Cyber Attacks Can Wreak Havoc on the Business in Multiple Ways

Brian Cohen | June 18, 2019

The past few years have shown us that the cybersecurity landscape has only gotten more complex, as massive attack after massive attack (the WannaCry and NotPetya ransomware outbreaks, the data breach at Uber Technologies in 2016, the leaks from the Shadow Brokers group, and many more) jolted enterprises around the world.

With cyber risk and the impact of breaches at an all-time high, the board and the C-suite must make data security one of their top priorities in 2019—once and for all dropping the notion that defending the enterprise is mainly the responsibility of the IT department and truly looking at security from a business rather than purely a technology perspective.

Why? The consequences of a successful attack can permeate an entire organization in multiple ways, often resulting in more damage than the company expects or is prepared for. 

There’s the hit to the bottom line and shareholder value, for starters. For example, after one of the most infamous recent ransomware attacks, NotPetya, shipping company Maersk reported a quarterly loss of about $200 million to $300 million, while FedEx Corp. blamed the outbreak for a $300 million loss in its TNT Express subsidiary.

Severe cyber incidents also tend to be poison for companies’ stock prices, causing a permanent average decline of 1.8 percent, according to security consultant CGI and Oxford Economics. In some cases, attacks have stripped as much as 15 percent from companies’ valuations, the report said. A study by Ponemon Institute found that companies can expect a 5 percent stock price drop the day a breach is announced.

Many companies rely on insurance to cover at least part of their losses from business disruption and related costs, such as customer breach notification, regulatory compliance, lawyer fees, and public relations. But it’s naïve to think the repercussions of a cyber assault are restricted to lost earnings and increased expenses. The long-term harm to a company can be formidable, multifaceted, and take years to recover from.

According to Cisco’s Annual Cybersecurity Report, more than 20 percent of businesses struck by data breaches the previous year experienced not only revenue declines, but substantial loss of customers and business opportunities. 

A Deloitte study pointed out that the costs of a breach fall into two categories: “above the surface” issues, such as customer notification, regulatory compliance, and cybersecurity improvements, and “below the surface” charges that can linger for years. These include insurance premium increases, increased cost to raise debt, operational disruption, long-term damage to brand reputation, and loss of competitive edge. 

Insurance company Lloyd’s warns that because of these “slow burn” costs, companies could face a bigger toll from a cyber attack than they ever see coming.

All of this is overwhelming evidence that company leaders need to be thinking about the wide range of devastation that a major data breach can leave behind, and act accordingly. 

Here are five immediate steps that corporate directors and other company leaders should take:

1. Incorporate cybersecurity threats into the company’s overall enterprise risk management strategy and process. 

Rather than treating it as mainly an IT problem, overseen by the chief information officer (CIO) and the chief information security officer (CISO), this path ensures that cyber risk is placed on the same level as any other risks to the company and receives cross-C-suite attention.

2. Invest in your cybersecurity program.

Do not cut corners on technology and expertise to save money, only to lose much more after a breach. The ability to apply the right resources is another reason that the business case for mitigating cyber risk must be made as strongly as possible inside organizations.

Ultimately, process improvement remains separate from technology solutions. It’s critical for organizations to not only invest in their cybersecurity program, but also know their weaknesses and make sure they have the right solutions in place to close that gap. It’s also important to focus on improving and maintaining processes and controls, not simply buying more and more new technologies and expecting them to solve the structural issues within an organization.  

3. Understand that cybersecurity is now a top issue for fellow directors.

Rather than responding to this increased concern with a rote agenda item at board meetings, handled with jargon-filled PowerPoint presentations, seize on it as an opportunity to fuel a discussion about the company’s security posture, where gaps exist, how risk is being mitigated, and how to measure and establish benchmarks on the number, nature, and extent of vulnerabilities.

4. Cybersecurity is everyone’s responsibility. 

Stop thinking of it as the CIO’s and the CISO’s domain and start viewing it as a priority for all company leaders. For example, CFOs haven’t traditionally been thought of as a core member of security teams, but who better understands the business, the financials, critical investments, and the impact of risk? Cybersecurity requires a partnership across the C-suite and that should include the CFO and any other nontraditional voices that can have a positive influence.

5. Make better employee training a mandate from the top.  

Since many breaches begin as phishing attacks that tricked victims into clicking on an infected link or document in an email, companies should institute more regular and comprehensive employee training. To amplify the seriousness, better education and training should come across as a major priority from on high.

This year and beyond, it will be crucial for companies to place cybersecurity front and center as a business issue, not just a technology issue, and to reflect that thinking in everything they do.

This post was originally published on the NACD BoardTalk blog.
