June 11, 2019
The past few years have shown us that the cybersecurity landscape has only gotten more complex, as massive attack after massive attack—the WannaCry and NotPetya ransomware outbreaks, the 2016 breach at Uber Technologies, the leaks by the Shadow Brokers group, and many more—jolted enterprises around the world.
With cyber risk and the impact of breaches at an all-time high, the board and the C-suite must make data security one of their top priorities in 2019—once and for all dropping the notion that defending the enterprise is mainly the responsibility of the IT department and truly looking at security from a business rather than purely a technology perspective.
Why? The consequences of a successful attack can permeate an entire organization in multiple ways, often resulting in more damage than the company expects or is prepared for.
There’s the hit to the bottom line and shareholder value, for starters. For example, after one of the most infamous recent ransomware attacks, NotPetya, shipping company Maersk reported a quarterly loss of about $200 million to $300 million, while FedEx Corp. blamed the outbreak for a $300 million loss in its TNT Express subsidiary.
Severe cyber incidents also tend to be poison for companies’ stock prices, causing a permanent average decline of 1.8 percent, according to security consultant CGI and Oxford Economics. In some cases, attacks have stripped as much as 15 percent from companies’ valuations, the report said. A study by Ponemon Institute found that companies can expect a 5 percent stock price drop the day a breach is announced.
Many companies rely on insurance to cover at least part of their losses from business disruption and related costs, such as customer breach notification, regulatory compliance, lawyer fees, and public relations. But it’s naïve to think the repercussions of a cyber assault are restricted to lost earnings and increased expenses. The long-term harm to a company can be formidable, multifaceted, and take years to recover from.
According to Cisco’s Annual Cybersecurity Report, more than 20 percent of businesses struck by data breaches the previous year experienced not only revenue declines, but substantial loss of customers and business opportunities.
A Deloitte study pointed out that the costs of a breach fall into two categories: “above the surface” issues, such as customer notification, regulatory compliance, and cybersecurity improvements, and “below the surface” charges that can linger for years. These include insurance premium increases, increased cost to raise debt, operational disruption, long-term damage to brand reputation, and loss of competitive edge.
Insurance company Lloyd’s warns that because of these “slow burn” costs, companies could face a bigger toll from a cyberattack than they ever see coming.
All of this is overwhelming evidence that company leaders need to be thinking about the wide range of devastation that a major data breach can leave behind, and act accordingly.
Here are five immediate steps that corporate directors and other company leaders should take:
Rather than treating cyber risk as mainly an IT problem, overseen by the chief information officer (CIO) and the chief information security officer (CISO), this path ensures that cyber risk is placed on the same level as any other risk to the company and receives cross-C-suite attention.
Do not cut corners on technology and expertise to save money, only to lose much more after a breach. The ability to apply the right resources is another reason that the business case for mitigating cyber risk must be made as strongly as possible inside organizations.
Ultimately, process improvement remains separate from technology solutions. It’s critical for organizations to not only invest in their cybersecurity program, but also know their weaknesses and make sure they have the right solutions in place to close that gap. It’s also important to focus on improving and maintaining processes and controls, not simply buying more and more new technologies and expecting them to solve the structural issues within an organization.
Rather than responding to this increased concern with a rote agenda item at board meetings, handled with jargon-filled PowerPoint presentations, seize on it as an opportunity to fuel a discussion about the company’s security posture, where gaps exist, how risk is being mitigated, and how to measure and establish benchmarks on the number, nature, and extent of vulnerabilities.
Stop thinking of it as the CIO’s and the CISO’s domain and start viewing it as a priority for all company leaders. For example, CFOs haven’t traditionally been thought of as a core member of security teams, but who better understands the business, the financials, critical investments, and the impact of risk? Cybersecurity requires a partnership across the C-suite and that should include the CFO and any other nontraditional voices that can have a positive influence.
Since many breaches begin as phishing attacks that trick victims into clicking on a malicious link or document in an email, companies should institute more regular and comprehensive employee training. To underscore the seriousness, better education and training should come across as a major priority from on high.
This year and beyond, it will be crucial for companies to place cybersecurity front and center as a business issue, not just a technology issue—and to reflect that thinking in everything they do.
Brian Cohen is CFO of BitSight, which provides companies with security ratings.