With an onslaught of bad cyber news this week, is cyber even worth the risk, and how should corporate Directors be looking at this issue? This week saw the high-profile breach of 4 million employee records at the U.S. Office of Personnel Management by alleged Chinese hackers and the news that even the security experts are getting hacked, with Kaspersky Labs reporting a breach supposedly committed by a nation state.
American President Barack Obama also made cyber security an emphasis of his G7 talks in Germany this week, commenting that the US government needs to be more "nimble, aggressive and well-resourced" to combat this ongoing threat. He also urged the U.S. Congress to pass the 2015 Cybersecurity Information Sharing Act, a first step in a coordinated and systemic public/private response to cyber risks.
And the attacks show no signs of slowing down. PwC's 2015 Global State of Information Security Survey indicates a compound annual growth rate of 66% for cyber incidents since 2009. The 10,000 respondents to their survey reported almost 43m detected incidents during 2014 alone—or 117,339 incoming attacks, every day of the year.
Is cyber worth the risk? Yes, but with a caveat. Without a doubt, the many innovations currently taking place with today's information technologies open up many new vulnerabilities. Risks are now difficult to isolate, and a protect-and-defend model is not effective against the systemic risks inherent across any corporate ecosystem.
Attacks can also come from a growing list of sources including hacktivists, foreign and domestic nation states, customers, employees, partners, consultants, competitors, organized crime and the bored neighbor's kid living in the basement and surviving on a diet of Cheetos, Red Bull and your weak IT security infrastructure. The direct and indirect costs of mounting an effective cyber security defense are only getting more expensive, and the risks are only increasing.
Despite this, these technologies also have an upside—a significant one, as they are now competitive table stakes, as new business tools always are. These tools are changing market dynamics and customer preferences, and the technologies embody distinct economic advantages such as the lowering of transaction and engagement costs. Business models and competitive advantages are changing as a result of these tools.
These tools are shaping and defining business success, but the risks are holding many companies back. Which takes us to the caveat. The upside of these technologies outweighs the downside.
Cyber is worth the risk, but Boards, Directors and Managers need to be actively looking to exploit the business advantages of these tools, while at the same time mounting a "nimble, aggressive and well-resourced" approach to mitigating these incessant risks.
This is easier said than done; 89% of companies listed on the Fortune 500 in 1955 are no longer on the list. Business cannibalizes the companies that can't capitalize on the opportunities presented by changing market conditions, including new technologies.
Directors need to be diligent in overseeing cyber risk as part of a comprehensive IT governance and enterprise risk management approach. But they also need to be on top of governing cyber opportunity—that's the only way that they can make cyber security risk worth it.