Cyber resilience: the impact of global crises on security of a start-up

With increasing digitalisation of every aspect of our private and professional lives, cybersecurity is becoming one of the most relevant topics of today and tomorrow. While cybersecurity itself can be considered as one of the critical drives of future regional and global crises, it is also tightly intertwined with other future events. This was already visible during the COVID-19 pandemic, which indirectly changed the whole cyber threat landscape. Since information and advanced technologies will be in the centre of future resilience, cybersecurity will have to evolve accordingly. 

Start-ups and SMEs have always presented a weak link when it comes to cyber resilience of national and internation economies. They usually do not have sufficient financial and human resources, but most importantly, they most often underestimate their attractiveness to cyber criminals. On the other hand, start-ups and SMEs are the main drivers of research and development in European union and are thus crucial for economic security of member states and EU as a whole. This means that to achieve economic and technological resilience of EU, we have to urgently address the issues of start-ups and SMEs. 

The current global situation, and predicted future crises (such as geopolitical tensions, regional wars, climate change, demographics crises and mass migration) calls for: 

• Holistic and flexible cybersecurity policies, which will help start-ups and SMEs with their present issues but will also enable them to respond quick enough to changes in cyber threat landscape. 
• Inclusion of cybersecurity challenges in other policies and plans for societal resilience. 
• More cooperation between start-ups, SMEs and national cybersecurity bodies, security services providers and research organizations. From policies to concrete solutions and measures, all stakeholders should work together to develop tailored and optimal answers for current and future threats. 

The mission of Slovenian Cyber Resilience Lab (SCRL) is to understand how ensuring cybersecurity in Slovenian start-ups and SMEs will change with emergence of future crisis events, as well as how to ensure cyber, technological and economic resilience in an unpredictable future. 

Survey on cyber issues and challenges of start-ups and SMEs 

Before thinking about future developments, it is important to understand, which factors currently affect the ability of start-ups and SMEs to ensure necessary cybersecurity measures. This enables the lab to track the changes on impact and uncertainty of each individual factor, to then propose and implement targeted policies accordingly. 

Figure 1: High impact factors of cybersecurity adoption.

The lab core team has conducted a survey among Slovenian start-up companies and R&D oriented SMEs. The results of the survey show, that most high impact factors come from the “Economic” STEEPL category, followed by social, political, legal and technological factors. The results of the survey provide an insight into the factors, which impact the ability of start-ups and SME to implement efficient cybersecurity programmes. The results served as a base for the first Slovenian Cyber Resilience Lab workshop.

First workshop with the stakeholders 

After gathering and analysing the results of our survey, the lab organised the first workshop. Various stakeholders from start-up communities, policy makers, security service providers and researchers were invited to discuss the identified factors and discuss the unpredictability of their future developments.

The team presented the findings of the survey to the participants , who were asked to discuss the factor based on their projected impact and future uncertainty. In the second part of the workshop, stakeholders were asked to use factors from the survey as a base to propose future events, which would further enhance the barriers of cybersecurity adoption. While there were some discrepancies (mostly due to the background of stakeholders), the following key factors (events) were identified as most impactful and uncertain: 

• Global armed conflicts and cyberwars. 
• Supply chain disruptions. 
• “Brain drain” and lack of trained specialists. 
• Recession and inflation. 
• Political instability. 
• Rapid technological advancements and uncontrollable company growth. 
• Growing complexity of legislation and bureaucratisation. 

Learnings and next steps 

This shows, that even though managing cybersecurity is primarily an internal responsibility of every single company, the ability to ensure cybersecurity is highly dependent of large-scale global events. This further emphasises the need for future policies, which will not only address the current needs of start-ups and SMEs, but will also provide tools and resources, which will enable start-ups and SMEs to adapt their capabilities to changes in the global threat landscape. Start-ups and SMEs have to be quick in recognising the developments and changes on local and global scale and give more emphasis to long-term risk analysis. 

It is clear that most major future crises will have a direct or an indirect impact on managing cybersecurity and will consequently impact the technological and economic resilience of Slovenia and wider region. This is why it is important to challenge the high level of uncertainty, which comes with the large number of driving factors of global crises, proactively, by making cybersecurity a part of all resiliency policies and plans for all societal challenges of the future. Or at least consider the implication to cybersecurity when creating new policies for societal resilience. As global crises become more and more interconnected, the role of national and EU policy makers also grows ever more important. 

The lab will further explore the impact of possible future events on the cyber resilience of Slovenian R&D community in the next scenario building workshop and test already established as well as newly proposed policies in policy testing workshop.