Why effective cybersecurity and risk management are crucial for business growth

Disruptive technologies, such as mobility, cloud, IoT and AI, have fundamentally changed our lives. They have transformed how we live and work in ways we could have never imagined just a few years ago. While these technologies have yielded a great number of benefits to organizations, they have also changed how business is conducted and introduced a raft of new cyber risks. With everything now being online and data residing everywhere, cyber poses the biggest business risk to organizations.

The global average cost of a data breach in 2023 was $4.45 million, an increase of 15% over the last three years with no signs of slowing down. Leaders need to understand the nuances of cybersecurity and risk and how to effectively manage that risk to ensure the safety and security of their organizations, customers and products.

Risk is everywhere - and that fundamental fact of life is true in the business world as well. With the rise in digital business, organizations now need to focus on protecting their digital assets, such as customer and employee data, just like they would with their physical assets – their offices and equipment. But, as digital data becomes the backbone of business, its value to cyber criminals also increases and the potential damage of a breach to an organization can include damaged reputations, stolen intellectual property and loss of revenue.

Because it’s impossible to fully eliminate business risk and with cyber constituting the largest portion of that risk, leaders should instead focus on managing risk by identifying what’s mission-critical to their organization and then determining how best to protect it.

To effectively manage risk, leaders must do a holistic business risk assessment and evaluate their organization’s risk appetite. In addition to cyber risk, leaders must also consider other risk types, such as operating risk, credit risk and market risk, and break them down into three categories:

1. Mitigatable risk - the amount of risk that can be mitigated with investments in technology, training and additional resources.

2. Transferable risk - the amount of risk that can be transferred to a third party through insurance.

3. Acceptable risk - the amount of risk that can be accepted by the organization (also referred to as acceptable loss).

It’s important to keep in mind that not all risk is created equal – in today’s digitally-driven business world, by all accounts and measures, cyber still represents the biggest risk to modern organizations. Careful assessment, however, of each of these risk categories against the different risk types will provide leaders with the means to make the proper risk management decisions for their organizations.

Cyber’s outsize role in the organizational risk equation is reflected in recent government actions in regulating various cybersecurity-related areas, such as the reporting and disclosure of cyber incidents and the manufacture of digital products.

Examples of government regulation include the Securities and Exchange Commission’s July 2023 cyber mandate that requires U.S.-based public companies to disclose material cybersecurity incidents and provide information on their cybersecurity risk management strategies for the purpose of ensuring consistent and decision-useful disclosures regarding an organization's exposure to cybersecurity risks and incidents. And, most recently, the European Parliament and EU Council reached an agreement on legislation as part of the Cyber Resilience Act that mandates that connected device manufacturers report serious cyber incidents and actively exploited vulnerabilities.

Clearly, these developments demonstrate cyber’s increasing impact on business, but I believe that a balanced approach is most prudent when it comes to government regulation. While some level of government oversight is needed, over-regulation can also stifle innovation, hurt businesses - and ultimately, economies - overall.

Nevertheless, increased regulatory mandates require business leaders to keenly understand the business impacts of a cyber breach within the context of managing risk.

Business and industry are dynamic environments and, when it comes to cyber, technology can only get us so far. Cybercriminals are evolving their techniques at an alarming rate and the stakes are only getting higher. Yet, with cyber spending at an all-time high – to the tune of $219 billion on legacy solutions, such as firewalls and VPNs – why aren’t we seeing a drastic reduction in cyber incidents?

The answer is inertia. Leaders need to be aware of the disadvantage that inertia poses when it comes to managing cyber risk. Because change is uncomfortable, many organizations simply keep doing what they’ve always done – implementing legacy technology solutions in the hope that increasing investment will address the problem. But, as the saying goes, “What got us here won’t get us there,” because the game has fundamentally changed, meaning current modes of cyber defence must also change. Leaders must be open to new approaches, like zero-trust architectures, to protect against escalating and evolving threats.

The only way to combat this is to change the current mindset, shift expectations and embrace change. This happens gradually and it requires leaders to tap into non-technology factors, such as establishing a progressive, risk-aware culture that builds cyber into all processes through transparent leadership and open communication. I’ve seen first-hand that those leaders who follow this playbook tend to be the most successful at managing risk, thus decreasing the likelihood of a serious cyberattack.

The reality is that cyberattacks will continue to happen, especially as technologies, such as AI, advance and threat actors find novel ways to exploit vulnerabilities, so an organization’s best defence is to accurately assess its risk, employ techniques to effectively manage that risk and develop a cybersecurity strategy that aligns with the organization’s risk profile. It’s not a one-size-fits-all approach, but there are steps, like those outlined above, and proven approaches, like implementing a zero-trust architecture, that can help an organization build a solid foundation to fortify its defences against cyber threats.