Most people know the core functions of the modern business: human resources, sales, marketing, finance, and IT all play vital roles in keeping businesses running smoothly and employees working productively. Corporate leaders have little problem focusing their attention on the needs of these departments and supporting them financially; however, there are other lesser known but equally important elements of the modern business which often go overlooked and under-resourced. Among them is one of the most important and pressing topics of today’s business agenda: cybersecurity.
Modernising traditional mindsets
It is easy to treat the risk of cyberattacks as a “what if” scenario instead of what it actually is: a reality that will strike every company eventually, leaving every business exposed to the threats aimed at it. Leadership teams that are not aware of the real risks involved will struggle to build a robust business strategy and to understand the investment required to protect their own and their customers’ data.
Despite this general lack of awareness and readiness, the fact remains that cyberattacks are frequent and costly. According to the latest Verizon Data Breach Investigations Report, each attack can cost $1.2 million in damage on average – and some even more, with the most expensive running into the billions of dollars as we saw with the 2011 Epsilon attack.
In the three decades since the internet became widely used, these attacks have become a regular occurrence, yet they are still comparatively new as an item on the corporate agenda, which explains the current lack of urgency to address cybersecurity in today’s boardrooms.
A contradiction in the boardroom
A recent insight report published by the World Economic Forum named ‘cybersecurity failure’ among the top risks facing businesses today; however, the manner in which companies tackle cybersecurity is something of a paradox. Cyberattacks are ranked just behind the dangers presented by infectious diseases, livelihood crises, and extreme weather events, and are also seen by directors as one of the top five trends that will have the greatest impact on their companies in the next five years.
Despite the clear significance of the threat, corporations around the world continue to be easy prey for vicious predators. Why? Mostly through a lack of investment, but also because too many leaders consider cybersecurity to belong squarely within the domain of IT – a highly technical and specialised area to be kept remote from C-suite decision-making.
Moreover, investment in technology solutions is primarily driven by the prospect of a speedy and measurable return on that investment. The challenge is that, generally speaking, cybersecurity doesn’t always provide a clear ROI, and you can’t, in reality, benchmark attacks that have been avoided. Thus, cybersecurity is often relegated to a less strategic concern, with investment to match. In the worst cases, some companies refuse to acknowledge the dangers even though the potential risks of cyberattacks are clear.
Meeting the challenge head on
None of the above approaches, from limited investment to wilful ignorance, is capable of countering cybercriminals. Instead, companies must introduce a laser-like focus on their own internal vulnerabilities, enabling them to comprehend the risks at hand and therefore devise and deploy a cyber strategy which will ensure self-protection – before the attacks have commenced.
Waiting until a breach occurs becomes a costly damage limitation exercise both in terms of the data exposed and the impact on market reputation – companies affected by a cyberattack on average suffer a 1.1% drop in value and a 3.2% drop in annual sales growth.
And while corporations need to be having the conversation about cybersecurity, it needn’t be deemed an inevitable disaster. Instead, we need to consider it in the context of all the other potential disasters and organisational risks that we evaluate daily and proactively prepare for with measures such as insurance.
Leaders at every level need to connect with their IT and security teams on a regular basis to ensure they are abreast of the latest attacks, risks, and weaknesses – taking on board their recommendations as a priority. In an ideal world, every board would have a chief information security officer with top-level access, who can maintain regular communications and updates with other board members. This would invariably make the company more able to focus the necessary time and money on keeping itself safe and well-prepared, which would eventually pay off in terms of the bottom line.
Constant vigilance is key
It’s crucial that business leaders do not underestimate the importance of these risks. As new threats continue to emerge, from phishing to data theft to ransomware, adopting the correct approach will give you the best chance to counterattack. Putting cybersecurity at the heart of the corporate agenda will ensure you have the agility and resources necessary to keep your own defences sharp and constantly evolving as attacks become more complex and sophisticated.
When it comes to proactive strategies for minimising risk, the World Economic Forum outlines six principles to enable board oversight of cyber-resilience:
- Promote cybersecurity as a strategic business enabler: nurture a culture of cybersecurity with leadership investment in good cybersecurity decision-making.
- Understand the underlying economic drivers and impacts: consider potential gains/losses relative to other business priorities and objectives, including regulatory requirements.
- Align cyber risk management with business needs: build a security profile that aligns with business needs and define risk tolerances across every facet of decision-making.
- Incorporate cybersecurity expertise into board governance: foster relationships with internal stakeholders who can provide expertise to guide strategic cybersecurity decisions.
- Encourage systemic resilience and collaboration: encourage industry collaboration and engage with public and private stakeholders to ensure overall resilience.
- Ensure organisational design supports cybersecurity objectives: define clear ownership, authority and KPIs among all internal stakeholders for critical risk management.
None of this means that leaders, who are not normally exposed to the technology coalface, must transform into IT experts overnight. Instead, we should depend on the technology specialists within the company who have the core skills required to design the best strategy. By taking a proactive stance, it soon becomes clear that, rather than being a costly and troublesome overhead, money spent on protecting against and minimising the risk of cyberattacks is a valuable and necessary investment for the future.
When it comes to the bottom line, those companies that see cybersecurity as a way to improve competitive advantage and protect business interests will be best placed to enjoy better business outcomes.
Paul Farrington, Chief Product Officer at Glasswall, is a DevSecOps dynamo. With over 20 years of experience launching secure software, he now keeps Glasswall's product development team focused on delivering (and growing) the world's most innovative CDR product portfolio. His previous roles include CTO and leadership positions at Veracode, BCSG, and Barclays.