In the past 20 years, the nature of corporate asset value has changed significantly. Eighty per cent of the value of Fortune 500 companies now consists of intellectual property (IP) and other intangibles. With this rapidly expanding “digitization” of assets comes a corresponding digitization of corporate risk. As a result, cybersecurity now tops the list of issues corporate boards must face.
Recent research shows that corporations worldwide are losing hundreds of billions of dollars annually through the loss of IP and trading algorithms, destroyed or altered financial and consumer data, and diminished reputations, while also facing increased regulatory and legal exposure. And the situation is getting much worse.
Cybersystems, which were designed without security in mind, are becoming even more insecure with the explosion of mobile devices and the networked connection of almost every physical asset from security cameras to refrigerators – the “Internet of Things”. In addition, the attack community is vastly improving its techniques. The sort of sophisticated cyberattacks we saw only between nations a few years ago are now being practiced by common criminals. Or, as in the case of Sony, attacks are being launched by nation states against commercial entities for political or economic purposes.
Finally, the economics of cybersecurity favours the attackers. Cyberattacks are relatively cheap and easy to access. The attackers’ business plans are expansive, with extremely generous profit margins. Meanwhile, defence tends to be a generation behind the attackers; it’s hard to show return on investment for attacks that are prevented; and law enforcement is almost non-existent – we successfully prosecute less than 2% of cybercriminals.
This little-understood imbalance of the economic incentives is exacerbated by the fact that many of the technologies and business practices that have recently driven corporate growth, innovation and profitability also undermine cybersecurity.
Technologies such as VOIP or cloud computing bring tremendous cost efficiencies, but dramatically complicate security. Efficient, even necessary, business practices such as the use of long supply chains and BYOD (bring your own device) are also economically attractive but extremely problematic from a security perspective.
Corporate boards are faced with the conundrum of needing to use technology to grow and maintain their enterprises without risking the corporate crown jewels or hard-won public faith in the bargain.
The National Association of Corporate Directors’ Cyber Security Handbook identified five core principles for corporate boards to enhance their cyber-risk management.
- Understand that cybersecurity is an enterprise-wide risk management issue. Thinking of cybersecurity as an IT issue to be addressed simply with technical solutions is an inherently flawed strategy. The single biggest vulnerability in cybersystems is people – insiders. Cybersecurity costs are managed most efficiently when integrated into core business decisions such as product launches, M&A and marketing strategies. Moreover, in an integrated world, organizations must take into account the risk created by their vendors, suppliers and customers as their weaknesses can be exploited to the detriment of the home system.
- Directors need to understand the legal implications of cyber-risk. The legal situation with respect to cybersecurity is unsettled and quickly evolving. There is no one standard that applies, especially for organizations that do business in multiple jurisdictions. It is critical that organizations systematically track the evolving laws and regulations in their markets.
- Boards need adequate access to cybersecurity expertise. Although cybersecurity issues are becoming as central to business decisions as legal and financial considerations, most boards lack the needed expertise to evaluate cyber-risk. Many boards are now recruiting cyber professionals for board seats to assist in analysing and judging staff reports. At a minimum, boards should regularly make adequate time for cybersecurity at board meetings as part of the audit or similar committee reports.
- Directors need to set an expectation that management have an enterprise-wide cyber-risk management framework in place. At a base level, each organization ought to have an enterprise-wide cyber-risk team led by a senior official with cross-departmental authority that meets regularly, has a separate budget, creates an organization-wide plan and exercises it.
- Based on the plan, management needs to have a method to assess the damage of a cyber-event. They need to identify which risks can be avoided, mitigated, accepted or transferred through insurance. This means they need to identify which data, and how much, the organization is willing to lose or have compromised. Risk mitigation budgets then need to be allocated appropriately between defending against basic and advanced risks.
If an organization follows these principles, it should be well on its way to establishing a sustainably secure cyber-risk management system.
Author: Larry Clinton is President and Chief Executive Officer of the Internet Security Alliance (ISA)
Image: An illustration picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw June 24, 2013. REUTERS/Kacper Pempel