As cyber threats grow, complicated by the growing intensity of geopolitical risks, how can organizations be nimble and outsmart the next attack? Vinod Bange, a data privacy and protection expert and Baker McKenzie partner, talks to Meet The Leader about what’s still overlooked – and the questions that leaders should ask themselves to be truly cyber ready. He also shares the unique ways that business and government can work together to share best practices and strategies, all while breaking down why this sort of collaboration has traditionally been slow to happen.
Podcast transcript
Linda Lacina, Meet The Leader: Welcome to Meet the Leader, the podcast where top leaders share how they’re tackling the world’s biggest challenges. In today’s episode, we talk about cyber readiness -- and the mindsets and approaches that might be overlooked.
Subscribe to Meet The Leader on Apple, Spotify and wherever you get your favorite podcasts. And don’t forget to rate and review us. I’m Linda Lacina from the World Economic Forum - and this is Meet the Leader. 
Vinod Bange, Baker McKenzie: The real issue and the challenge with cybersecurity is that it's a risk that is multi-dimensional. So, focusing on one dimension that is tech alone, means you're only focusing on one plane of the threat risk.
Linda Lacina, Meet The Leader: Cybercrime is growing. And while we can’t eradicate it - we can mitigate it, and find new ways to be more nimble and outsmart the next attack. 
One way forward? Classic collaboration. The nature of fighting cybercrime has meant that who criminals have targeted, and how they operate, and even how they’ve been thwarted, is often never widely shared. These are tactics and patterns that are often never leaving the confines of a particular company or country. Building a shared knowledge base can mean the good guys can coordinate their efforts and maybe even stay one step ahead. 
The World Economic Forum’s Cybercrime Atlas does just that, using open source intelligence and world leading experts to develop and vet cybercrime threats and data that might otherwise be missed. I’ll include a link to the recent report in our shownotes. 
But I also want to introduce you to Vinod Bange. He’s a partner at Baker McKenzie and a long-time expert in cyber law as well as data privacy and data protection. He talked to me about other unique ways business and government can work together to share best practices and strategies, all while breaking down why this sort of collaboration has traditionally been slow to happen. 
He’ll talk about all this and the questions that leaders will need to ask themselves now to be truly cyber ready. But first he’ll share the cyber risk that’s most overlooked right now.
Vinod Bange, Baker McKenzie: The real issue and the real challenge with cybersecurity is that it's a risk that is multi-dimensional. So, focusing on one dimension that is tech alone, means you're only focusing on one plane of the threat risk.
And, of course, the threat risk is a much bigger risk than just technology. For example, people play a really important role in that, as does policy, as does processes, as does supply chain. And cyber threat actors, in particular, are really adept at testing where the weaknesses in an organization are. And increasingly that's weaknesses across those different areas of people, processes, tech stacks, security architecture around that.
So often the points of attack, we find, when you try and trace it back, when you're in the thick of that investigation, can often be linked back to people. And we're seeing that as a trend more and more at the moment, and certainly this year in particular. So to focus just on tech, means you're missing an important dimension in this multi-dimensional threat risk that we have. So, tech is not the only area of focus.
Linda Lacina, Meet The Leader: You talked about the people risk. Give us more context for that, so people who aren't familiar with that aspect of this work for cybersecurity.
Vinod Bange, Baker McKenzie: Of course, so the people risk is really, really important. You rely on people to help you implement policies, implement controls and be true to that. That's the whole point of training people around the whole array of their tasks in the workplace. And cyber and information security is one fundamental part of that.
If, for example, a person is the weakest link in the cyber threat plane, then you could find that actually they are the ones who the cyber threat actors will focus on. For example, they will appreciate that, and they will see in the systems if they're already in, the level of training that you had and have had, what your other roles and responsibilities are, how busy you are, when is the right time, the peak time to actually try and infiltrate you as a person and try and get you, try and engineer something out of you.
And often, that's credentials, or a link into finding those credentials. So you're one piece, but a really important piece, in this protection jigsaw puzzle that all organizations have around cyber. So, people need to understand that as well. And as systems become much, much smarter within organizations to see when intrusions are taking place, to fend off more and more known intrusions and malwares etc. Then what we're finding is cyber criminals are thinking, well, how do we get around this? How do we find the weakest link? And often people are the weakest links.
So, you'll find that it's easier to try and infiltrate an organization by finding the person that's more likely to give you the answer or the credentials, or that password, or that access that is crucial for the threat actor to go further within the organization.
Linda Lacina, Meet The Leader: And when it comes to the credential theft, there's sort of a social influence aspect to this as well. Can you take us through, what does that look like? What does that look like, that somebody might be experiencing? So somebody listening to this understands how this might play out, so they can be better prepared. What does this social influence to get to credential theft look like in the day-to-day?
Vinod Bange, Baker McKenzie: Well, the social influence itself actually is becoming a bit of an art form, so it may be that, actually, it's a matter of how best you engineer a conversation, and with the goal of asking that person to give you something. So it's almost a conversation. You're almost tricking or conning a person to giving you something, so that's sort of one element of social engineering.
Of course, sometimes that isn't alone. People can be smarter than that, can be more sophisticated, or trained well, and therefore that alone isn't going to get you through. And sometimes what we find then is the threat actors, or those that are really going after those credentials, will think we need something more and the more is becoming a bit more of a complex environment in itself.
So, for example, do we need to coerce the individual to give us that information? Do we need to threaten the individual? Do we need to actually almost apply some sort of social force? Do we want them to realize we have more information about them? Or, increasingly as I'm seeing, about their families? In other words, something suddenly clicks to make you think, okay, I know I shouldn't be given this information, but I now feel like I'm in a position where I have to.
And, of course, there's something in between which is becoming much, much more prevalent now as well, and that's the use of deepfakes. So, you've got AI for bad, and this is where AI is used by threat actors. And here's the question, you know, you could have a deepfake that is there to create a fake image, a video, what is as close as possible to a real-life conversation with your line manager, with your CEO, and so on and so forth.
So, the social engineering takes on almost a hyper-scaling approach, by the use of AI. So, the way in which you engineer the individual to do something for you is becoming so much more complicated than it ever used to be.
Now, deepfakes are gonna require some time and effort. That cost of acquisition is becoming cheaper and cheaper, but it is still a cost of acquisition to the threat actor. So, what we'll find is they'll kind of save that where they think there's a bigger goal to go for.
Linda Lacina, Meet The Leader: Absolutely. And of course, protecting against cyber risks is always a moving target, but if I'm a leader looking at this and I want to make sure that my larger team, my company, is prepared for this sort of thing, what are the questions I should be asking to make sure that people are protected?
Vinod Bange, Baker McKenzie: Interesting, I think if you're that business leader and you want to know what's the status, how prepared are we, or how vulnerable are we as an organization, I think those questions alone are absolutely crucial. And sometimes it's the simplicity in the questions that is perhaps gonna be more effective.
So, leaders should be asking those questions, and I think those cyber leaders and those cyber defenders within organizations should be empowered to think about those as well. In other words, they need the time, they need the pace, they need the authority, they need to be empowered to actually be thinking deeply about how those questions will impact an organization, how in turn the teams that they lead, the systems that they put in place to defend the business, the third parties that they use as part of that defence perimeter, and the people that are trained are really fit for purpose against what the threat is. And obviously a very interesting conversation about what threat really means, and the changing nature of the threat, which I'd love to come on to as well.
Linda Lacina, Meet The Leader: We released our annual cyber risk report earlier in the year and it has, it lifts out sort of other big challenges that people are facing, including geopolitical tensions, right? So, it says more than half surveyed said geopolitical tension impacted their cyber strategy. Help us understand that, right. I mean, we keep seeing throughout the course of this year more and more things erupting. How do geopolitical tensions shape somebody’s approach to cyber security?
Vinod Bange, Baker McKenzie: So I think geopolitical shifts, geopolitics, and the change that's brought about by geopolitics, is probably one of the most influential factors on cyber risk that we're seeing in 2025. And we saw this coming through in 2024, as well.
Why? Mainly because if you break down what geopolitics actually is – and in some ways it's not really a dark art, it's actually a very visible art form – you could open your eyes and ears and see what's going on in the world. And I know that sounds patronizing but it's not meant to be. But I say that simply in that way because geopolitics is often very visible. It's often a gift from that perspective.
So, you can see what is happening around the world. You can see the tensions that are bubbling away. You see the fault lines that are appearing across regions, across different parts of the world economies. And then you can see what the impact of that is likely to be. Now sometimes, to be fair to organizations, the timing of seeing those tensions and seeing the impact can be incredibly short. But that alone is no reason to follow the story as you see it unfolding.
So how does that unfold? So where, for example, you have a political tension, or you have another form of tension – whether that's, for example, conflict or war – you will see that there are certain allegiances. You will see there are certainly alliances forming. You will see that there's a shift in discussion and discourse.
And the big question for you – and by the way, you're not alone as a business in this because a lot of cyber experts will be asking themselves the same question, a lot of discussions will be taking place along these themes as well – what does that mean for you as an organization? What does it mean for your retail operations in a particular jurisdiction, you would ask, what does it mean to our cyber risk? What does it mean to our data stacks and our tech stacks that sit in our supply chain that are in that ecosystem that is impacted? And that's the key question to be asking yourselves from a cyber risk perspective.
The other point, which is a little bit variable, but still becoming clearer, is the way in which geopolitics and at the extreme end of geopolitical tension, we start to see the … I guess it's a nasty side, it's the quite vicious side of cyber threats playing out across and alongside those allegiances. So, this is where we see, for example, nation-state attacks, or we see cyberattacks that are sponsored by certain causes, and so on and so forth. So, trying to see and trying to engineer in your mind what that risk is likely to mean for you – and the chances are actually those discussions are going to be relevant for everyone in your industry, or everyone in your jurisdiction, or in your sector – so stay tuned to what's happening. And then ask yourself, what does it mean for you? Do we need to be on a heightened state of alert? We haven't rehearsed our cyber readiness for six months. We felt that was putting us in a good position, or it might even be three months ago, but actually the risk has changed.
And I often referred to this as a bit of a fire drill sort of test. You know, we quite rightly look after our people in buildings and environments. We do fire tests, we test the fire drills, and, you know, we will test the alarms regularly. You know, do they work? Will our people know when to evacuate and so on?
And in some ways, testing your cyber readiness is no different, and sometimes you need to sharpen up on that. So, taking those steps that you think will put you in a better position of readiness is the sort of consequential outcome of staying tuned to what geopolitical risk means from a cyber perspective.
Linda Lacina, Meet The Leader: And what are those characteristics of cyber-readiness that people need to make sure are covered?
Vinod Bange, Baker McKenzie: So, I think, again, sort of across those pieces that we talked about just a few moments ago, in some ways, it's about, you know, are our technical defences, are they up to date? Are they deployed where we need them to be? Do we need to escalate, need to put some pace and energy behind some of the rollouts of that technology? And so on and so forth. So, getting your tech defences as up to date as possible.
But also looking at it from an organizational perspective, how would we react if we realized today that there's an intruder in the system, or an intrusion has already taken place and how do we detect that? How do we go through it? So, rehearsing your playbook is going to be incredibly important.
But of course, rehearsing a playbook is only as good as having a playbook in the first place. And we see so many organizations where their playbook is perhaps not fit for purpose and needs more investment. And that's what I would say is worth, you know, really bringing out from your readiness programmes, you know, the way in which we created that playbook a year ago, is that still relevant today? Is it still relevant for the risk that we face today?
All of these factors around risk readiness come to fore and you know they do need to be acted on. It's so easy for organizations that are pulled in so many different directions on a daily basis by business as usual. But this is a risk that is real. This is a risk that we see, you know, crippling businesses and bringing businesses to their knees. It's probably the only risk of its type, cyber risk, where it can bring a business to a grinding halt or a significant part of a business in a way that no other risk can. Right?
So, making sure that you are adept in your contingency planning specifically for breaches, and it's rehearsed, and people know their roles, people know what they're going to be doing, and people will know what the different scenarios are and how they play out. And some of the decisions with that, I'll just give you an example of one, are incredibly important.
Just a few months ago, I was supporting one of our clients on a ransomware attack or an early intrusion notification that had been triggered within the organization. So, the early part of them, we mobilized – because we'd rehearsed this just four months earlier – and within a matter of about 90 minutes, the whole incident response team, including outside specialists like myself, had been mobilized. And we started to take the action that we should take.
But because we had rehearsed, and because we knew we had the authority to make certain decisions, and we had a line of reporting to the board, we were able to take certain systems offline straight away. We were able to put a pause on internet access, for example, to certain server environments. And this doesn't happen lightly. There is gonna be a consequence. But the way in which you're doing that, and the immediacy at which you can take those decisions, is incredibly important.
But you don't realize that until you've actually done some testing and asked your questions, do I have the authority to do it? If you spent the next, and in that case, if you'd spent the next three, four hours trying to find a decision-maker, that would have been too late. The fact that we acted so quickly meant that we were able to contain the intruder on a specific part of the technology environment and stop them from actually launching the full-blown lockdown that they were about to launch.
So, being rehearsed actually does make a difference. It does make a difference, and it makes a difference out of those key decisions that you have to make. And there is nothing like rehearsing, right? It's uncomfortable, and nobody really wants to do it, but it is absolutely important. And however much you find it uncomfortable, however much you don't wanna do it, you know that when you have done it, you will be much better for it.
Linda Lacina, Meet The Leader: Wonderful. Absolutely. When you're talking about some of these things, Baker McKenzie has a top-risk report, its own survey, in that cyber coverage gaps are a big concern. Tell us a little bit about the disputes, risk report (the survey that you guys do) and then sort of how cyber coverage gaps kind of factor into that.
Vinod Bange, Baker McKenzie: So we run an annual survey. It's a dispute survey. And what we do is, importantly, we go out to roughly 600, 700 of our most senior legal clients counselled. So, these are senior decision-makers within the legal teams of some of the biggest organizations in the world. And we will go and we will talk to them about the risks that they are facing and those risks that they see are likely to lead to dispute risks.
And in the 2025 survey, that was launched at the start of this year – so we queried and questioned and did the respondent survey at the tail end of last year – we found that data and cyber risk was at the top, was the number one risk that was, in effect, keeping senior legal leaders awake at night. And interestingly, for the first time, we saw AI as a second risk, as well.
And so it's quite clear that this is hitting home within the senior legal decision-makers. And that's good because it sparks that conversation. It means decision-makers come together and they start to think quite clearly and they bring that conversation within the business, as well. So, really important, I think, as we do those sorts of respondent-based surveys, that we can reflect what they have seen to you, as we did in this 2025 survey.
And interestingly, if we go back just one year in the survey, data and cyber risk was number three. And again, no surprise to us, because, and particularly not to me, because I'm dealing with data and cybersecurity every single day, it was elevated to being a number one risk.
And do you know what's interesting? And of course, cyber risk is a global issue – that's why we look at that survey from the perspective of a global respondent base. Let me just give you a couple of interesting stats, just as you probably see in the background, I'm here in the City of London today, and so, only last week, only just last week, in the middle of July. We heard the UK's National Cyber Security Centre passing comments on what they are seeing as the UK cyber threat risk and landscape.
And one of the interesting comments that took a lot of the press attention was the fact that they are seeing, the UK National Cyber Security Centre, is seeing at least one major attack every single day and that's reported to them. We know there are lots of attacks that are not reported to the National Cyber Security Centre. We know that there are a lot that don't have to be reported and so on. So, we think that's actually at least the figure. I would probably apply an educated guess and say it's two or three times that.
So, this is not a theoretical risk. This is happening all the time to organizations. And there was another survey that interestingly said that if the global cyber crime ecosystem was, if you like, an economy in its own right, it will be immediately in the G7, without any hesitation. This is a trillion dollar-plus crime industry.
And of course, it's not only valued by dollars in terms of ransomware attacks, which is where we see most of the change. We see lots of different reasons for attack. And particularly with geopolitical tensions, you might find that actually the motive or the sponsor is not necessarily wanting to extract money.
It may be to use cyber as a weapon to provide a different outcome. It may be a form of social engineering within an organization. It may be to... dismantle the infrastructure of a state, or part of an organization, and that I think really needs to be taken on board when it comes to understanding what cyber risk is. So, we were not surprised with the results from the Baker McKenzie survey and everything we're hearing since shows that actually if anything the problem is growing unfortunately.
Linda Lacina, Meet The Leader: One of the respondents in the survey mentioned that they had key challenges, five key challenges when it came to managing cyber risk. Can you tell us what those challenges are? What are the things that make it so hard?
Vinod Bange, Baker McKenzie: So the challenges actually, in some ways, are along the lines that we talked about. I think sometimes it's about breaking the shackles of what was yesterday's risk or yesteryear's risk and making sure that your programmes, making sure your defence systems are actually looking at what today's risk is.
And that's difficult. Some organizations are vast in size, some are just difficult to turn around and implement change in terms of defensive posturing. So, you know, there are lessons to be learned from that. I think organizations need to be more agile. They need to be more nimble. They need to be more alive to the risk, just as they need to do in areas like geopolitics and what the changing threat landscape risk is to them.
We're also looking at how they themselves as an organization are better geared towards actually defending themselves. But not only defending themselves actually, it's also about understanding the risk. It's all about understanding the changing nature of the risk, as well. One of my clients, for example, we stay in touch because we talk to our clients regularly on the risks that they're seeing and we have a lot of roundtable discussions with our clients. And what's interesting is these roundtable discussions… We're a law firm, but we're often at the heart of a cyber incident for lots of reasons. Legal privilege, for one. Two, because often our experience brings us to the heart, and we are used to working within that ecosystem – so we know the vendors who are critical to forensics and root cause analysis and so on – and so we're at the heart of that ecosystem, so we have these regular conversations.
So for us, this isn't a sort of one-hit respondent survey from way back when. And in the several roundtables that I've had here just in London since then, we have a lot of intelligence that is being shared around. For example, which threat actors are organizations seeing as more relevant in the moment? Which ones are beginning to come back in? What does their MO look like? Can they be trusted? If you are considering paying out on ransomware, can you pay out on some ransomware and so on and so forth.
And these are issues that need to be addressed by every single company. These are issues that change almost by the month. So, bringing that to the fore, so you understand what your threat risk is gonna be incredibly important. And I know that's a slight repetition from what I said earlier on, but that's one of the fundamental reasons why organizations find it difficult to actually make themselves more adept and nimble at becoming more cyber defence ready.
Linda Lacina, Meet The Leader: I can see you guys recently had a really unusual client event. You had law enforcement, you had secret service, you have all kinds of other experts, can you tell me about this event and why was that sort of cross-section of experts so beneficial?
Vinod Bange, Baker McKenzie: So what's interesting is, and this is an event we had here in our London office and we had this in February at the start of this year. And what was interesting is I'd been working on this event for about six, seven, eight months – which is a lot longer than I take to prepare for many of our events and need to take as well. So why do we do this? First of all, we did this because we can see, and actually in some ways we're borrowing some of the experiences we're seeing from our cyber teams in the US, where, for example, the FBI in the US, and aligning the expertise that they have in tackling cybercrime, alongside, for example some of this skill that we have within Baker McKenzie.
So one of my colleagues, Nicolas Rico, based in the West Coast of America, is ex-FBI. So we bring that expertise to our clients within the services we provide but that also informed us better for this particular event. And I'm told by many of our clients, attendees and also those who came together, this is a rather unique event. Why? Because we brought together all those that need to be part of, certainly in the UK right now – and that's not meant to be limiting when I say UK, because if you look around in the landscape behind me, you'll see that there are a lot of global businesses that are headquartered, or regional headquarters, here in the City of London. And what we're doing is bringing this public-private partnership together here.
And what does that mean? So that means that organizations should not feel that they are at an arm's length, and they are somehow very distant, from those organizations that are there to support them and that are there to help them – not only when they have a cyber attack but often before then as well. So this ecosystem is incredibly valuable.
And as you said earlier on, we had the UK's National Cyber Security Centre, several speakers kindly volunteered their time to be with us, even though they're incredibly busy. We had the UK's National Crime Agency, which unlike the National Cyber Security Centre, we're now moving to law enforcement agencies. So, we're going from cyber defenders for UK PLC to law enforcement. And then moving into international law enforcement, we also had the FBI and their chapter here in London, we had the US Secret Service and their team chapters here in London, as well, alongside an ex-Interpol and some of our colleagues have also come out of industry and are now supporting our clients.
And the whole idea was across the spectrum of myth busting, right? I think there was a lot of myth around that if an organization spoke to one of these, organizations that are so important to helping when there is a cyberattack on, there are all sorts of myths circulating that I feel like I'm going to an authority, I feel I'm gonna be prosecuted the moment to go to them. So really dispelling a lot of those myths, these are not law agencies that are going to prosecute, they're not regulators in that context.
These agencies want to know the moment you have a significant attack, or the moment that you have an attack that is different or impacts certainly critical national infrastructure. Why? Because they will often be able to bring in the other parts of the jigsaw that they are aware of, so they can help you understand more about the nature of the attack and the vulnerability and where it started and how to deal with it, as well.
And also, that information sharing in real-time is going to help the ecosystem because then these agencies – in their alerts and in their industry conversations – they can warn others of this type of attack and if there's a trend that they see and so on and so forth. So, the ecosystem becomes much smarter, much more prepared, much more geared towards everyone coming together and fighting cybercrime, rather than other conferences where, for example, you just see statistics. And scary stories and so on and so forth.
We wanted this to be one that actually brings the ecosystem public-private together. One that actually shows and breaks down those myths that there is real value when these two parts come together and work together. And we've seen lots of output from that since that event as well. More industry groups coming together, more conversation and so on, where undoubtedly, certainly our clients who are there, we'll be better prepared for having been there and attended that session, and continued in that public-private partnership spirit.
Linda Lacina, Meet The Leader: I've only got a few more minutes left. I've got two questions I'm going to ask you, and then I'll free you for the rest of your afternoon over there. Is there something that you have changed your mind about in the last year or so? What was it, and what sparked it?
Vinod Bange, Baker McKenzie: So, I guess, it's interesting, because I think a lot of what I see is new – and that's both on the advisory and on the threat side as well. So, on the threat side, I think seeing attacks on critical national infrastructure, that's hard to ignore. That's hard to not have that hit you there as such, right?
When, for example, in 2024, we saw that supply chain-based attack on the London hospitals’ supply and ability to supply blood. That's a major, major issue. And actually, it just shows you how vulnerable parts of critical national infrastructure that supports a civil society really, really are. And that, I think, was kind of a big wake-up point for me, because not only is it about public infrastructure in that way, but actually, public infrastructure is largely driven by private infrastructure.
So, specialists like myself, and many here in London and beyond, have a role to play in terms of looking at these new types of risks, these new threat scenarios and bringing that into your thinking around how you support your clients today and tomorrow. So, I think that was one thing that sort of struck me, in particular as a sort of, wow, that's different, something's changed its tune where the threat's concerned.
Linda Lacina, Meet The Leader: Tell us a little bit more about what is keeping you up at night with these cyber risks, but more importantly, what's giving you hope?
Vinod Bange, Baker McKenzie: What gives me hope, I think, is, so, you know, if I think for example, the event that we've just mentioned, what gives me hope is I've heard, I've had a lot of feedback from our clients since then, that said, we must do more of this. And that spurred me on to kind of take that conversation to, quite frankly, other lawyers and other law firms as well. So, this is an ecosystem issue, as well.
So I don't see other specialists in this area as competitive threats, where that's concerned, because we're all supporting our clients to achieve the same goal. So, a point of hope there, for example, is, you know, I'm a member and proud to be a member of the Society for Computers and Law. And, you know, this sort of conversation has led to a refreshed approach towards cyber risk.
And they now have a cyber working group and I'm delighted to be a committee member of this group as well and supporting the industry ecosystem there, as well. So, supporting advisors within this ecosystem, other legal practitioners, to be more informed and better and more adept at supporting their clients, that gives me hope. Because I think there's the ability for us to continue to get better against this threat and this risk, which also continues to get stronger.
Linda Lacina, Meet The Leader: That was Vinod Bange. 
Thanks to him. And thanks to you, for listening. Find a transcript of this episode - as well as transcripts from my colleague’s podcasts Radio Davos at wef.ch/Podcasts.
This episode of Meet The Leader was produced and presented by me with Jere Johannson and Taz Kelleher as editor, and Gareth Nolan driving studio production.
That's it for now. I'm Linda Lacina from the World Economic Forum. Have a great day.




