In July the World Economic Forum (WEF) delivered a paper1 that argued for putting the muscle of investment into shifting the cybersecurity landscape. WEF/Marsh & McLennan reports2 that among weapons of mass destruction and natural disasters, cyberattacks are seventh in likelihood and eighth in impact as the greatest threats to global prosperity.

Cyberattacks have become the norm:

  • multiple communities’s infrastructure have been shut down
  • the US Navy sounded exasperated in a memo last week about leaking information “like a sieve”3
  • 10.6 million guests of MGM Grand had their names, addresses, phone numbers and dates-of-birth published to a hacking forum 4

If towns, hospitals, a resort and the military sound removed from your business’s operation, the Navy blames suppliers down the chain for its problems. In fact, most of the newsworthy losses end in fingerpointing down the supply chain. 56 percent of businesses have had a breach due to a vendor 5 ; “misuse or unauthorized sharing of confidential data by third parties was the second biggest worry of IT professionals.” 6

So follow that chain and you’ll soon enough find distant attacks hitting home. Similarly the businesses seeking investment may be your customer’s customer, which is the reason why the WEF starts with the funders: just like cyberattack blame, cybersecurity culture and responsibility trickle-down.

Getting Antsy with Money

And the climate is right to effect change among the financiers. An EY study revealed at a Private Equity International event in New York in January, showed a disconnect between the people putting up the money and the people keeping an eye on the businesses. The investors think only 40 percent of business managers have adequate cybersecurity policies and methods in place7.

Consultancy Alix Partners advises that due diligence should incorporate cybersecurity “alongside financial, legal, environmental, social, governance, and other traditional dimensions.”8 Also per Alix, not having adequate cybersecurity leads to “debts and unanticipated costs … exploited vulnerabilities will accelerate customer churn, leading to declining revenues. Theft of customer information or confidential business data, such as secrets, patents, and other intellectual property, will decrease asset value.” 9 Bain reports that “most companies overestimate their cybersecurity.” Bain’s advice is to develop “cybersecurity maturity.” 10

And Getting Cybersecure Mature

Unless you have a leader that understands which digital assets are your business’s crown jewels, and protects them accordingly, no one else will. The National League of Cities writes in its 2020 Cybersecurity Report, “a strong cybersecurity culture means sharing responsibility between all end users. City leaders need to understand that cybersecurity isn’t just an IT department challenge. It’s the responsibility of the entire organization, and the buck stops with leadership. In the private sector, there’s no question that cybersecurity is now a CEO and board-level responsibility.”11

This is the same idea espoused by venture capital firm Andreessen Horowitz principal Ben Horowitz in his book about business leaders building culture, “What You Do Is Who You Are”. In a Fortune Magazine interview Horowitz said about Haiti’s overthrow of the Napoleonic army, “in Haiti, it started with, ‘officers can’t cheat on their wives,’ a rule to create discipline and trust. [A person’s] word was everything: ‘I’d sooner relinquish my command than break my word.’”12 Business leaders set the tone intentionally or not about what’s of value in a company.

Cybersecurity Risk Assessment Principles

In the WEF report, the body espoused five principles for investors, but whose spirit can be applied to any organization: the report “focuses on security incentives for investors, but we cannot emphasize enough the need for the entire innovation ecosystem to work together on improving security and making security-by-design and security-by-default priorities for all.“

  1. Document your business’s cyber-risk tolerance. How much exposure are you willing to accept? The general rule is to focus appropriate resources defending what you define as your business’s most precious assets.
  2. Conduct cyber due-diligence. Audit your cybersecurity and see how it jibes with your cyber-risk tolerance.
  3. Clearly define your ongoing cybersecurity expectations, benchmarks and the WEF encourages investors to incentivize (as in executive pay) progress and disincentivize the lack of security
  4. Develop and follow a systematic action plan that accounts for people, technologies and processes.
  5. Regularly review the cybersecurity status of the organization and at the reviews invite collaboration regarding implementation, challenges and lessons

Cyber-risk assessment needs to be part of any organization’s risk management strategy.14 A cyber-risk assessment gives an overview of an organization’s cybersecurity posture and data by which to make cybersecurity decisions, so that you minimize exposures and vulnerabilities on the assets that matter most and maximize the return on your investment in your organization.

1 http://www3.weforum.org/docs/WEF_Incentivizing_responsible_and_secure_innovation.pdf

2 https://www.mmc.com/insights/publications/2020/Jan/the-global-risks-report-2020.html

3 Navy, Beset by Aging Tech, Pushes for Rapid Modernization Dustin Volz, Gordon Lubold, Wall Street Journal (Online); New York, N.Y, Feb 19, 2020

4 https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

5 https://www.csoonline.com/article/3191947/what-is-a-supply-chain-attack-why-you-should-be-wary-of-third-party-providers.html

6 https://static.tenable.com/marketing/research-reports/Research-Report-Ponemon-Institute-Measuring_and_Managing_the_Cyber_Risks_to_Business_Operations.pdf

7 https://www.privateequityinternational.com/ey-survey-lps-think-you-overestimate-your-cybersecurity-strength/

8 https://www.alixpartners.com/insights-impact/insights/how-cybersecurity-is-disrupting-m-a-landscape-investors-fighting-back/

9 https://emarketing.alixpartners.com/rs/emsimages/2018/Pubs/DIG/AP_Cybersecurity_Distressed_Companies_Jun_2018.pdf

10 https://www.bain.com/insights/most-companies-overestimate-their-cybersecurity-but-resilience-is-possible/

11 https://www.nlc.org/sites/default/files/2019-10/CS%20Cybersecurity%20Report%20Final.pdf

12 https://fortune.com/2019/10/25/ben-horowitz-culture-book/

13 http://www3.weforum.org/docs/WEF_Incentivizing_responsible_and_secure_innovation.pdf

14 https://www.microsoft.com/security/blog/2020/01/29/cyber-risk-assessments-the-vaccine-for-companies-in-the-fourth-industrial-revolution/

Related Posts