It Can Happen Here
Cyber threats are multiplying, and coming from all sides. And they are costly. In June, the digital security solutions supplier ESET discovered a malware known as Win32/Industroyer that was capable of carrying out an attack on power supply infrastructure. It was likely involved in the December 2016 cyber attack on Ukraine’s power grid that halted power to Kiev for over an hour. Then in September, Equifax revealed that hackers gaining access to the company’s systems had potentially seized personal data including Social Security and driver’s license numbers for 143 million Americans.
As these examples suggest, even large, sophisticated, data-centric organizations can learn—abruptly—that they have only an illusion of control over cybersecurity. To better understand how organizations worldwide are responding to threats from cyber attacks and breaches, and in particular the degree to which they are incorporating these issues into their strategic planning, Harvard Business Review Analytic Services surveyed 278 individuals in a wide range of industries, roughly evenly split between large organizations with 10,000 or more employees and those with fewer (see Methodology, page 16). Harvard Business Review Analytic Services also conducted one-on-one interviews with a group of thought leaders in the field.
Larger organizations, the survey found, are more alert to the issue: 65% regard cyber attacks and breaches as a significant or very significant threat to their reputation compared with less than half (46%) of smaller organizations. In neither group, however, are most organizations fully prepared for a cyber attack or breach. Only 14% of respondents from smaller organizations agreed that their employer is fully prepared, but even among their counterparts from larger organizations, only 39% agreed (Figure 1). The study yielded other key findings:
- Survey respondents are concerned about their ability to respond despite putting structures in place to address cybersecurity issues, and many lack the resources to make those structures work optimally.
- Cybersecurity threats pose risks not just to daily operations but to the organization’s broader strategic goals.
- However, many organizations are not approaching the issue strategically to create effective, cross-functional responses to this business risk.
- Most organizations do not understand the magnitude of the threat that cyber attacks and breaches pose and are not calculating the possible cost of such attacks.
As a result, few organizations are achieving “maturity in cybersecurity,” which includes training all levels of the organization, including employees and first-line leaders, to detect and respond to risks; establishing a strategic plan for cybersecurity; and incorporating cybersecurity into the organization’s vision and risk appetite statements.
This must change. As reliance on digital technology continues to grow, businesses will only see their vulnerability increase. One recent estimate placed the average cost of a future global attack at around $53 billion, although estimates range as high as $120 billion.[1] Under one scenario, a single malicious hack taking down a cloud service provider could deliver anywhere from $15 billion to $121 billion in losses.[2] Cybersecurity is both an operational and a strategic business risk of the highest order and a threat to the organization’s competitiveness; its customer and client relationships; its ability to function, possibly for long periods; its ability to capitalize on the opportunities the digital age would otherwise afford it; and its bottom line. And concern is rising.