Modern society is systematically dependent on digital technologies, and has reached a point of no return. The Fourth Industrial Revolution, in enabling our transition to the digital world, has created opportunities. Digitization provides many benefits, but given its rapid pace, we live in cyber insecurity.
Cyber attacks against businesses have almost doubled in the last five years. Since we can't remove digital technologies from our economies, daily lives or public safety practices, we must take responsibility and apply security much more thoroughly when innovating, in order to prevent major cyber attacks, loss of data, loss of privacy and other negative outcomes.
In the past, the most famous cyber breaches have been related to infringement of privacy and confidentiality. In the near future, the much bigger problem will be potential attacks on integrity and availability, like the infamous Maersk attack that shut down a company’s network and operations for days. If trust in technology is low now, what will happen when hackers are able to tamper with data integrity, and change patients’ health records, including their blood type, allergies, and medical history? What will happen when hackers can attack availability, causing a train signalling system to malfunction, leading to multiple accidents?
In order to rebuild trust, we must put responsibility and security at the forefront of businesses’ innovation development. In the long term, prioritizing these two values is in the interest of investors. Investors who provide the capital to feed innovation must guide start-ups and SMEs to put security first.
These investors should recognize that security is fundamental to any sustainable investment, and that they have a key role to play in ensuring it. In many cases, investors take a very proactive role in helping portfolio companies to succeed. Part of success is providing a long-term vision for the innovation being funded and its impact on society.
Investors need to take the lead, because it is cheaper and more efficient to incorporate security at the beginning of product development rather than adding it at the end, just as it is much cheaper to prevent fire than stop it from spreading after it has started. Businesses that prioritize security early can evaluate their options and make reasonable choices based on the nature of their business needs and the sensitivity of their data.
Here are four ways investors can influence more secure and responsible innovation.
In order to close the knowledge gap between the tech community and investors, investors have to understand the critical nature of security in their investment portfolio companies. As cyber risks are increasing, it is important to educate investors on the need to assess cyber risk within the investing process. A better understanding of what makes technology more secure, an educated judgement of a company’s security posture and an ability to evaluate risk management strategy are becoming essential elements of thorough investment due diligence. Investors should learn about upcoming market trends, understand the importance of cybersecurity better, and be able to question and challenge the status quo of security in innovation.
It is important that investors and the technology community speak the same language when referring to cybersecurity. Currently, investors speak one language, managers another, and technology managers a third. The need for a universal language is much more pronounced among smaller companies. In order to improve the understanding of cybersecurity and its importance, there should be a standard language for the investment community to address cybersecurity as a business risk, rather than just an IT issue.
This includes agreeing where cybersecurity expertise falls within the company; how cybersecurity risk is disclosed and measured; what the key cyber threats are; what should be included in a cybersecurity audit and assessment; and finally, details such as whether the board is responsible for cybersecurity issues. Currently there is a wide gap between the investment community and technology innovators when referencing security. Agreeing on basic terms of reference will help bridge this gap.
Understand security’s impact on investments
As cyber threats continue to escalate, consumers are seeking more cybersecurity and questioning their data privacy. Companies that prioritize security in their development will gain an advantage over their competitors. According to the Ping Identity 2018 Survey, following a data breach, 78% of consumers are inclined to stop engaging with the affected brand online, and 36% said they would stop engaging with the brand completely. Nearly half (49%) of respondents said they wouldn't engage a service or application that had experienced a recent data breach. As the survey shows, cyber breaches can be very damaging, especially to companies that are still establishing their name. For a brand that is not yet well known, a breach could be fatal.
As new digitally native generations join the consumer market, the demand for better embedded security will rise. According to the Deloitte/SSI 2016 Consumer Survey, younger generations (millennials and Gen Z) take more protective steps than older generations.
Due care standard
During the investment process, investors look at quality of earnings and revenue. Why aren’t investors looking at the quality of security of the company and its product? If there were a universally agreed due care standard that companies could be evaluated on, then investors could adjust investments and incentives accordingly. Such a cybersecurity due care standard should be inclusive and incorporate both basic cross-industry standards and different levels of evaluation for different stages of a company’s development, from start-up to small and medium-size enterprise. If a due care standard is developed, companies can be evaluated and benchmarked against it in a fair and transparent way.
Investors and innovators have to find the right balance between fear and hope in developing new technologies. In order to do that, both communities have to speak the same language, and have a similar understanding of the importance of security and responsibility in innovation development.