There’s an Arabic saying for anyone struggling to protect themselves: “Only iron strikes iron.” Lately, I have been reminded of that concept by the rise of cybersecurity risks and how ill-prepared many business executives are.
A recent British government report finds that 46% of UK businesses have had at least one cybersecurity breach or attack in the last year — everything from emails containing viruses and spyware to malware attacks. That number rises to 66% for medium-sized firms and to 68% at large firms. The survey of 1,500 businesses finds that even though 74% of executives acknowledge this as a high priority for senior management, only 29% of firms have a specific board member responsible for cybersecurity and only 11% have established a cybersecurity incident management plan. That’s not fighting iron with iron, but with a feather.
The revelation that so many businesses are so unprepared is all the more shocking since it’s a threat we are all aware of; an act of cyber terrorism took down Ukraine’s power grid in 2015 caused by suspected Russian “BlackEnergy 3” malware; Hillary Clinton blames suspected Russian hacking of Democratic National Committee emails for losing the U.S. presidential election; and the biggest hack of all compromised the private data of more than one billion Yahoo accounts — customers’ names, email addresses, telephone numbers, dates of birth, passwords and unencrypted security questions and answers.
The costs of a cyberattack are significant. Research by the Ponemon Institute for IBM reveals the average cost of a data hack in the United States is $4 million per incident. The report found that putting in place programs to mitigate that risk cuts the overall cost of any data breach by 15% and lowers the likelihood of a data breach in the next two years by 29%.
An even more significant cost of any data breach can be to a company’s reputation. With 70% to 80% of a company’s market value today coming from intangible assets such as brand equity, goodwill and intellectual capital, according to a Harvard Business Review article, company executives should fight hard to protect their reputation.
Smart companies can work to thwart attacks by:
§ Appointing a senior executive (for example, a chief information security officer) as point-person responsible for cybersecurity, reporting to the board. A recent Accenture report urges firms to have a cyber-committed board and a chief executive that together are, “engaged with how cybersecurity impacts the business, how it affects risk tolerance, and how it enables opportunities.” We’re far from that point today — only one third of businesses have board members with responsibility for cyber security.
§ Assessing the firm’s cybersecurity vulnerabilities, including risks that could come as a result of a breach at vendors or suppliers that have your firm’s data or access to your network. As General Electric Chief Executive Jeff Immelt says, “Boards are really about leadership, strategy and risk, and how you manage risk.”
§ Establishing governance measures to raise awareness and educate all staff, not just IT teams. The most common attacks are phishing, viruses and ransomware that exploit simple human error, such as opening a suspicious email, as well as exploiting technical flaws in cybersecurity.
Acting sooner rather than later is important since you never know when your company might be caught up in a cyberattack. A leading investment banker at a Dubai-based firm told me recently about a merger deal that was complicated when the emails of the company being acquired were published as part of a WikiLeaks dump.
Protecting against risk is good for business. An EY report reveals that top-performing companies have twice as many key risk capabilities as low-performing ones and that stronger profits are highly correlated with a firm’s level of risk control.
Cybersecurity isn’t just a risk, it’s a huge opportunity. Australia, for example, is working to build its own cybersecurity ecosystem that it then hopes to export to other countries around the world. The Australian Cyber Security Growth Network was established this year with a goal of tripling the size of the nation's cybersecurity industry sector to AU$6 billion in revenues.
Other countries could follow suit and build their own centers of excellence, not just to protect against a growing threat but to take advantage of a huge investment opportunity: Cybersecurity Ventures forecasts that globally cybersecurity spending will exceed $1 trillion from 2017 to 2021. Now, that’s an opportunity to strike iron with iron.