventing fraud monitoring systems with synthetic identities? Could supply chains’ integrity be punctured?
Our interdependent global economy coupled with technology’s rapid development, while offering many benefits, nevertheless creates indisputable complexities and exposes organizations to a tinderbox of unforeseen risks. Adversaries that were once too far away and under resourced to threaten a multinational corporation or government agency now represent a clear and present digital danger. Rival governments can be seen engaging in cyber espionage against public and private networks to disrupt, threaten, or endanger defense initiatives and programs, critical infrastructure, intellectual property, and undermine economies. increasingly complex sanctions, export controls, and other measures that governments leverage against these threats and others create an array of regulatory risks.
In the first part of this two-part series, we examine why preserving security has become more complex in this global economy, new challenges and opportunities, and how organizations are fighting back against more sophisticated bad actors.
Today’s unprecedented, dynamic, and rapidly metastasizing threat-heavy geopolitical environment is one of five interconnected global trends that present government and commercial entities with escalating challenges. We’ve identified Reimagining Resilient Communities, Accelerating Innovation and Tech, Optimizing an Adaptable Workforce, Maximizing Data, and Geopolitical Risks and Preserving Security as megatrends: forces that are occurring on a global scale and driving the rapidly evolving complexities of the world today.
To preserve security in this geopolitical environment, organizations require in-depth knowledge of not only cybersecurity, fraud, and sanctions, but also the overlapping, related megatrends. They need the expertise to execute effective, practical solutions that allow leaders to navigate these interconnected challenges.
Understanding the full scope of any organization’s geopolitical risk landscape can appear to be an overwhelming requirement. Governments and businesses face three primary challenges to Preserving Security: cybersecurity, fraud, and sanctions.
Enterprise leaders are largely aware of cybersecurity and fraud as ever-present risks. It’s the depth and breadth of these risks that organizations are challenged to navigate. Cyber adversaries are creative and sophisticated. Whether nation-states, criminal gangs, or individuals driven by ideology or financial gain, they can spend years and enormous resources building an attack. But resource-strapped bad actors can also evolve and innovate at lightning speed.
Key cybersecurity adversaries targeting public and private entities today include:
Nation-State Actors — The US Cybersecurity and Infrastructure Security Agency (CISA) has classified China, Russia, North Korea, and Iran as supporting some “advanced persistent threats” to the US government and private sector.1 The Office of the Director of National Intelligence’s 2023 Annual Threat Assessment singled out China as “the broadest, most active, and persistent cyber espionage threat to US Government and private-sector networks.”2
Hacktivists — The global cybersecurity non-profit FS-ISAC cited hacktivism—individuals and groups motivated by an intrinsically just cause—as a key threat trend in a 2023 report.3 It attributed the rise of hacktivist threats in part to tensions surrounding the Russian invasion of Ukraine.
Financial Criminals — Financial fraud remains a primary driver of cybercrime. The FBI reported $10.3 billion in victim losses to its Internet Crime Complaint Center in 2022.4 A 2023 report estimates global losses of $8.15 trillion to cybercrime in 2023 and expects that annual total to rise to $13.82 trillion in 2028.5
Cybersecurity vulnerabilities can also pass from one system to another, such as in the case of supply chains, in which one partner can—knowingly or unwittingly—pass a virus to another and continue to pass it along further. Organizations must not only account for their departmental and operational cybersecurity but also understand the security of their partners, even multiple layers deep into their third parties’ value chains and their partnerships.
Zero trust architecture (ZTA) and identity and access management (IAM) have gained traction in response to this complex cybersecurity risk environment. President Biden’s 2021 executive order mandating that the federal government advance toward ZTA set a new standard for modernizing cybersecurity practices. Over the following year, the percentage of organizations with an implemented ZTA initiative jumped from 24% to 55%, according to a survey by IAM technology provider Okta.6
While many organizations have prioritized cybersecurity technology and policies, a lack of governance and other key elements to Preserving Security can limit the impact of those investments. Without things like consistent enterprise-wide implementation, as well as continual risk assessment and prioritization, vulnerabilities can continue to persist throughout the enterprise.
Even when leaders can properly assess their risk and develop applicable cybersecurity governance, risk, and compliance (GRC) programs, the response and execution can remain a challenge. Workforce and cyber skill shortages—a key theme in the Optimizing an Adaptable Workforce Megatrend—as well as budget constraints can make comprehensive cybersecurity programming seem unattainable without guidance from professionals who have solved these challenges before.
As the global landscape has grown more complex, so have the tools governments use to navigate threats to national security, the economy, and foreign policy goals. The US government now sanctions more countries, entities, and individuals than ever before and at an unprecedented pace.
Even before Russia’s Ukraine invasion, the US Treasury’s Office of Foreign Assets Control (OFAC) reported 9,421 sanctions in use in 2021, an increase of 933% since 2000.7 This makes international business more complex for both US companies, especially those with overseas interests, and foreign companies doing business in the US. Every new name added to OFAC’s sanctions list can potentially put existing business relationships and partners in violation of US law.
Economic sanctions against Russia since the 2022 invasion have particularly challenged financial institutions. Because these sanctions are so targeted, and financial institutions’ international relationships are so complex, some organizations have needed to invest additional resources to undertake the increasingly complex due diligence to ensure they are only interacting with authorized third parties, steering clear of sanctioned or otherwise prohibited entities and persons.8
Complicating organizations’ efforts to comply with sanctions are bad actors’ innovative ways of evading them. OFAC has reported attempts to evade Russian sanctions through third-party intermediaries or transhipment points meant to disguise the identity of a sanctioned individual or entity.9 This can make organizations’' good-faith efforts to comply with those sanctions ineffective. The same sort of cat-and-mouse game plays out with many others seeking to evade or obscure sanctions and other trade restrictions.
In the face of ever-changing sanctions, financial institutions and other organizations must ensure their compliance programs have the capacity and agility to quickly enforce new sanctions and commerce-related prohibitions, apply asset-tracing and-freezing requirements, and adjust their risk management processes.
While the combination and rapid evolution of these threats can seem overwhelming to an organization, having the right strategies, programming, and governance are the key to success.
In the next Preserving Security article, we explore strategies that can not only elevate a company's security but also make the process far less complicated.
1. Cybersecurity and Infrastructure Security Agency, “Advanced Persistent Threats and Nation-State Actors,” US Department of Homeland Security. https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persistent-threats-and-nation-state-actors.
2. Office of the Director of National Intelligence Reports and Publications 2023, “2023 Annual Threat Assessment of the US Intelligence Community,” Office of the Director of National Intelligence. https://www.odni.gov/index.php/newsroom/reports-publications/reports-publications-2023/3676-2023-annual-threat-assessment-of-the-u-s-intelligence-community.
3. FS-ISAC Newsroom, “Geopolitical Tensions Enables Increased Hacktivist Cyber Threats in 2022,” FS-ISAC. https://www.fsisac.com/newsroom/pr-navigatingcyber2023.
4. FBI Internet Crime Complaint Center, “Federal Bureau of Investigation Internet Crime Report 2022,” FBI. https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf.
5. Ani Petrosyan, “Estimated cost of cybercrime worldwide 2017-2028,” Statista. https://www.statista.com/forecasts/1280009/cost-cybercrime-worldwide.
6. Okta, “The State of Zero Trust Security 2022,” September 2022. https://www.okta.com/resources/whitepaper-the-state-of-zero-trust-security-2022/
7. US Department of the Treasury, “The Treasury 2021 Sanctions Review,” October 2021. https://home.treasury.gov/system/files/136/Treasury-2021-sanctions-review.pdf
8. Thomson Reuters, “The Fog of Sanctions: Global banks and businesses face unprecedented challenges in applying measures against Russia,” 2022. https://www.thomsonreuters.com/en-us/posts/wp-content/uploads/sites/20/2022/07/Russia-Sanctions-White-Paper-2022.pdf
9. US Department of the Treasury News/Press Releases, “With Over 300 Sanctions, US Targets Russia’s Circumvention and Evasion, Military-Industrial Supply Chains, and Future Energy Revenues,” US Department of the Treasury, https://home.treasury.gov/news/press-releases/jy1494.
Guidehouse is a global consultancy providing advisory, digital, and managed services to the commercial and public sectors. Purpose-built to serve the national security, financial services, healthcare, energy, and infrastructure industries, the firm collaborates with leaders to outwit complexity and achieve transformational changes that meaningfully shape the future.