In 2017 the NotPetya malware spread through the update mechanism of a Ukrainian tax preparation program, disrupting the operations of more than 80 global companies across several industries and causing global economic damage estimated at more than 10 billion dollars. It is one example of a large cyberattack with major consequences for every stakeholder involved. Alongside such well-known incidents, the number of smaller daily attacks keeps growing, and the types, methods and attack surfaces keep changing.
Governments, regulators and auditors are paying increasing attention to cyberattacks and the risks that come with them. They examine security practices and draw up guidelines and policies for companies. This brings its own risk: companies may address only the stated requirements in order to be compliant. Compliance alone does not guarantee protection. Cyberattacks are unavoidable, so companies should be as well prepared as possible, with a properly worked-out strategy.
Most companies do not yet understand the strategic importance of cybersecurity. Cybersecurity covers the protection of all systems a company uses to process or store data and information. It matters because companies now work with enormous amounts of (sensitive) data that must be protected against attacks, damage and unauthorized access. Nevertheless, cybersecurity is often seen as a burden, an operational issue and a cost. Four aspects explain this:
First, in most companies cybersecurity is delegated entirely to IT, which is treated as an internal service provider rather than a source of strategic advantage. Second, most companies view cyberattacks as random and unpredictable. Yet every company faces a real chance of being attacked, which makes attacks predictable in aggregate and turns them into a way to uncover weak spots in a company's strategy. Third, companies that have been victims of cyberattacks tend to keep this as private as possible, so companies cannot learn from each other's mistakes, solutions and best ways to respond. Last, most board members and supervisors focus on their own fields of expertise when setting strategic priorities, and those fields rarely include cyberattack-related concepts.
A cybersecurity strategy is a structure of multiple components developed to meet the challenges of setting up, maintaining and refining the cybersecurity system within a company. It should be seen as an opportunity (rather than a cost) and treated at a strategic (rather than operational) level. Previous victims of cyberattacks were exposed not only through weaknesses in their cybersecurity but also through weaknesses in unrelated parts of the business. A strategy set at this level therefore leads to better integration of, and cooperation between, business and IT.
As mentioned before, cyberattacks are unavoidable, so companies should start strategic planning before they occur rather than after. By proactively addressing the following four elements, companies can identify strategic opportunities and open the discussions needed to form suitable strategic approaches:
1. Companies must protect their business against cyberattacks, yet most cybersecurity spending is focused on the IT infrastructure. A more strategic approach shifts this towards layered protection built on a deeper knowledge of key business processes, in order to reduce the company's vulnerability.
2. Executives should broaden their awareness of cyberattacks in order to develop a more suitable cybersecurity strategy. To do so, they should seek external connections and information from experts at organizations specialised in this field.
3. Companies should manage the potential consequences of an attack by openly communicating and sharing information with their stakeholders. This can lead to positive customer feedback and to stakeholders offering help with cybersecurity practices. Openly discussing risks and potential attacks reassures stakeholders and informs them about the company's cybersecurity strategy and actions.
4. Once a company is hit by a cyberattack, it should follow a plan that includes a recovery approach and a strong response. The response should focus first on recovery, and leadership should give high-level support to the technology teams during this process.
In conclusion, cybersecurity is not only an IT issue. It needs everyone in the network to be attentive, oversight by the board, support from leaders, and risk minimization combined with a suitable response plan set up at organization level. To stay ahead of newly emerging cyberattack-related risks, getting and staying involved in information-sharing opportunities is critical.
Considering the enormous consequences and negative impact of such cyberattacks, the several well-documented examples of their devastating power, and the fact that cybersecurity is no longer a new concept, I personally find it remarkable that many companies are still not focused on developing a proper cybersecurity strategy.
I am curious about your opinions and ideas on why many companies still lack a clear focus on cybersecurity strategy, so please let me know!
References:
- https://digitalguardian.com/blog/what-cyber-security
- https://sloanreview.mit.edu/article/cybersecurity-for-a-remote-workforce/
- https://search-proquest-com.eur.idm.oclc.org/docview/1788740238
- https://sloanreview.mit.edu/article/make-cybersecurity-a-strategic-asset/?use_credit=976a4a7a6d095c7d3c035eb726ba0f04
- https://www-degruyter-com.eur.idm.oclc.org/view/journals/cri/14/5/article-p136.xml?rskey=GoCJBf&result=3
- https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/top-cybersecurity-concerns-hr-2019.aspx
- https://search-proquest-com.eur.idm.oclc.org/docview/2126525526
Hi Kiki, very interesting post regarding cybersecurity and how it should be a strategic asset.
You have addressed four different elements, but I think a fifth should be added. In the third point you mention that the consequences of an attack should be openly shared with stakeholders, but I think this should be taken even further: collaborations should take place.
Nowadays hackers often target their "main goal" by gaining access through other parties/systems. As companies operate in a dynamic environment, they are constantly sharing and gathering data with other parties such as suppliers and consumers. In order to improve cybersecurity, companies should proactively reach out to third parties so they can address these issues together, reducing the risk of being compromised.
Floris