With the recent onslaught of bad cyber news, is cyber risk worth the trouble, and how should corporate directors be looking at this issue? The recent news includes the high-profile breach of 4 million employee records at the U.S. Office of Personnel Management by alleged Chinese hackers, and the news that even the security experts are getting hacked, with Kaspersky Labs reporting a breach supposedly committed by a nation state.
President Obama also made cyber security an emphasis of his G7 talks in Germany, commenting that the U.S. government needs to be more “nimble, aggressive and well-resourced” to combat this threat. He also urged the U.S. Congress to pass the 2015 Cybersecurity Information Sharing Act, a first step in a coordinated and systemic public/private response to cyber risks.
The attacks show no signs of slowing. PwC’s 2015 Global State of Information Security Survey indicates a compound annual growth rate of 66% for cyber incidents since 2009. The 10,000 respondents to the survey reported almost 43 million detected incidents during 2014 alone—or 117,339 incoming attacks every day of the year.
Is cyber security risk worth it? Yes, but with a caveat. Without a doubt, the many innovations currently taking place with today’s information technologies open up many new vulnerabilities. Risks are now difficult to isolate, and a protect-and-defend model is not effective against the systemic risks inherent across any corporate ecosystem.
Attacks can also come from a growing list of sources, including hacktivists, foreign and domestic nation-states, customers, employees, partners, consultants, competitors, organized crime and the bored neighbor kid living in the basement and surviving on a diet of Cheetos, Red Bull and your weak IT security infrastructure. The direct and indirect costs of mounting an effective cyber security defense are only getting more expensive, and the risks are only increasing.
Despite this, these technologies also have an upside—a significant one as they are now competitive table stakes, as new business tools always are. These tools are changing market dynamics and customer preferences, and the technologies embody distinct economic advantages such as the lowering of transaction and engagement costs. Business models and competitive advantages are changing as a result of these tools.
These tools are shaping and defining business success, but the risks are holding many companies back. Which takes us to the caveat. The upside of these technologies outweighs the downside.
Cyber is worth the risk, but boards, directors and managers need to be looking to exploit the business advantages of these tools, while at the same time mounting a “nimble, aggressive and well-resourced” approach to mitigating these incessant risks.
This is easier said than done; 89% of companies listed on the Fortune 500 in 1955 are no longer on the list. Business cannibalizes the companies that can’t capitalize on the opportunities presented by changing market conditions, including new technologies.
Directors need to be diligent in overseeing cyber risk as part of a comprehensive IT governance and enterprise risk governance approach. But they also need to be on top of governing cyber opportunity—that’s the only way that they can make cyber security risk worth it.