In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their ‘brick-and-mortar’ counterparts irrelevant. Travel agents have been largely relegated to dinosaur status in this era of online travel search aggregators and booking portals. A payments ecosystem mostly dominated by major card networks and processors now includes closed loop systems such as Apple Pay, Google Wallet and others. When we add the Internet of Things (IoT), robotics and artificial intelligence (AI) to the mix, the networked society has become a monolith that we simply cannot ignore.
What is most concerning about the ubiquity of technology is the multitude of cyber threats which organizations and individuals have to contend with. While the risks to individuals are relatively high as it relates to invasion of privacy, identity theft and financial loss, cyber-attacks can have a particularly critical impact on businesses. Depending on market and jurisdictional realities, the consequences can include heavy regulatory penalties, plummeting stock prices, lawsuits or mass layoffs — The effect on a company’s bottom line can be catastrophic.
But how are corporations responding to this ever-evolving threat landscape? The resulting strategies fall mostly into the following categories. There are the large organizations which employ the ‘3 lines of defense’ approach where an IT department owns and manages cyber risks, the operational risk and/or compliance departments specialize in risk management (including cyber), and the internal audit function provides independent assurance that cyber risks are being effectively managed. This approach is resource intensive and demands highly specialized (and costly) personnel. There are the generally under-staffed companies that limp along from day-to-day reacting to cyber-attack after cyber-attack, many of them not even aware that their systems and networks have been compromised. And finally, there are the SMEs that basically stick their heads in the sand and pretend that their operation is too small or insignificant to be the target of cyber criminals.
More often than not, business leaders across the board fail to recognize that cybersecurity is no longer the domain of the IT organization. Cybersecurity strategy is now business strategy, and the response to cyber threats is the responsibility of every individual that works for or runs a company. And here are 8 key reasons why this is undeniably the case:
- Corporate governance – A 2016 survey by Goldsmiths that included responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries showed that 90% of respondents admitted to not being able to read a cybersecurity report and were not prepared to respond to a major attack. Even more worrisome was the fact that over 40% of executives did not feel that cybersecurity or protection of customer data was their responsibility. Let that sink in for a moment. This is why ensuring that cybersecurity is a running topic at executive and board level meetings is imperative for organizations. Even more, greater ownership should be ascribed to all levels of personnel for cyber risks. Cybersecurity culture is a collective effort that starts at the top and works its way down through the organization.
- Regulatory and legal compliance – Certain industries like banking, healthcare and energy are subjected to heavy regulatory burdens. And many of these regulations include requirements pertaining to privacy, data protection, and network security. In the US there are HIPAA, Gramm-Leach-Bliley, and FISMA. The EU has the NIS Directive and the GDPR. To address cross-border data flows between the EU and the US, there is Privacy Shield. To comply with this multitude of regulations, deep cyber and risk management capabilities must be embedded across organizations. Failure to do so can affect a company’s ability to stay in business. Period.
- Competitive advantage – Developing robust and effective internal controls to safeguard against cyber-attacks can equate to market leadership, brand strengthening, and product / service differentiation. For example, as more businesses look to AI, IoT and robotics to streamline processes and improve business performance, ensuring that these technologies are secure can increase revenues and drive bottom-line performance. In this respect, shareholders must not only expect cyber excellence, they should demand it.
- Financial management – There is clearly a direct correlation between cyber-related risk events (e.g. reputation damage, business disruption, fines, etc.) and financial loss. The severity and impact of such risks can be mitigated by integrating business strategy with cybersecurity strategy. The importance here is even more pronounced given the global economic downturn and depressed profits being experienced by several businesses.
- Public safety – An increasing number of companies are delivering products/services in the areas of smart grids, smart cities, automated public transit, power installations, autonomous vehicles, etc. Possessing core expertise in the alignment of cybersecurity and business operations will set these organizations apart in their respective market environments in terms of public safety. There are also distinct national security implications when we think of these technologies in the context of potential threats to human life.
- Business development – In 2004, the global cybersecurity market was valued at $3.5 billion. In 2017, it is now estimated to be worth $120 billion. But this value is primarily based on the number of products and services delivered. And while there is huge growth potential within the existing paradigm, there is a massive economic opportunity in fostering a commercial ecosystem built on online trust. Take for example the growing popularity of global trust audit and scoring offerings. Increasingly, more and more organizations are developing solutions to combat the proliferation of fake news. As it relates to IoT, consortiums are being formed to fill the security gaps in product design (i.e. Existing markets can be strengthened through collaboration and coordination). And these are just a few examples of the emergent market for Trust-as-a-Service (TaaS).
- Corporate social responsibility – There are numerous benefits to CSR programs, ranging from enhancing brand loyalty to securing and retaining investors to attracting/retaining engaged and productive employees. So along that vein, social responsibility investment in cyber-related areas such as child online protection, secure coding for women, hackathons and cybersecurity research is a savvy approach to cementing market position. As a result, companies can promote good security as a selling point for their products and services, create a pipeline for the best cybersecurity talent, and leverage their cyber-specific supply chains to build consumer trust.
- Mergers & acquisitions – Businesses must recognize the importance of cybersecurity due diligence in the M&A process. Due to a low standard for due diligence, several corporations find out about major cyber incidents only after an acquisition deal has gone through. In actuality, serious cybersecurity issues around compliance, data breaches, poor security architecture or the absence of incident response processes should be uncovered before finalizing a transaction. In the case of Verizon’s acquisition of Yahoo!, the final offer was cut by almost $400 million due to revelations about cybersecurity incidents. A 2016 survey by the NYSE indicated that over 50% of respondents regarded major security vulnerabilities as a ‘show stopper’ for a merger or acquisition.
Considering that end users are generally regarded as the weakest points in cyber defenses, logic dictates that cybersecurity should begin with the individual. Every single employee must be engaged and involved in defending the organization from online threats. It is they who most often access enterprise applications, networks and devices, and will undoubtedly serve as the first line of protection against hackers. Executives and board members are targeted due to their access to key digital assets; and because of the traditional fortification of the network perimeter, line workers are the focus of threat agents seeking to gain entry into the network or escalate their privileges to access sensitive information. Indeed, both executives and employees represent vectors to the same ultimate objective – the compromise of internal systems and access to critical data. Hence, development of an effective cybersecurity strategy must involve tight coupling of security practices with business operations to bolster an organization’s overall security posture. The most damaging misstep organizations can make – and often do – is relegating this function to an understaffed and underfunded IT department.