With cyber risk and the impact of breaches at an all-time high, the C-suite must make data security one of its top priorities in 2018 – once and for all dropping the obsolete notion that defending the enterprise is mainly the responsibility of IT and truly looking at security from a business rather than a technology view.
Why? Because like the spreading roots in the Upside Down on "Stranger Things," the consequences of a successful attack can permeate an entire organization in multiple ways, often resulting in more damage than the company expects or is prepared for.
There's the hit to the bottom line and shareholder value, of course. In August, for example, shipping company Maersk reported a quarterly loss of about $200 million-$300 million due to the NotPetya ransomware attack while FedEx blamed the outbreak for a $300 million loss in its TNT Express subsidiary.
Severe cyber incidents also tend to be poison for companies' stock prices, causing an average decline of 1.8 percent, permanently, according to a report by security consultant CGI and Oxford Economics. In some cases, attacks have stripped as much as 15 percent from companies' valuations, the report said. A study by Ponemon Institute found that companies can expect a 5 percent stock price drop the day a breach is announced.
Many companies rely on insurance to cover at least part of their losses from business disruption and related costs such as customer breach notification, regulatory compliance, lawyer fees and public relations. But it's naïve to think the repercussions from a cyber assault are restricted to lost earnings and increased expenses. The long-term harm to a company can be formidable, multi-faceted and take years to recover from.
According to Cisco's 2017 Annual Cybersecurity Report, more than 20 percent of businesses struck by data breaches the previous year experienced not only revenue declines but also substantial losses of customers and business opportunities.
A Deloitte study pointed out that the costs of a breach fall into two categories: "above the surface," such as customer notification, regulatory compliance and cybersecurity improvements, and "below the surface" charges that can linger for years. These include insurance premium increases, increased cost to raise debt, operational disruption, long-term damage to brand reputation and loss of competitive edge.
Insurance company Lloyd's warns that because of these "slow burn" costs, companies could face a bigger toll from a cyber attack than they ever saw coming.
Target, the victim of a notorious attack during the 2013 holiday season that affected more than 41 million of the company's customer payment card accounts and contact information for more than 60 million customers, is a vivid example of how the costs can pile up.
The retailer's net earnings plummeted 46 percent, or $441 million, during the quarter the breach was disclosed. The company has since tagged the additional total cost of the data theft at $202 million. And in May, Target said it will pay $18.5 million as part of a multistate settlement, the largest ever for a data breach. The attack and its handling inside the company also led to the resignation of CEO Gregg Steinhafel after 35 years with the company.
All of this is overwhelming evidence that company leaders need to think about the wide range of devastation that a major data breach can leave behind, and act accordingly.
An EY study showed that 62 percent of companies have not aligned their cybersecurity strategy to their business strategy or their risk appetite. That's a shocking number, and it ignores the crisis-level threat that cyber intrusions have become and the C-suite's obligation to consider better security a top business priority.
Here are five immediate steps that the CEO and other company leaders can take:
1. Incorporate cybersecurity threats into the company's overall enterprise risk management strategy and process. Rather than treating it as mainly an IT problem, overseen by the chief information officer and the chief information security officer, this path ensures that cyber risk is placed on the same level as any other risks to the company and receives cross-C-suite attention.
2. Avoid a penny-wise and pound-foolish approach to cybersecurity investment – i.e., cutting corners on technology and expertise to save money, only to lose much more after a breach. The ability to apply the right resources is another reason that the business case for mitigating cyber risk must be made as strongly as possible inside organizations.
3. Understand that cybersecurity is now a top issue for the board. Rather than responding to this increased concern with a rote agenda item at board meetings, handled with jargon-filled PowerPoint presentations, seize on it as an opportunity to fuel a discussion about the company's security posture, where gaps exist, how risk is being mitigated, and how to measure and establish benchmarks on the number, nature and extent of vulnerabilities.
4. Cybersecurity is everyone's responsibility. Stop thinking of it as the CIO's and the CISO's domain and start viewing it as Job #1 for all company leaders. For example, CFOs haven't traditionally been thought of as core members of security teams, but who better understands the business, the financials, critical investments and the impact of risk? Cybersecurity requires a partnership across the C-suite, and that should include the CFO and any other non-traditional voices that can have a positive influence.
5. Make better employee training a mandate from the top. Since many breaches begin as phishing attacks that trick victims into clicking on an infected link or document in an email, companies should institute more regular and comprehensive employee training. To amplify the seriousness, better education and training should come across as a major priority from on high.
In 2018, it will be crucial for companies to place cybersecurity front and center as a business issue, not just a technology issue, and reflect that thinking in everything they do.
Brian Cohen is CFO of BitSight, which provides companies with security ratings.