Understanding Cyber Threats - Lessons for the Executive Team
"Cyber insecurity is a tax on growth"
Today, cyber risks affects all industries and markets and can represent an existential threat, especially to smaller companies that have limited resources and have built their business around one line of products or services.
In recent years, corporate executives and board members worldwide have ranked cyber risk as the third-highest risk to their business, behind only taxation and customer loss. The Center for Strategic and International Studies (CSIS) and American cybersecurity firm McAfee estimated that cybercrime and corporate espionage now cost the world economy about $600 billion a year, nearly one percent of global GDP. The 2017 Ponemon Institute study calculated that the average cost of a data breach is about $4 million per company worldwide, and as much as $7.4 million$mdash;almost twice the world average$mdash;for American firms, including detection and escalation costs, business disruption, lost revenues, customers and opportunities, notification costs, restitution, fines, legal and remediation services. The longer it takes to detect and contain a data breach, the costlier it becomes to resolve. Unfortunately, organizations still take approximately 191 days to identify that an incident has occurred and 66 days to contain it, and most of them experience two successful breaches per week where their core networks or enterprise systems are infiltrated. Research has also shown that over 80 percent of cybersecurity incidents are caused by successful exploitation of known vulnerabilities that have never been patched despite patches being available for months, if not years, and that nearly half of the security risk that organizations face stems from having multiple security vendors and products. Finally, a 2016 survey conducted by PwC found that more than half of US companies had experienced some type of cyber incident but that, as many experts in the field estimate, the other half of companies had most likely already been compromised without knowing it. These trends are growing and businesses are facing more sophisticated security threats than ever before.
In addition to the growing scope, volume, frequency, and sophistication of cyber attacks, there is a?widening gap between the supply and demand of knowledgeable and experienced cybersecurity professionals capable of addressing the threats at hand. The shortage of a highly trained cybersecurity workforce can be felt across all sectors, from the federal government to the private sector, with potential negative consequences for national security and the global economy. The demand for information security professionals has never been greater and is expected to rise to 6 million globally by 2019, with a projected shortfall of 1.5 million trained personnel.
Despite this well-documented skills gap, surveys have shown that less than 25 percent of C-level executives and board members$mdash;who should be responsible for building a team of trusted experts and fostering a culture of security$mdash;believe that recruiting and retaining skilled professionals is a critical cybersecurity issue. Many of them, especially small and medium-size companies, still display tendencies to treat cybersecurity as an isolated "IT problem" best left to their already overwhelmed IT department or, even worse, to their third-party IT vendor. A decade ago, this may have been the right course of action, but today this approach is both untenable and dangerous. These senior leaders and managers' natural optimism bias combined with a lack of understanding of cyber risks often leads them to believe that their company's security posture is stronger than it actually is, or that since they have purchased the latest security tool or software, or they are complying with specific state or federal government policies, then they are secure.
These common trends reinforce the conventional wisdom that views cybersecurity as a "technical problem" rather than a business risk or "people problem." And while advanced technology solutions and compliance with business standards and regulations are certainly important for protecting an organization against cyber threats, those actions alone are insufficient. No matter how efficient, agile, flexible, and secure any particular technology solution is, its capabilities are limited if it is not properly configured, effectively implemented, and regularly updated by management teams and correctly used by skilled employees who follow well-defined processes. Otherwise, vulnerabilities will surface that can be leveraged by both internal and external threat actors. In short, any technology for managing cyber risk is only as good as?the people who develop, implement, use, and maintain it. Moreover, while technology failures, systems flaws, and vulnerabilities can be blamed for many cyber incidents, the "people problem" is often at the core of some of the most damaging cyber attacks. Indeed, most cybersecurity issues start with ordinary technology users who have not received proper training, do not take security seriously, or prize convenience over security by$mdash;consciously or not$mdash;sidestepping basic standards of best practices.
Exacerbating this problem is the attitude that many small and medium-size organizations continue to show towards cybersecurity: that no matter how bad cyber threats are, they will not be a victim because they are either too small, not as profitable, not part of a critical sector, already well-protected, and so forth. There are endless reasons they give themselves to justify not adopting proper cybersecurity measures and effective mechanisms to counter cyber risks. As a result, they operate under a false sense of security, which furthers the mismatch between their perception of cyber risks and the reality. This is often compounded by the additional "communication/language gap" that exists between policy-savvy executives and the technical people, which puts them at odds with each other and can ultimately lead to an even more fragile security environment.
Thus, it goes without saying that cybersecurity has to be considered one of the most important aspects of managing risk in organizations of all sizes in all sectors, with duties and responsibilities extending through every level of the workforce. Achieving cybersecurity, however, is a complex and never-ending task. And while cyber risks, as with all risks, cannot be completely eliminated, they can be managed through informed decision-making processes, careful planning, workforce training, and appropriate allocation of resources. Understanding the threat landscape and staying abreast of the latest techniques and vulnerabilities can help small and medium-size businesses better plan their defenses and better allocate human and financial resources to minimize cyber risks. Moreover, establishing administrative, technical, and legal controls to protect a company's networked infrastructure and data, educating all employees about cybersecurity, and practicing good cyber hygiene as a function of managing and growing a business are probably the most effective solutions any organizations can adopt to prevent, mitigate, and respond to cyber incidents.
Additional posts in this series will provide an overview of existing frameworks, toolkits, and other resources that small and medium-size organizations can consult to stay informed about cyber threats, develop comprehensive cyber risks management strategies, and learn about some of the best practices and effective mechanisms deployed in the field to combat those threats. Particular attention will be given to the role that senior leaders and managers must play in the overall cybersecurity posture of any organization operating in the digital age.
Francesca Spidalieri is the Senior Fellow for Cyber Leadership at the Pell Center for International Relations and Public Policy at Salve Regina University, where she leads the Cyber Leadership research project and the Rhode Island Corporate Cybersecurity Initiative (RICCI). Francesca is also an Associate at Hathaway Global Strategies LLC, and serves as Co-Principal Investigator for the Cyber Readiness Index project at the Potomac Institute for Policy Studies, and as a Distinguished Fellow at the Ponemon Institute. Her academic research and publications have focused on cyber leadership development, cyber risk management, comparative organization analysis, and national cyber preparedness and resilience. She lectures regularly at cyber-related events nationwide and contributes to journal articles and other publications on cybersecurity matters affecting countries and organizations worldwide. She holds an M.A. in International Affairs and Security Studies from the Fletcher School at Tufts University, a B.A. in Political Science and International Relations, summa cum laude, from the University of Milan, and has completed additional cybersecurity coursework at the U.S. Naval War College's Center for Cyber Conflict Studies.