Business leaders are failing to protect their organizations from cyber attacks. Why?

A hand is silhouetted in front of a computer screen in this picture illustration taken in Berlin May 21, 2013. The Financial Times' website and Twitter feeds were hacked May 17, 2013, renewing questions about whether the popular social media service has done enough to tighten security as cyber-attacks on the news media intensify. The attack is the latest in which hackers commandeered the Twitter account of a prominent news organization to push their agenda. Twitter's 200 million users worldwide send out more than 400 million tweets a day, making it a potent distributor of news. REUTERS/Pawel Kopczynski   (GERMANY - Tags: CRIME LAW SCIENCE TECHNOLOGY) - RTXZUYD

The numbers and size of cyber security attacks are increasing. Image: REUTERS/Pawel Kopczynski

Craig Horne
PhD Candidate, University of Melbourne
Our Impact
What's the World Economic Forum doing to accelerate action on Cybersecurity?
The Big Picture
Explore and monitor how Cybersecurity is affecting economies, industries and global issues
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale
Stay up to date:


The numbers and size of cyber security attacks are increasing and Australia is one of the world’s largest targets. The Federal government noted the current impact of cyber attacks on the Australian economy is A$17 billion annually.

The reasons are many and include a lack of direction and commitment to understanding information security at the strategic level. Research from the Australian National University shows executive/board knowledge of cyber risks among medium sized businesses is inadequate and board-level governance of cyber security risks varies wildly between organisations. This is troubling given the ultimate accountability of board directors.

The report found that only 58% of cyber security professionals thought their board had a sufficient understanding of cyber risks. Less than half (46%) said their board discusses cyber security rarely or never. Almost a third (30%) even said their board does not receive reports of cyber threats to the company.

Research from Cambridge University and retail bank Lloyds, also shows this level of uncertainty is causing boards to realise they have no idea what they are dealing with and giving up. Boards are doing this by simply outsourcing the risk of a cyber attack through the purchase of cyber insurance. The report comments:

“The amount of cyber insurance being purchased in Australia [has] increased 168-fold (16,828%) in the last two years, as more and more businesses seek to protect their balance sheets from this emerging threat.”

The problem with this approach to cyber risk is that too little effort is being made to understand the value, control and cost of the information that an organisation holds.

Cyber insurance is a product that covers businesses for the risk of data breaches, employee errors in mishandling data and computer hacking attacks. It covers liabilities and the expense involved in responding to a cyber attack. For example, Sony estimated that it spent US$171 million in cleaning up after its PlayStation Network was famously hacked in 2011.

Simply outsourcing the risk of an attack by purchasing cyber insurance fails to protect an organisation’s reputation from repeated and sustained cyber attacks. Another problem is that the erosion of an organisation’s competitive advantage through the loss of trade secrets through cyber attacks, is difficult to measure and insure.

My research shows executives should be identifying the value and sensitivity of the information in their organisations. Only then can they make sensible decisions about what IT infrastructure should be used and whether to seek expert help by outsourcing.

However identifying all the information that an organisation holds is not as easy as it first sounds. For example, some business conversations take place on social media platforms such as LinkedIn. Businesses need to consider whether those conversations are within the realms of responsibility for employers and therefore if employees should be admonished or supported for holding these electronic conversations.

Organisations can sometimes hold vast pools of information that are secret. However holding sensitive, secret information that is non-strategic is costly and may be pointless. Consider for example a retail organisation that has an online ordering website. This sort of organisation shouldn’t be recording and holding the credit card details of customers, if it can be helped.

Global number of cyber security incidents
Image: Financial Times

Outsourcing the payment for goods or services to finance service intermediaries makes good business sense. By not holding credit card details and effectively outsourcing that function, an organisation has made itself safer because it simply can’t end up on the front page of a newspaper for leaking credit card details.

Sometimes sensitive information is necessary for conducting business operations. If this is unavoidable, then organisations might need to ask whether the security controls they have in place to protect their sensitive information are enough. This might also extend to information being used by suppliers or customers.

If the assessment reveals that security controls are not enough, then a business case needs to be made for increased budget to the board. This may be costly, but if sensitive information is necessary for conducting business operations, then it must be protected and the security budget should be approved.

Organisations routinely fail to fully assess and protect against the risks introduced by storing or sharing information with other organisations. Examples include sharing with suppliers, customers, regulators and contract staff.

High profile cyber bungles from supplier-side attacks include the Target attack in December 2013, where the point-of-sale machines, supplied and operated by a third-party supplier, were infected with a virus that siphoned off all the credit card details of customers.

Board directors not taking the time to understand information security strategy can lead to a blanket approach of mitigating all risk of a cyber security attack by simply purchasing cyber insurance. This clumsy approach is not sustainable and consumers should be demanding more from our business leaders.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Related topics:
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

3 trends set to drive cyberattacks and ransomware in 2024

Scott Sayce

February 22, 2024

About Us



Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum