It’s the last thing anyone wants to hear: “Your account has been hacked.” But with almost 2 billion people around the world connected through their use of digital media devices and networks, cyberspace continues to provide rich footholds for enterprising hackers to gain access to both corporate and personal confidential information for their own gain. And we can only conclude from the increasingly frequent corporate data breaches – including such organizations as Home Depot, McDonald’s, Neiman Marcus, Target, Yahoo, and more – that no one is safe from the threats and the significant costs that result from cyberattacks.
With an estimated price tag of about $3.8 million for each security breach, companies are beginning to recognize the need to protect their corporate and consumer data holdings, whether through the introduction of better IT infrastructure or instituting safeguards that protect their investments after a breach has taken place. And, while worldwide spending on information security is expected to grow to $170 billion by 2020 (from $75 billion in 2015), cybersecurity continues to be a major issue for businesses around the globe.
According to several studies, only about half of businesses assessed in the U.S., the U.K., and Germany are prepared to deal with cyberattacks. (Of special note: larger U.S. firms were the most targeted among those companies surveyed, with 72% admitting to being attacked over the course of 2016.)
Even cyber attackers with only basic skills can cause major disruptions that undermine the privacy and security of corporations and individuals around the world. The reality is that technological solutions are only as good as the processes and people that put them into place and keep them running. Indeed, it’s important to acknowledge the role of human error in a corporation’s cyber vulnerability. JPMorgan Chase’s security breach in 2014 is one notable example: hackers penetrated the bank’s systems by exploiting a server whose security settings hadn’t been updated to dual-factor authentication, compromising 76 million household and 7 million small business accounts in the process.
Anthony Batchelor, a partner with the global executive search firm Odgers Berndtson and leader of the firm’s Canadian Technology Practice, agrees and cautions that technology can, in fact, create a false sense of security. “Some companies rely on firewalls and good IT people. But others are saying that’s not enough. A breach is a material event; it almost brought down Sony. You don’t have to look very far to find a person or a company that has been personally compromised.”
- Executive leadership and proactive governance: Instituting a board-level executive who has cybersecurity knowledge, but also the practical experience to deal with potential risk and manage organizational planning to mitigate threats.
- New processes and associated training and advocacy: Led by the CISO, developing and implementing processes that protect organizations and their employees and keep people accountable for their digital behaviour, backed up by ongoing training to keep employees aware of cybersecurity risks over time.
- Technological defenses: Investing in the right enterprise software that’s kept up to date and managed properly across an organization’s entire digital ecosystem.
Batchelor sees technology as one important part of a multi-level approach to cybersecurity vigilance that includes a cultural shift that’s driven from the board-level down through an organization’s ranks. Organizations and companies from the top down need to take ownership of the cybersecurity issue. It simply can’t be left to “the IT folks” to deal with anymore. It’s a business, not an IT issue. “I can’t say enough about good governance and leadership. It will only take one breach at a company for senior leadership to wake up and say, ‘We need to be better at this.’ Companies need to have more governance at the board level and someone at the C-suite level who will take overall ownership, accountability and responsibility for this ever-increasing business issue.”
Protecting proprietary knowledge, client information and system integrity is one of the typical responsibilities of today’s Chief Information Officers (CIO). But as the role of the CIO becomes more complex – picture a mandate that combines the usual accountabilities of a CIO with those of a Chief Technology Officer and a Chief Data Officer, along with requisite expertise in cybersecurity, Big Data/analytics, and more – it opens companies up to increased vulnerability. Recognizing this challenge, more forward-thinking organizations are embracing the role of Chief Information Security Officer (CISO) as the chief defender of their data, platforms and systems.
And, given the rate of human error in these corporate breaches, many of these CISOs are seeking out security awareness training for employees with the goal of improving organizational compliance, expanding security knowledge and changing poor security behaviours.
Says Mr. Batchelor of Odgers Berndtson: “In five years’ time, the recruitment of CISOs and Board Directors with an information security background could be the fastest growing parts of Odgers Berndtson’s business, because as companies get more in tune with cybersecurity and their vulnerability to attacks, they’re starting to invest in both a dedicated functional role and increased board governance in their company.”
Above all, cyber defenders need to be proactive in their approach to combating cybersecurity threats through training and advocacy – putting agile processes in place to keep people in the know as cybersecurity issues evolve over time. Admiral Mike Rogers, who oversees the U.S. Cyber Command, offers the following advice for executives seeking to build “high-reliability organizations” that consistently minimize risk: “[You] have to get beyond focusing on just the tech piece… It’s about ethos. It’s about culture. [It’s about] how you man, train, and equip your organization, how you structure it, the operational concepts that you apply.”
By implementing strategic leadership at the top, including introducing a board-level advocate for cybersecurity defense and an executive-level implementer to build processes and safer practices, organizations can successfully mitigate some of the risks of cyberattacks moving forward.