
Cybersecurity is an Organization-wide Responsibility

This article was first published by Oliver Wyman here


Although digital technologies have made society, government, and business more efficient and innovative, they have also made our personal data increasingly vulnerable to theft and attack.

The risk of cyberattack has never been higher. The Global Risks Report 2022, published by the World Economic Forum in collaboration with Marsh McLennan, ranked “cybersecurity failure” as a top-5 risk for governments and businesses across Asia-Pacific and Europe. Among business leaders, 88% consider cybersecurity a direct risk that will affect functions beyond technical IT teams.

Globally, ransomware alone is estimated to potentially cost businesses $30 billion in damages by 2023.

Cyber-attacks will only grow in scale

As more of our key infrastructure and resources become digitalized, responsibility for cybersecurity within organizations must expand. This is especially the case because demand for cybersecurity professionals has long outpaced the supply available in the market.

Figure: Total cryptocurrency value received by ransomware addresses (cryptocurrency value in millions, US$; currencies included: BCH, BTC, ETH, USDT). Source: The Global Risks Report 2022.

Cybersecurity is an organization-wide issue

No single team should — or can — be the sole line of defense in an organization, especially when 95% of cybersecurity issues can be traced to human error. Further, every employee needs to be trained, since internal actors are responsible for 43% of data loss, half of it intentional and half accidental. As we noted in a 2018 paper, it is practically impossible for companies to entirely eliminate the possibility of security breaches, especially when faced with a motivated hacker.

While technical IT teams have a crucial role in the design and development of robust and secure corporate networks, responsibility for cybersecurity must expand to include senior executives across the entire organization, particularly when it comes to responding to and remediating breaches.

That means embedding security protocols into every function — from procurement to finance to sales — to ensure there is a company-wide “playbook” for responding to breaches.


CASE STUDY

Mind of a hacker

A large consumer-facing corporation noted an increase in attempted and realized fraud. It undertook a typical security review and cyber assessment, which helped direct investments to improve security compliance in a number of areas. Soon after, the Chief Compliance Officer and the CISO jointly decided to take a more creative, in-depth approach to cyber risk assessment.

The method involved two primary strategies. The first was to engage a tight team of ethical hackers with strong technical expertise and experience across many varied social-engineering ruses. They relayed which types of data, across multiple scenarios, would be attractive to a bad actor depending on the actor’s motivations. This revealed a notable difference between what the enterprise considered valuable and what hackers would pursue.

The second strategy involved a number of working sessions with small groups of long-tenured employees. Each group was asked a simple question: “Based on your experience and a little cunning, what are the ways you could get interesting or sensitive documents, data, or information across the enterprise?”

The results were often astounding, revealing, for example, access rights that had accumulated and broadened over time; informal, unlocked databases (e.g., complaints cases); unfettered access to executive calendars; annual report drafts in widely accessible folders; team or divisional contact/address spreadsheets; shared or common printer queue access codes; and more. As a result of the findings, an overhaul of policies, procedures, controls, and surveillance was implemented. While fraudulent activity has not been fully eliminated, both the frequency and the financial significance of fraud have been significantly diminished.


A financial and legal quagmire

The recent attacks on Australian telcos have also proven instructive in terms of the scale of the reputational and financial consequences potentially facing businesses.

The most obvious financial costs are directly associated with the ransoms demanded by hackers. In 2021, the average ransom rose to US$2.2 million, more than double the amount registered in 2020. Add to that the costs of post-breach compensation and remediation work, which could be extensive depending on the damage. The telco, for instance, could potentially be held responsible for the replacement of thousands of passports, which, at an estimated US$121 apiece, could become very expensive.

That’s in addition to fines that regulators could levy.

As recent cyber breaches have demonstrated, companies are under more pressure than ever before to mount a robust response to cyber events. These attacks will not abate — in fact, there is little doubt that more frequent and severe data breaches are on the horizon, and the stakes have never been higher. Companies need to proactively mitigate their cyber risks and leverage a whole-organization approach in order to minimize the impact of attacks.