Global cyberattacks like WannaCry and NotPetya have bumped cyber risk firmly to the top of C-suites’ agendas. Even with this increased attention, businesses are still grossly underestimating their exposure, particularly because the attacks happening now are only the tip of the iceberg. The disruption to businesses’ growth, competitiveness, operations and existence is already playing out – and will dramatically increase in the near future. Cyber risk threatens the viability of all organizations; no CEO should be under an illusion about the implications to their business. Nonetheless, a huge proportion of executives are not translating this attention into implementation of the right people, processes and technology to protect their companies.
The misperception that cyber risk is predominantly a data breach issue for large companies persists. Outside industries like retail, financial services and healthcare, organizations often underestimate the size of the target on their backs, because they have not traditionally operated under strict regulations on the use of data such as protected health information (PHI) and personally identifiable information (PII). Responsibility for cyber risk management urgently needs to expand to organizations across all sectors. The convergence of the digital and physical worlds means the damage caused by cyber attacks now extends far beyond loss of data security and intellectual property. Tangible and intangible assets, systems and processes are becoming ever more tightly intertwined. As a result, cyber risk will have an even more dramatic impact on business operations, research and development, supply chains, manufacturing plants, third-party service providers and customer relationships.
Bringing critical business functions online increases operational risk. For example, penetration-testing exercises for companies in the energy sector have successfully reached critical supervisory control and data acquisition (SCADA) systems that the companies wrongly believed to be isolated from their main corporate network, a belief the tests disproved. SCADA systems and devices control physical processes in many contexts. In the energy sector they regulate electrical flow, turn machines on and off, and control other aspects of the exploration, transportation and production of oil and gas. Had a malicious actor compromised the corporate network and moved laterally into the SCADA system before our technical experts discovered the issue, it would not only have been the company's valuable data and information that was exposed. Imagine the production disturbance, business interruption, or even the physical damage, injury or loss of life that could have been inflicted had normal functioning been altered. Testing exercises in other sectors have had similar success, for example compromising manufacturing companies and accessing unreleased product designs, configurations and launch plans. The convergence of the digital and physical worlds in many industries, including biomedical devices in healthcare and connected cars in automotive, increases the threat.
A Clear Disconnect
This disconnect between the seriousness of the risk and the measures in place also varies with the size of the organization. Executives at smaller firms are often skeptical about whether they represent a significant target for cyber attacks, which limits their investment in cybersecurity. However, criminals are not only targeting high-value corporates; they also launch large-scale attacks to disrupt as many organizations as possible. The Locky, NotPetya and WannaCry ransomware campaigns hit companies indiscriminately, regardless of size, by exploiting common weaknesses: WannaCry and NotPetya spread through a Windows SMB vulnerability for which Microsoft had already released a patch, so poor patch management was the decisive failing, while Locky relied on employees opening malicious email attachments. A small to mid-sized organization might weigh the cost of a ransomware payment at a few hundred dollars against the cost of a security assessment, remediation and insurance, and decide to roll the dice. This calculation ignores the very tangible consequences of systems and information being unavailable, even where there is no risk of physical damage or human injury. It can be an existential miscalculation, as smaller enterprises in any sector cannot always withstand the interruption to sales and operations caused by an attack.
While the majority of media reporting on cyberattacks is focused on data breaches, the consequences for revenue, operations and other functions are very real. Even in smaller or less mature organizations without a fully staffed security department, there are some fundamentals that CEOs should ask about and ensure are implemented:
- Create a multidisciplinary committee for cyber risk management: The impact of cyber risk can be felt across every department in a business, from legal, compliance, human resources, finance and communications to operations, information technology and elsewhere. A cyber risk committee is a relatively low-cost organizational change that brings together the relevant expertise to assess how cyber risk will affect multiple functions, and how changes in the business, such as an M&A transaction, working with a new vendor or implementing new technologies, will alter the security posture. The General Counsel, given their apolitical position in the organization and their familiarity with the regulatory environment and downstream liabilities, should chair this committee and report its findings to the CEO and the Board.
- Conduct a security assessment: The best way to understand the current state of a company's security is an independent security assessment. Smaller organizations with less complex systems may consider SaaS-based solutions, which can be cheaper and allow IT or information security leaders to enter information and receive an instant score on their security posture. Bear in mind that such a score reflects only what was entered; it is a self-assessment, not a test of the controls themselves, so it cannot reveal the kind of unexpected network path described in the SCADA example above. The results of whichever assessment is chosen should be shared with the multidisciplinary committee to inform where budget is spent to close gaps, which critical data and assets to prioritize for protection, and what to insure.
- Create a culture of security: Weaponize your employees in the fight against cyber crime by investing in training and awareness programs. No one should be exempt from these exercises, including the board and senior executives. For example, proactively teach staff how to spot suspicious phishing emails and implement better password management practices. These small measures can have an immediate positive effect, although awareness reduces rather than eliminates successful phishing, so it should sit alongside controls that limit the damage a single bad click can do.
- Incident response planning: Incident response planning focuses on improving the company's resilience in the face of attacks. Many companies now have an incident response plan, but it is important to test the plan with all stakeholders involved and to keep it regularly updated. Planning for an incident, particularly ransomware, also means keeping regular backups of critical data and systems so that downtime is short, and testing defenses by simulating attacks. Backups that the ransomware can reach will be encrypted along with everything else, so keep copies offline or otherwise isolated from the production network, and rehearse restoring from them before an incident forces you to.
- Have a tailored cyber insurance policy: Even after taking proactive steps such as those outlined above, the evolving threat landscape means that no company can be completely secure. Any cyber insurance policy should take into account the results of the security assessment, so that it covers the areas of greatest exposure that it is not feasible to remediate.
A CEO needs to enlist the entire company in the effort to establish common metrics around cyber risk, building a culture of security through open dialogue, planning and testing. It all starts with the CEO.