While business executives and government officials periodically refer to cybersecurity threats with appropriate expressions of concern, it is not clear that corporate America is devoting sufficient attention to the negative consequences of data breaches. These serious problems include disruptions to the bottom line such as the following eight common examples:
- Loss of reputation
- Pirated products
- Loss of R&D data
- Regulatory penalties
- Declining stock prices and company valuations
- Legal costs and liabilities
- Operational delays
- Loss of clients and prospects
This is not to say that today’s corporate executives think that cybersecurity is not important. As one example, the annual CEO survey by PricewaterhouseCoopers (PWC) revealed that 90 percent of U.S. CEOs consider cybersecurity to be “extremely important” while 87 percent are “concerned about cyber threats.” However, in a recent C-level executive study conducted by the Ponemon Institute, 85 percent of the 700 U.S.-based executives participating in the study admitted to a data security breach and 46 percent of reporting businesses did not implement encryption solutions after a data breach occurred.
Politicians such as Hillary Clinton speak regularly about the international risks due to cybersecurity. While referring to hacker networks, terrorist groups and cyberattacks by hostile states, Ms. Clinton stated that cybersecurity will be “one of the most important challenges” faced by the next U.S. President.
What does a data breach actually cost? PWC estimates range from an average of $500,000 for a single data breach to $1.8 million annually per company among midsize corporations that have detected cyber incidents. Most parties agree that these are conservative estimates of financial losses for a business when cyber threats successfully hit the mark.
For business executives always searching for ways to reduce expenses and improve the bottom line, paying more attention to cybersecurity risks seems like a prudent and cost-effective strategy that might not be receiving sufficient attention. The following paragraphs outline some additional key thoughts and suggestions offered by Research Optimus, a global data management company.
The Evolution of Cyber Threats in 2016: More Sophisticated Cybercriminals
Last year’s cybersecurity problems will not necessarily be the primary challenges in 2016 and beyond. When discussing cyber threats to prepare for in 2016, Morgan Stanley stated that the biggest threats in 2016 will be destructive malware, malicious insiders and ransomware. According to Theresa Payton, CEO of Fortalice, a new piece of malware is discovered every 90 seconds. As reported by Lisa Monaco of Homeland Security and Counterterrorism, “We face more attacks, more methods, more actors and more victims.”
Destructive malware destroys data, often by overwriting it. In a variation of an “inside job,” malicious insiders are employees who can and do harm a business from their inside position. Ransomware involves blocking access to a company’s data until the company pays a ransom, usually in anonymous Bitcoins.
The simplest solutions such as anti-virus and anti-malware software are not enough to defend businesses from these current cyber threats. Sophisticated hackers — particularly those with insider connections — already know what kind of software to anticipate and how to bypass it easily. Today’s cybercriminals are increasingly attacking startups and midcap companies that are often less prepared than larger international conglomerates.
However, the existence of cyber threats is still not enough to result in a universal reaction by corporate America — 40 percent of leading U.S. private companies do not plan to invest in information security during the next few years.
A 4-Step Holistic Approach to Cybersecurity
The lack of a simple “quick fix” for cybersecurity threats might be what is causing many businesses to postpone an immediate response. Rather than doing nothing, however, Research Optimus advocates a more thoughtful and effective response that includes attention to top-down solutions, bottom-up solutions, third party security standards and counter strategies.
- Step 1: Top-down Cybersecurity Solutions — Remember the classic advice from President Harry S. Truman: “The buck stops here.” Choose the best board of directors member to oversee and coordinate cybersecurity defense measures. This individual will keep the board advised as action is taken. At the same time, the board of directors needs to play an ongoing role in adjusting future cybersecurity actions to be taken.
- Step 2: Bottom-up Cybersecurity Solutions — The goal here is to eliminate “human error” as the leading cause of data breaches (as it has been during the last two years). Employee training can raise awareness of problems to avoid and teach staff members what they should do to prevent cybersecurity attacks. For example, better training can prevent security exposures such as (1) employees logging into corporate systems with smartphones that contain malware, and (2) hackers gaining access to corporate systems via unsuspecting employees using social media platforms.
- Step 3: Establish Security Standards for Third Parties — As business and government organizations increasingly rely on third parties to accomplish many tasks, the lack of strict external security standards can become a substantial source of cybersecurity vulnerabilities. It is absolutely vital for businesses of all sizes to take control of this “security black hole” by establishing security standards for any third party involved in data creation, usage, storage and deletion/modification. Once policies are created, companies must be prepared to monitor and enforce the external data policies.
- Step 4: Counter Strategy (“Plan B”) for Cybersecurity Attacks — “Always have a Plan B” is sound prevailing wisdom for those times when “something goes wrong” despite your best security measures. Early recognition and quick responses are two essential components in your Plan B for cybersecurity attacks because 60 percent of data is typically stolen in the first few hours of a cybersecurity attack.
How Feasible Is Private-Public Cooperation?
Critical infrastructure such as air traffic control and the power grid offers a clear illustration of effective cooperation between public and private entities. To date there have been about 750 cyber events on a global basis — despite private and public cooperation arrangements that were already in place.
Can cybersecurity risks be reduced by public-private cooperation? Simply stated, there is always room for improvement when it comes to government entities working cooperatively with private businesses. While 34 percent of CEOs report a positive impact from changes in international regulations for cybersecurity, 50 percent don’t see any positive changes.
For now the lesson to be learned is two-fold: (1) As observed by the CEO of eBay, John Donahoe — “Government and companies need to work together.” (2) Forward-thinking business executives can’t afford to wait for government action before taking their own precautionary steps to prepare for a proper level of cybersecurity safety.
Conclusion: Reducing Cybersecurity Risks in 2016 and Beyond Requires Proactivity
Among the issues confronting corporate America in 2016, cybersecurity appears to be a leading candidate for growing into a bigger problem if specific action is not taken. This does not seem to be a problem that can be solved by government legislation alone. Cybersecurity is a serious current issue — and business executives need to apply proactive solutions before it is too late.
Ideally the “best solution” is a combination of modern technologies, public-private cooperation, corporate governance, employee training, third party security standards and a Plan B cybersecurity strategy when something still goes wrong. Unfortunately, organizations of all sizes might be ill-prepared to fight this battle alone. Using external research experts such as Research Optimus should be considered as part of a cost-effective plan for tackling cybersecurity risks and challenges in a timely fashion.
– Research Optimus