Article published on Harvard Business Review France.
Take up the challenge of cyber risk and protect your business.
In early 2019, the World Economic Forum recognized cybercrime as one of the biggest risks facing our world today, alongside things like natural disasters and climate change. It makes sense why they’re taking this threat so seriously: since 2018, companies of all sizes have suffered hacking, digital theft and data breaches. In both the United States and France, eight out of ten companies have been affected by a cyber attack. While it is essential for a company of any size to use innovative technologies such as artificial intelligence, the Internet of Things and robotics, as they offer the potential to generate huge benefits, integrating them into critical business processes and infrastructure also increases exposure to cyber attacks.
Every time this happens, companies suffer financially, whether through direct loss caused by the theft, business interruption while the issue is resolved, damage to reputation, penalties paid to customers, or legal consequences under the new GDPR regulation. And these repercussions aren’t short-lived: the credit union Equifax, for instance, has lost $4 billion since the attack on its customer data in September 2017. Cybercrime-related damages are expected to reach $6 trillion annually by 2021.
And yet, too many businesses aren’t doing nearly enough to protect themselves. It’s not because they don’t know it’s a threat; it’s because protecting against cybercrime is hard. Cyber threats evolve faster than any defensive barrier, capitalizing on emerging technologies to gain access. Any number of people are interested in getting into your systems, from terrorists to hacktivists, competitors to governments, and there is often little or no evidence of hackers intruding into networks and devices. The scale of malicious activity is enough to make even the most proactive business leader feel discouraged and frightened. However, criminal attacks do not happen by chance. They are shaped by a company’s own actions, which means that the probability of suffering an attack is determined by the way a company protects itself and by the choices it makes on a daily basis. Companies do not have to make the hackers’ job easy. Here are a few ideas for starting to face the challenge of cyber risk and getting serious about protecting your business in 2019.
Build Cyber Protection Into the Core of Your Strategy
Due to its potential impact on the business, cyber risk can no longer be treated as a purely technical risk handled by the IT department alone. Instead, you should start approaching it as a major strategic risk managed by your top management. So take this threat straight to the top. Your company’s leadership should absolutely bear the responsibility of protecting your assets, which in today’s world means dealing with cybercrime.
If managed proactively and intelligently, cybersecurity ceases to be a constraint and instead becomes a tool for enhancing competitive advantage. By addressing cyber risk in your strategy, you strengthen the confidence of investors, partners, employees and customers who care about their safety (for reference, 92% of Internet users are concerned about the security of their data and the protection of their privacy). Whether the motivation is to comply with regulation like GDPR or NIS, or to respond to financial or societal pressures, companies of all sizes have no choice but to protect the data they hold and set up effective cybersecurity operations.
1 - Understand Where You Most Need Protecting
Not all businesses are vulnerable in the same way; it is up to every company to know its weak points in order to protect itself effectively. Business leaders must therefore first understand how their most vital assets are connected: everything from information systems and networks, to strategic data (such as IP, M&A plans, partner contracts, suppliers and business plans), to personal data that could cause harm if accessed or stolen.
Once you’ve listed all your assets, map out the possible risks by classifying them along two axes: the probability of that asset being hacked and the level of impact if it is. This should help you home in on where to focus your protection efforts first.
Then, you’ll need to identify the types of threats your company faces as well as the motivations of potential perpetrators. The most common attack methods are phishing, ransomware, malware and exploiting security flaws in the cloud. Common motivations for hacking are greed, notoriety, ideology and espionage. Identifying who poses the largest threats to your company can help you build a smarter plan for protecting yourself.
2 - Create a Culture of Protection
Now that you know what you need to protect, it’s time to integrate it into everything you do as a company.
First, there’s the basic layer of “cyber hygiene”: fairly simple steps that, when integrated into operations, greatly reduce the likelihood and scope of attacks.
- Systematically implement data backups and regularly test the backup strategy.
- Only give users access to the rights they need.
- Compartmentalize resources to limit the spread of a threat.
- Encrypt data to ensure confidentiality.
- Reinforce authentication by using several criteria and not just a password.
- Regularly apply system, network, and application updates to prevent hackers from exploiting known vulnerabilities.
- Deploy security software (antivirus and firewall), as well as threat detection and response solutions, on devices.
- Test your security systems and those of your partners—you might even want to hire some ethical hackers or threat hunters to stress test your systems.
However, beyond the low-hanging fruit of basic hygiene, you need to make sure protection is built into your very company culture, starting with your people. Because ignorance of risk is still regularly exploited by criminals, every employee, regardless of their position, must be fully aware that they play a key role not only in the growth of their organization but also in its protection against external and internal threats. This means training your employees on simple yet effective protective practices for their professional and private lives, but it also means ensuring you have a culture that is clearly open to feedback and information about incidents, anomalies, mistakes or worries. The entire internal culture of the company plays a major role in securing operations; don’t let a single cog threaten the whole machine.
An extended version of this post has been published in the Harvard Business Review France.