The FDI angle:

  • Cyber attacks are on the rise as they emerge as the flipside of the global digital economy. 
  • They cost the world $8tn in damages in 2023 alone, Cybersecurity Ventures estimates. 
  • Public institutions at the highest level, particularly in developing economies, have proven vulnerable to such attacks. 
  • Why does it matter? Countries with poor cyber hygiene risk seeing their investment appeal decrease as multinationals limit exposure to such risks. “The reputational damage caused by a big breach, particularly a well-publicised breach, would definitely have a negative impact on the market’s prospect for FDI or being a supply chain destination,” says Terence Toland, a manager at Kearney.

In May 2022, Costa Rica’s investment promotion agency, Cinde, started receiving calls from its foreign clients. “What’s going on in your country? What is this mess?” was their message, Jorge Sequeira Picado, Cinde’s then managing director, told fDi a few months later in an interview in London.

Two large-scale ransomware attacks on the country’s government had infiltrated 27 of its ministries and crippled essential services. The national digital tax and customs control systems were taken offline, public sector workers couldn’t be paid, and hospital appointments were lost. After refusing to pay the ransom to regain access to the data under attack, the government declared a national emergency and wrestled with the fallout for the rest of the year. 

Thinking back to those awkward phone calls with Cinde’s clients, Mr Sequeira said: “We just had to tell them ‘We were not prepared’. That’s the honest answer. As a country, we were just not prepared.”

A $21.9bn-a-day problem

The Costa Rica incident laid bare how cyber attacks can wreak havoc on a country. Last year’s highest-profile sovereign victims also include Bosnia and Herzegovina, where a ransomware attack crippled the activities of the national parliament in September; Albania, which severed diplomatic relations with Iran that same month, after discovering it was behind repeated attacks on its government services (as confirmed by both Microsoft and the FBI); and Vanuatu, where state-run services went offline for more than three weeks in November.

Companies are being targeted too, of course. This year has seen attacks on two of the world’s biggest casino operators, Caesars Entertainment and MGM Resorts, with the latter suffering a 10-day computer shutdown. Hacks on file transfer service Moveit infected more than 2000 of its corporate and governmental users, and an attack on the derivatives clearing unit of Ion Markets left the world’s biggest banks scrambling to finalise trades. 

Cyber threat trackers point to a dramatic increase in the number of attacks in recent years. Research by cyber security provider Check Point reveals a 38% increase globally in 2022 — and that’s off the back of a 50% rise in 2021. However, victims’ unwillingness to report and many organisations not having ‘turned on the lights’ — industry parlance for monitoring for threats — mean we can only see the tip of the iceberg. 

The stakes are high. According to research firm Cybersecurity Ventures, damage caused by cyber crime — which includes everything from stolen data and money to business disruption — is expected to cost the world $8tn in 2023 alone.

In other words, that’s a $21.9bn-a-day problem.

Multinationals cannot ignore cyber security risks any longer, particularly when they decide to do business overseas. That inevitably hinders the foreign direct investment (FDI) appeal of countries with poor cyber hygiene. 

The FDI risk

The possible FDI pitfall is exacerbated by the fact that governments’ cyber defences are, by and large, weaker than those in the private sector, says Robert Lee, CEO of cyber security firm Dragos.

While their main worry relates to citizens’ privacy and reliable public services, they must consider the impact on FDI, too. Cyber threats are top of mind for business leaders. A 2022 survey of 3522 executives by PWC found that a catastrophic cyber attack is the top threat being incorporated into business resilience plans over the subsequent two years. 

Foreign companies caught in the crosshairs of government shutdowns and forced to deal with disrupted critical services can lose trust in the country, says Jelena Zelenovic, the European Investment Bank’s chief information security officer. 

“The reputational damage caused by a big breach, particularly a well-publicised breach, would definitely have a negative impact on the market’s prospect for FDI or being a supply chain destination,” says Terence Toland, a manager at Kearney.

In Ireland, where a 2021 ransomware attack took down its national health service, the Health Service Executive, this is a point being championed by senator Gerard Craughwell. He notes that FDI, particularly by tech firms, is a big driver of the national economy. Apple and Google both use Ireland as their European headquarters and fDi Markets data shows that software and IT account for 32% of the country’s inbound capital expenditure over the past decade. 

Mr Craughwell argues that, compared to asset-heavy industries, tech firms are “footloose” as they are less tied to brick and mortar investments. “Their footprint within the country is based on rented accommodation [and] rented office furniture,” he tells fDi. “If they see a threat, or a lack of government concern for their security or the security of [the firm’s] systems, then they will go somewhere where they can find that security.”

A developmental issue

While cyber vulnerabilities may pose particular considerations for asset-light FDI, Julien Chaisse, professor of law at City University of Hong Kong, says cyber attacks are most consequential for FDI into small or developing countries. “For a country like Costa Rica or Albania … it might be more problematic as it could become another hurdle to FDI. So, they have to do even more to convince investors about the decision to invest,” he says.

Unfortunately, there is a close correlation between countries’ income and economic development levels and their cyber resilience. Assessing the results of its latest cyber security index, the UN’s International Telecommunication Union declared that cyber security is “truly a developmental issue”. It ranks 194 countries’ cyber resilience based on regulations, national agencies’ capabilities and strategies, training, and government cooperation with corporates and other countries. The five most resilient countries are the US, UK, Saudi Arabia, Estonia and South Korea. At the other end of the ranking are Yemen, Equatorial Guinea, Eritrea, Burundi and Djibouti. 

Among developing countries, smaller ones are particularly at risk. “An attack on a bigger country might do much less damage. When the same scale attack is on a smaller country, the consequences might be more devastating — in terms of bouncing back and restoring [systems],” said Tatiana Tropina, assistant professor of cyber security governance at the Netherlands’ Leiden University, at a Chatham House event in June. Indeed, the most disruptive attacks on governments since last year — Costa Rica, Vanuatu and Bosnia and Herzegovina — are in countries with populations of six million people or less. 

Governments in advanced economies are far from immune. In August, the UK’s electoral commission confirmed it had suffered a cyber attack that exposed the personal details of some 40 million voters. The National Health Service, University of Manchester and Northern Ireland’s police force were also the source of recent data breaches. The Moveit attack in June hit ministries in Canada and the US. One month later, hackers ensnared 12 Norwegian ministries. But among these countries there are no examples of prolonged disruption to the national IT infrastructure. 

The weakest link

Companies are right to be wary of countries where the government has weak cyber defences. Hackers operate in a borderless world, but starting operations in these places exposes firms not only to public sector vulnerabilities, but also to those of local firms. “If the state isn’t leading from the front in terms of investing to protect its own systems and citizen data, then you won’t necessarily expect companies to either,” says Jo Joyce, a tech-focused senior counsel at law firm Taylor Wessing. 

This can create problems for foreign investors who need to establish local partners and suppliers. Risks cascade from one organisation to another through digital exchanges of information, including something as simple as malware attached to a supplier’s email. A security lapse at just one local partner can ensnare the investor, too.

“The moment you expand your operations and bring in new entities into your ecosystem, you are only as secure as the weakest link in the chain,” says Akshay Joshi, head of industry at the World Economic Forum’s (WEF) centre for cyber security. This applies equally to a firm’s supply chain as it does to general business support services. In September, Colombian internet provider IFX Networks suffered a ransomware attack which reportedly impacted more than 50 companies and government bodies. “If local systems aren’t on par in terms of cyber security, they can become the weak link for foreign investors,” adds Mr Chaisse. 

The problem is magnified by foreign firms’ local partners often being small businesses, which are low-hanging fruit for cyber criminals. A recent report by cyber security provider Barracuda Networks found that firms with fewer than 100 employees globally are more than three times as likely to be targeted for phishing attacks as larger firms. “[Cyber criminals] are aware that some of these small companies don’t have the budgets, tools and people to protect themselves like bigger organisations,” says Ms Zelenovic. A common tactic is a supply chain attack, whereby smaller companies within supply chains are targeted as an entry point into bigger firms. 

Local agents, local fines

Becoming entangled with poor cyber hygiene isn’t the only risk arising from FDI. State-sponsored attacks are increasingly part of the arsenal used within geopolitical conflicts. Iran’s attacks on Albania’s government were allegedly in retaliation to its sheltering of members of the exiled Iranian opposition group Mujahedeen-e-Khalq.

Ms Zelenovic notes that firms operating in countries involved in geopolitical tensions can get caught in the crossfire of these attacks and cyber espionage. It’s a prospect that many firms are attuned to. In a 2023 WEF survey of 151 business leaders, 49% said geopolitical risk influences their organisation’s cyber security strategy by re-evaluating which countries it does business with. 

Another factor that increases cyber risks is data localisation laws. A growing number of countries require locally collected data be stored within national borders, rather than allowing multinationals to hold all their data overseas. Mr Chaisse says this could make the country more vulnerable to cyber threats. “It’s a bit like a bounty. The more treasure they accumulate, the more likely it is that attackers will target the country,” he says.

In some countries, foreign firms are held to a higher standard than their local peers when it comes to abiding by cyber security regulations. Strict rules in India, for instance, require firms to report cyber incidents to the government within six hours of discovering the breach.

Ms Joyce says that in India and in China, foreign-owned or controlled firms are subject to stricter penalties and higher expectations than their local peers. In less-developed markets, authorities often target foreign firms when issuing regulatory fines as they have more resources than local companies, she adds.

Foreign governments can also be sources of more sinister risks, by convincing workers to share sensitive information. This is a red flag when going into countries with high perceived rates of corruption. “Foreign intelligence is really good about recruiting people and what access they might have to core IP,” says Mr Lee. “The ability of [China’s] MSS to recruit an engineer that is on your payroll and is now embedded in your facility is pretty easy.” 

The human touch

Cyber attack methods are becoming more advanced. One of the most sophisticated breaches was the 2020 attack on US-based management software company SolarWinds. Hackers inserted malicious code into one of its updates which infected up to 100 of its corporate and government agency clients.

Going forward, there is artificial intelligence (AI) to contend with, too. As in other areas, AI’s impact on cyber risks is not yet known. But many in the industry consider it a double-edged sword. AI-driven phishing attacks that use highly convincing, personalised messages are more likely to succeed. “Most people would say no to a WhatsApp message imitating the CEO saying ‘please make an urgent payment to this bank account’. But it only takes one to say yes,” says Mark Weil, CEO of TMF Group. “That deep-fake video and voice is getting easier to do. You are going to see an escalation in the frequency and sophistication of attacks.”

But AI could also help companies lift their cyber defences by using machine learning to identify patterns and anomalies that may indicate cyber threats. Ms Zelenovic is among those who believe this could speed up detection and response times, and mitigate attacks’ impact. However, not everyone is convinced. “The problem in cyber security is [there’s] not a big training data set, every adversarial attack is like an inject that wasn’t in the training data,” argues Mr Lee. 

While cyber attacks conjure up images of high-tech tactics, the majority of incidents boil down to everyday human behaviour. A recent study by IBM found that human error was a primary cause of 95% of cyber security incidents. “If we break down cyber security into tech, process and people, people are invariably the weakest link,” confirms Mr Joshi.

This year’s attack on MGM reportedly started with hackers impersonating an employee during a phone call with its IT desk. According to IBM, over the past two years the most common way hackers have gained access to their victim’s system is via phishing, which often involves an employee simply opening a malicious link or attachment. When expanding overseas, this places a premium on the general population’s cyber literacy and training. “A country’s cyber security awareness and education level are crucial, as people are the first line of defence,” says Ms Zelenovic. “A country with a well-trained … workforce is less vulnerable.” 

Yet there’s a global skills shortage when it comes to workers charged with leading cyber defence, too. Mr Joshi says one of cyber security’s most serious issues is a lack of talent. According to cyber security association ISC2, the cyber security workforce covers only 58% of today’s needs and requires another 3.4 million professionals. Mr Joshi believes that figure is “vastly” underestimated. 

The problem is not confined to countries with weak cyber resilience. A UK government report this year found that those in charge of cyber security at half the country’s businesses lack the skills to carry out basic tasks to address cyber attacks. The fact that mature markets are grappling for talent suggests the gap between them and countries with less-robust cyber defences could become even greater. “In such a supply–demand asymmetry, cyber security professionals will probably choose to go to the more dynamic environments where you can get exposure to cutting edge practices, and let’s be honest, get better pay packages,” says Mr Joshi. 

Part of the problem and solution

Cyber attacks create risks for FDI, but they are also a source of opportunity. With cyber defence in hot demand, there’s a strong case for countries that harbour leading talent to export it. Data from fDi Markets shows that since the first cyber security FDI project was recorded in 2016, cross-border investments have ticked up to reach 450 projects last year.

While FDI heavy hitters the US and UK are the two biggest sources, in third place is Israel. Although not a big player in global FDI, the country’s strong military traditions have seeped into the private sector and fostered world-leading cyber defence firms which have invested in the likes of India, Bulgaria and Brazil. Cyber crime is propelled by bad actors that operate in a borderless world. To stop them from holding countries like Costa Rica hostage again, cyber defence firms must also look to deploy their work beyond national borders. 

This article first appeared in the October/November 2023 print edition of fDi Intelligence