Sony’s Initial Decision to Give in to Terror Threats Has CEOs Up in Arms

The lesson CEOs have drawn from the Sony incident is that the bullying and blackmail is merely the opening salvo of a much more serious conflict. As one leader said, “ I am thankful that this threat was aimed at an incidental industry—entertainment—that affects practically no one directly. What happens when an aerospace company, a bank, or a major electric utility is successfully hacked and their systems are wiped out? Our economy and the general public could be seriously compromised.”

“Electric utility companies are much more vulnerable than, say, banks,” observes Tom Pettibone, CEO of  Reston, VA-based IT services firm Transition Partners. For example, many are still using Windows XP, which has a lot of holes where would-be attackers can readily penetrate. It’s one thing if a company’s email is hacked, it’s quite another when the company’s entire system goes down as it did with Sony,”  he says.

The global risk of cyberattacks is a real and growing threat, and could carry a whopping cost, according to a McKinsey & Company report on enterprise IT security implications. As a result, the price tag—the material effect of slowing the pace of technology and innovation due to a lack of cyber-resiliency—could be as high as $3 trillion by 2020, McKinsey says. The asymmetric effect of a small number of successful attackers, leading to tighter government restrictions, could mean that: “the world would capture less of the $10 trillion to $20 trillion available from big data, mobility and other innovations by 2020—the ultimate impact could be as much as $3 trillion in lost productivity and growth.”

Business’ vulnerability is by no means confined to large-cap companies. Many attacks involve mid-market and smaller businesses because their systems are less robust and typically more vulnerable. The effects can be devastating, leading to loss of livelihood and, in some cases, the entire business. A 2013 Verizon Data Breach Investigations Report found that 62% of breaches impacted smaller companies and that this number is likely undercounting the true volume, because it assumes organizations are fully aware when they are breached.

The vulnerability is accentuated by the “bring-your-own-device” era as employees access an increasing amount of a company’s business-critical applications from their personal mobile devices. Such devices sit outside the established security controls of most companies allowing cyber thieves easier access to data. Small business owners and operators understand that the impact of an embarrassing or costly data breach can mean much more—up to and including loss of livelihood or the entire business enterprise. The majority of attacks target small and medium-sized businesses because they are typically much more vulnerable than large enterprises, and the effects can be devastating.

McKinsey and the World Economic Forum conducted a survey in 2013 of 200 enterprises, tech vendors, and public sector agencies. Executives in the survey displayed “an emerging consensus” on what those models should be. Here are the seven cybersecurity best practices described in the report:

1.  Prioritize information assets based on business risks.
2.  Provide differentiated protection based on importance of assets.
3.  Deeply integrate security into the technology environment to drive scalability.
4.  Deploy active defenses to uncover attacks proactively.
5.  Test continuously to improve incident responses.
6.  Enlist frontline personnel to help understand the value of information assets.
7.  Integrate cyber-resistance into enterprise-wide risk-management and governance processes.

As we head into 2015, a cutting-edge cybersecurity strategy must be on the top of every CEO’s to-do list.

McKinsey: Risk and responsibility in a hyperconnected world: Implications for enterprises

World Economic Forum: Risk and Responsibility in a Hyperconnected World