How companies face risk to security operations derived from the Ukrainian crisis

Relations between Ukraine and Russia have kept the international community on edge since October 2021. Following the failure of diplomatic talks and the start of Russian military operations on Ukrainian soil in the early hours of February 24, concerns about the impact on the civilian population and the risk of an escalation and internationalization of the conflict are now becoming even stronger.

This crisis was foreseeable for months, allowing many companies to update and activate their pertinent risk prevention and mitigation plans well in advance. The Department of Homeland Security (DHS) had already anticipated in its 2020 Homeland Security Annual Report, which mentioned its concern about an increased risk of geopolitical tension, greater interstate competition and fragmentation of international order over the next three years. 

Whether due to the risk posed by an increase in the current war climate ("conventional risk") or the risk of further remote destabilization actions ("hybrid risk"), the global security scenario has fully entered a new phase that will force a reordering of security at the national and international level and, of course, an update to companies' security and crisis management plans, regardless of where they are located.

What impact might the crisis have on companies? 

The military attack on Ukraine is one of the biggest security crises in Europe and comes with a risk of internationalization, depending on how the West and the countries in the region respond to it. Obviously, how Western movements are received in the Kremlin will also have an influence here.

In the hours following the start of Russian military activity, the first measures against Moscow and support for Kyiv were announced, in addition to the measures already taken in favor of Ukraine before the outbreak of war, namely: the imposition of heavy economic sanctions by the E.U. and the U.S., the sending of military equipment to Ukraine, the reinforcement of military positions in NATO territory along border areas with Ukraine and a request for Turkey to close the Bosporus and the Dardanelles, the straits of Istanbul and Gallipoli, to prevent the passage of Russian warships. 

It's important to note that all these initiatives may be understood by Russia as direct aggressions against its interests and are liable to further increase tensions. Therefore, we may be facing a spiral of escalation that adds concern due to the greater risk of the conflict becoming internationalized. It is clear that both limiting the conflict to Ukraine and its surroundings and the possibility of its internationalization have an enormous impact on security for companies.

While Russia seems to defend the idea that this is a regional conflict, the international community does not see it the same way, and the (so far, indirect) participation of Ukraine's allies (U.S., E.U. and NATO) raised the risk of internationalizing the conflict.

In this context, Russia could take any of the following actions or even all of them at once. First, it could promote the creation of new pockets of instability in third geographical regions. Another alternative would be to drive the intensification of ongoing conflicts in third regions by strengthening support to their allies. Nobody doubts that Russia has the capacity to act in parallel regional scenarios. At times to divert media focus and pressure, and at others to generate social, political, or economic instability. Always in pursuit of its transnational goals.

Russia's options could simultaneously involve intensifying smear campaigns to destabilize certain countries politically and socially. We are talking, for example, about the spread of fake news or cyber threats against certain companies and public bodies. It would not be unreasonable to think that Russia might use, as it seems to have done on other occasions, remote destabilization actions against Western interests. Especially those directed against financial institutions, as U.S. and European (European Central Bank) watchdogs have already warned.

An important factor in information security procedures will be to identify whether the company has servers hosted in Ukraine or other countries in that area. According to Ukrainian authorities, more than 100 of the world's top 500 companies depend, at least partially, on Ukrainian IT services, as published recently in the Harvard Business Review.  

During this crisis, companies must be prepared for any contingency. It is reasonable to think that we will have to face risks in a hybrid format. We will witness a crossover of military actions with remote destabilization actions. In this environment, interaction and coordination between departments such as IT, security or risk will be key to ensuring there is a corporate structure in place that is capable of limiting the impact of situations such as the one we are unfortunately facing in Ukraine.