Closing the Door to Cyber Attacks

That is a pretty tough question – with these kind of events, many organizations have been very reluctant to acknowledge breaches. That said, even the tip of the iceberg is very large. The average annualized cost of cyber attacks is $8.9m per organization. $120.1BN is the expected size of the global cyber security market in 2017 – an estimated CAGR of 11.3% from $63.7BN in 2011.

In reality, every industry now has many stories of major cyber attacks. Ultimately this has moved the expectation from “never here” to “could happen” to “will happen”. What was different about Sony and a few others was that cyber became an issue to threaten the most important assets of a whole firm and its very existence.

No, there is significant variation by industry. We see a number of factors driving the threat level. One key element is the level of digitization - as digitization takes hold, so the level of attacks recorded increases. Of course, this is driving growth everywhere. Equally important is the benefit to the criminal of accessing the data; for example breaches of financial services or retailer payment systems are more commonly reported than those of medical records. Additionally, one needs to consider that threat scenarios vary for different industries: While it is more classic cybercrime in the financial services industry, manufacturing is more confronted with cyber espionage – and critical infrastructure industries like energy or aviation need to protect against terrorist attacks.

Firms can no longer rely on existing corporate risk management approaches or their IT department’s capabilities; they must implement more far-reaching measures. An overarching Cyber Risk Management Strategy is the starting point, considering cyber risk appetite, high-value asset exposure and protection. Strong capabilities; policy and standards, organization and governance, procedures and technology and infrastructure are required in balance but sit beneath this. Finally, independent compliance and audit are critical to ensure the strategy is being executed.

For sure the proliferation of technologies and the sheer volume of transactions and data exchanged increases the opportunities for Cyber crime. But, they also drive enormous opportunity for businesses. For us the key is to balance the risk and reward, exactly as an enterprise would do for any other business decision. We expect to see a lot more proactive risk decision making and organizations thinking harder about how to mitigate or offset the risks.

Leaders in information security are now recognizing that effective information security is an existential issue that involves the whole company, and it needs to be established as a permanent item on the board’s agenda. Even five years ago shareholders accepted that information security was a technology issue handled by the CIO or even a direct report. Today it demands the attention of the most senior executives.