Supercharged trends in digital transformation, cloud computing and other forms of remote working and emerging technologies are enabling companies to operate with seamless global connectivity.
This is making organisations far more agile than ever before, but at the same time leaving them hugely vulnerable to the growing threat of cyber-attack.
Increased geopolitical tensions have far-reaching implications for global trade and commerce while also shaping evolving cyber-threats. Rising gas prices, semiconductor shortages, inflation and unstable stock markets—these all raise questions about firms’ competitive advantages.
Generating effective strategies to counter these challenges is problematic. Cyber concerns are critical issues for wealth-creation organisations and nation states.
In addition, the use of cyber-weapons in geopolitical conflict has become tantamount to declaring war. An increased emphasis on surveillance, espionage, disruption and destruction is overtaking dialogue and diplomacy.
Nations use cyberspace as a defensive and offensive strategic platform during geopolitical differences. Exploiting cyberspace further allows nation-states and rogue groups to gain a foothold within critical industries, exploiting information platforms and destabilising important computer functions in the process.
Serious damage
The impact, frequency, and intensity of ransomware have increased significantly, presenting companies with financial, regulatory, operational and reputational challenges which, in some instances, are impossible to recover from.
Organisations must be prepared to plan and develop cyber-incident response plans. Businesses need to assess their exposure to ransomware attacks and other technological interference. Companies need to enhance their cybersecurity to deal effectively with this new reality.
Companies are often compelled to report security incidents such as data breaches to regulators.
In the UK, legislation requires organisations that experience a ‘covered cyber incident’ to report the issue to the Information Commissioner’s Office no later than 72 hours after the entity ‘reasonably believes’ such an incident has occurred, unless there is no evidenced risk to individuals’ rights and freedoms.
However, no such compulsion exists when it comes to reporting cybercrime to law enforcement. There is an estimated gap in the millions between the number of reported cybercrimes and actual incidents.
An image problem
The issue is not poor reporting, but companies’ fear of reputational damage. Top executives have to balance promoting a positive image to enhance competitive advantage against the level of disclosure required.
The pressure on companies to address cyber concerns to enhance competitive advantage and limit reputational damage to the organisation will continue to increase.
Under these circumstances, what is likely to be disclosed is questionable as share price is largely determined by soft factors, such as trust and reputation, rather than tangible issues like products and services.
Top executives are treading a very fine line between disclosure and safeguarding the organisation through minimal reporting of cyber threats. This will increasingly threaten legal repercussions for senior executives.
Andrew Kakabadse is professor of governance & leadership and Nada Kakabadse is professor of policy, governance and ethics at Henley Business School.