Global cyberattacks like WannaCry and NotPetya have bumped cyber risk firmly to the top of C-suites’ agendas. Even with this increased attention, businesses are still grossly underestimating their exposure, particularly because the attacks happening now are only the tip of the iceberg. The disruption to businesses’ growth, competitiveness, operations and existence is already playing out – and will dramatically increase in the near future. Cyber risk threatens the viability of all organizations; no CEO should be under an illusion about the implications to their business. Nonetheless, a huge proportion of executives are not translating this attention into implementation of the right people, processes and technology to protect their companies.
Misperceptions
The misperception that cyber risk is predominantly a data breach issue for large companies persists. Outside industries like retail, financial services and healthcare, organizations often underestimate the size of the target on their backs, because they have not traditionally operated under strict regulations on the use of data such as protected health information (PHI) and personally identifiable information (PII). Responsibility for cyber risk management urgently needs to expand to organizations across all sectors. The convergence of the digital and physical worlds means the damage caused by cyber attacks now extends far beyond loss of data and intellectual property. Tangible and intangible assets, systems and processes are increasingly intertwined. As a result, cyber risk will have an even more dramatic impact on business operations, research and development, supply chains, manufacturing plants, third-party service providers and customer relationships.
Bringing critical business functions online is increasing operational risk. For example, testing exercises for companies in the energy sector have successfully reached critical supervisory control and data acquisition (SCADA) systems that the companies wrongly believed to be separate from their main corporate network. SCADA systems and devices control physical processes in many contexts; in the energy sector they may regulate electrical flow to turn machines on and off, as well as other aspects of the exploration, transportation and production of oil and gas. If a malicious actor had compromised the corporate network and moved laterally into the SCADA environment before our technical experts discovered the issue, it would not have been only the company’s valuable data and information that could have been exposed. Imagine the production disturbance, business interruption or even physical damage, human injury or loss of life that could have been inflicted if normal functioning had been altered. Testing exercises in other sectors have had similar success, for example compromising manufacturing companies and accessing unreleased product designs, configurations and launch plans. The convergence of the digital and physical worlds in many industries, including biomedical devices in healthcare and connected cars in automotive, increases the threat.
A Clear Disconnect
This disconnect between the seriousness of the risk and the measures in place also varies by the size of the organization. Executives at smaller firms are often skeptical that they represent a significant target for cyber attacks, which can limit their investment in cybersecurity. However, criminals are not only targeting high-value corporates but also launching large-scale attacks to disrupt as many organizations as possible. For example, the Locky, NotPetya and WannaCry ransomware attacks hit companies indiscriminately, regardless of size, by exploiting basic weaknesses such as unpatched software and, in Locky’s case, employees opening malicious email attachments. A small to mid-sized organization might weigh the cost of a ransomware payment of a few hundred dollars against the cost of a security assessment, remediation and insurance, and decide to roll the dice. This approach often fails to acknowledge the very tangible consequences of systems and information being unavailable, even where there is no risk of physical damage or human injury. It can be an existential miscalculation, as smaller enterprises in any sector cannot always afford to withstand the interruption to sales and operations caused by an attack.
Basic Fundamentals
While the majority of media reporting on cyberattacks is focused on data breaches, the consequences for revenue, operations and other functions are very real. Even in smaller or less mature organizations without a fully staffed security department, there are some basic fundamentals that CEOs should be asking about and ensuring are implemented:
A CEO needs to enlist the entire company in the effort to establish common metrics around cyber risk, building a culture of security through open dialogue, planning and testing. It all starts with the CEO.