• The increase in remote working with the pandemic has increased our exposure to cybercrime.
• Most companies are ill-prepared in their cyber-resilience plans.
• Cybersecurity should be fully integrated with a company's business strategy.
The accelerated shift towards digital space with the pandemic has changed the corporate world. It is up to company leaders to make sure their businesses can adapt effectively to these changes and keep pace with global digitalization. This process, however, comes with multiple challenges. Research shows C-suite executives are 12 times more likely to be targets of cyberattacks than other employees at their organization. Coupled with other risks on the threat landscape, this might endanger the digital transformation of the business.
Key digital risks for organizations in 2021
We are surrounded by smart devices – at home, at the office, in the streets. According to IoT Analytics, by the end of 2020 the number of connected devices around the globe will reach 21.7 billion, and 54% of them will be part of the internet of things (IoT).
However, these devices may be vulnerable. As Microsoft predicts, 94% of businesses will be using IoT by the end of 2021. In terms of risks, a successful breach of an unprotected device may lead to irreversible consequences for the whole corporate infrastructure. For example, hacking a smart camera on the company perimeter, fraudsters can access codes to rooms or see the work schedule of security staff.
Have you read?
The World Economic Forum warns data theft is now among top 10 global risks. With the widespread use of digital ID, this poses a serious threat for commerce. Experts estimate in 2020 darknet forums and criminal websites contain over 15 billion stolen logins and passwords, and the industry sectors vary to a large extent.
Phishing and social-engineering methods are the most common ways to steal data. CEOs are especially vulnerable – company leaders are traditionally target #1 for criminals. Globally, 40% of companies cited their C-level employees, including the CEO, as their highest cybersecurity risk.
Use of novel technologies for attacks
Cybercriminals tend to carry out their attacks using the latest technologies. In 2019, an energy sector company in Germany lost €220,000 due to criminals gaining access to the personal data of the company CEO. They used an AI-based technology for generating images and sounds, deepfake, to simulate his voice and persuade one of the subsidiary directors to transfer money to the adversary’s bank account.
Disregarding security in the company transformation strategy
McAfee has calculated the global spending on cybersecurity is expected to exceed $145 billion for 2020. Yet there are still those companies that go digital, but fail to include cybersecurity into their transformation strategy. This can lead to considerable costs in the future. Strict regulations, market demands or a security incident may result in the need to upgrade the systems, rebuild business processes or modify the already released products, resulting in loss of customers and profits.
Why is cybersecurity becoming a priority for C-levels?
This rapid digital shift reveals numerous threats to businesses’ integrity and continuity, thus making cybersecurity an issue of strategic importance. At present, 83% of companies do not have business continuity- and disaster recovery-plans. It is up to the CEO to address this and lead the company towards a higher level of cyber-resilience.
Another reason to prioritize cybersecurity is the scale of potential harm to the company in case of an attack. Just one incident is enough to cause serious financial and reputational damage. A study by Accenture has found that the current mean cost of an attack for an average business is $380,000. With approximately 22 incidents per year, this equates to huge financial losses for the corporate sector. Apart from that, in a survey by McAfee, 92% of respondents identified non-monetary damage from cyberattacks, the biggest being productivity and lost business hours, with the longest average interruption being 18 hours. Damage to brand and reputation is the long-term consequence of such incidents.
Steps to reduce digital risks
1. Cybersecurity as a strategy
Include cybersecurity in the company's digital development and transformation strategy. Cyber-resilience needs to become a cornerstone of the ecosystem, hence these discussions should be making their way into the board meetings. Invite your chief information security officer (CISO) to the board – this person is now more than a technical pro, he or she helps to drive the business forward and should actively participate in the strategic planning.
2. Management of risks
Assess the risks and include cybersecurity in the company risk profile. Involve the CEO and the board to introduce risk and crisis management practices in the company.
Let’s say a cybersecurity incident has occurred. The company needs precise and verified response actions at the technical level, swift decisions of the board, effective interaction of the departments and subsidiaries, as well as correct communications with the investors and the public. All this requires an action plan and regular crisis trainings with participation of top management and each employee.
Invest in cyber-literacy training for C-level executives and all employees through special courses, tests and simulations. Cyber exercises and trainings for the whole staff team help to build a security culture inside organizations, raise cybersecurity awareness, not allow employees to fall for social engineering and data theft. Our research shows that regular training improves staff resilience to phishing by nine. The basic knowledge of cyber hygiene rules will prevent a CEO from being a perfect target to criminals.
Consider addressing expert organizations for consultancy and/or outsourcing your cybersecurity needs. These issues need resources, both financial and human. In the frame of one company, the cybersecurity staff deal with similar threats, while expert companies possess a lot more experience, as they deal with various types of events on a daily basis. They have specific software and hardware, and highly qualified staff. Such a solution may save money and resources and secure the business.
What is the World Economic Forum doing on cybersecurity
The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.
Our community has three key priorities:
Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.
Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.
Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.
Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.
The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.
For more information, please contact us.
Securing a business is a complex task and, to some extent, the personal responsibility of a CEO. In guiding their companies through the digital transformation safely and effectively, executives need to participate in building cybersecurity strategies, increase personal cyber-literacy and lead the team confidently through the challenges of the digital era.