
in collaboration with Andy Ng, EY EMEIA Cyber Partner

Don't play Russian roulette with your security


Published 27 October 2022 in Magazine • 10 min read

Every part of your business is at risk, not just the IT system, and new regulations are opening the way to litigation and fines for those who do not put their house in order.

What we know about cyber-risk from public sources is just the tip of the iceberg. Nevertheless, the known dangers are sufficiently grave to have seized the attention of senior corporate executives worldwide. There is a huge amount at stake for businesses, both financially and reputationally. Estimates vary widely, but almost all put the current annual cost of cybercrime to business globally at over $1 trillion. The most commonly cited analysis predicts that, by 2025, that number will reach $10.5tn.

Several dangers have an understandably high profile in the media and boardrooms. Ransomware currently tops almost every list, given the very substantial payoffs that hackers can demand. In 2021, CNA Financial, a Chicago-based insurance company, handed over $40 million.

On top of any ransom come the potentially higher costs of the business downtime that usually follows an attack, which typically lasts around three weeks. And cyber-risk is growing exponentially. In EY’s 2021 Global Information Security Survey, 77% of respondents reported an increase in disruptive attacks such as ransomware over the preceding year – a rise from 59% in the 2020 survey.

Being caught in the crossfire of geo-political conflict, such as the Russia-Ukraine war, is another current worry. This is prudent: worldwide collateral damage from the 2017 NotPetya virus, likely created as a Russian attack on Ukraine, totalled billions of dollars. Meanwhile, companies have had to react to a tsunami of data-privacy regulation. A Gartner study predicts that, by next year, 65% of the world’s population will have its personal data covered by modern data privacy regulations, such as the EU’s GDPR. In 2020, that figure was just 10%.

Missing the wood for the trees

However, while boards understand that these and other individual cyber-risks exist, they frequently fail to see the bigger picture. Too many executives conceptualize the dangers as a series of sizable technology challenges. Boards, in contrast, tend to gloss over technology problems or treat them as a responsibility that lies elsewhere within the company. As a result, rather than developing a holistic, business-wide strategy to tackle cyber-risk, the response can seem like a high-stakes game of “whack-a-mole”, with technological fixes cobbled together to address each threat as it pops up.

This kind of approach constitutes a failure to appreciate the sheer breadth of cyber-risk; the dangers affect not only IT systems but every aspect of business. Executives must understand that far more than data is at stake. Physical and cyber-spaces are now inextricably intertwined. A hack of a hotel chain, for example, could just as easily compromise key cards to provide access to rooms as it could record keystrokes that result in a leak of confidential data. The risks here go far beyond compliance. In such an environment, the already substantial reputational costs of a data breach will only multiply.

There are some key aspects of cyber-risk that may still be under-appreciated but are crucial to helping boards and executives assess how best to prepare an organization’s defenses in the face of proliferating threats.


Threats from outside and inside

One is that a hack isn’t necessarily the work of an outsider. Corporate insiders pose a significant cyber threat, accounting for 28% of breaches, according to respondents to the 2021 EY Global Information Security Survey. The survey also indicates that this number is growing. If history is anything to go by, the current economic turmoil could drive even more employees to perpetrate such desperate acts.

Trusted partners and clients may also pose substantial threats. We know of one British plastics molding company that went out of business after an overseas customer used its privileged access to another firm’s IT systems to steal intellectual property. Armed with this information, the customer went on to become a cut-rate competitor. It is extremely unlikely that this story is unique.


An insider might also be a vector through which other bad actors can take advantage, including through their personal IT tools or via social engineering tactics. Criminals no longer limit themselves to a business’s in-house hardware, and have grown increasingly sophisticated in detecting, understanding, and attacking weak points in a business’s technological ecosystem.

As a result, vendors and other third parties throughout the supply chain also offer a way in. Rather than attacking a target company directly, hackers research the target company’s supplier network. They then look for the weakest link, which allows them to break into the rest of the chain. Moreover, an increasingly popular approach is to slip malicious code into software suppliers’ products, potentially providing access to hundreds of supply-chain networks.

Once embedded within corporate systems, criminals have also begun to show an unnerving degree of patience. In 2018, a leader in the hospitality industry suffered a major data breach, which involved confidential details of 500 million guests. This occurred following an acquisition of a company that had already been infiltrated prior to the deal, affording the hackers easy access to the combined entity. We also know of cases where, during merger negotiations, hackers have broken into the smaller company’s less-well-protected systems, so that, following the merger, the hacker ends up with access to the IT system of the combined firm.

An interconnected risk to the whole company

As the above makes clear, cyber-risk can affect the whole ecosystem — including human resources, sales, and purchasing — and even mergers and acquisitions. As business units and departments become more closely connected and silos break down, cyber-risk will be a threat to the whole business.

Digital transformation brings with it a range of opportunities. However, everything that is digital – including the vast array of sensors and artificial intelligence (AI) tools that companies now deploy – is a potential target. Nor are hackers showing a lack of ingenuity or ambition. In 2017, Darktrace, a cybersecurity consultancy, reported that criminals had infiltrated a US casino’s entire system via a weakness they had detected in an automated fish-tank thermometer, ultimately securing 10GB of data.

Unfortunately, an organization’s wider digitalization efforts rarely accord cybersecurity the attention it merits. In fact, while the pandemic drove increased digitalization, 81% of executives admitted that it also forced their organization to bypass certain cybersecurity processes or controls.

Regulatory and investor scrutiny are coming

All this is to underline that companies must recognize that cyber-risk has become a strategic threat, rather than simply an operational one. Those that fail to accept this reality may soon have it forced upon them in any number of ways, with a harshness from which they will find it difficult to recover.

Just as regulation put environmental, social and governance (ESG) issues on boardroom agendas, so it will do for cybersecurity. “Soft” law is already growing, such as the IEC 62443 standards that cover cybersecurity requirements in automation and control equipment. As noted above, data-privacy regulations will soon become the norm for most of the world’s population. In the summer of 2022, the New York Department of Financial Services – which covers much of the US financial sector – proposed a series of additional cybersecurity requirements in its regulations. These include a mandatory 24-hour formal notification of cyber-ransom payments; an explanation, to be submitted within 30 days of such a payment, indicating why it was necessary; an annual independent cybersecurity audit; and heightened requirements around cybersecurity expertise on boards. Looking ahead, as new cyber-threats appear, new regulation will follow, with the potential for an increase in the volume of related litigation and fines.


Nor are regulators the only external stakeholders showing increased interest. The UK government’s Cyber Essentials scheme is just one example of a purchaser requiring a certain level of security from its suppliers. Insurers will almost certainly become increasingly reluctant to underwrite those businesses unable to demonstrate a basic degree of cybersecurity.

Finally, although historically cybersecurity has not been an area on which companies have commented publicly, except when legally required to do so following a breach, now, investors are demanding transparency. Companies are increasingly expected to include this information in their non-financial reporting.

If the past is anything to go by, market capitalization will be at stake. The valuation implications of security breaches and, more generally, of cybersecurity are well documented. Announcement of such a breach, for example, is associated with a statistically significant drop in the value of stock, a phenomenon which has an outsized effect on financial services companies. On the positive side, excellence in cybersecurity can provide a competitive advantage and raise the market value of the company as a whole. Academic studies show a strong link between cybersecurity awareness and higher stock prices.

Managing cyber-risk

Progress has been made in managing cyber-risk using a business-wide lens, but this remains far from universal. In 2021, for example, only 44% of companies had at least one identified person reporting to the board on cybersecurity. And just a third of companies (34%) provide management reports to the board on cybersecurity issues at least once a year. That said, while only a minority of businesses have taken these basic steps, the proportion is still much higher than in 2018, when the equivalent figures were just 26% and 18%, respectively.

As businesses begin to put in place structures to address cyber-risk, they will inevitably need to adapt them to their own corporate attributes and threat environment. Nevertheless, all businesses should consider a common set of points in their management of these issues.

To begin with, cybersecurity needs to be multi-tiered, with each level taking a holistic, company-wide approach. The first tier consists of senior professionals, not only from IT but from across the business. Such breadth of effort is essential. Until the whole company embraces the challenge collectively, effective, company-wide security cannot be achieved. Ideally, this should be coordinated through a multi-functional committee. More important is that every department actively supports cybersecurity in some way, aligning its activities with business needs. Here are a few examples:

  • IT experts should provide technical knowledge where needed.
  • Procurement should actively manage supply chain cyber-risk, including preparing an appropriate response in the event that a supplier succumbs to a cyberattack.
  • Legal and compliance experts should strive to ensure that the company fulfills all relevant regulatory responsibilities.
  • Finance executives should assess, in the context of sector, company profile, and so forth, the level of investment in cybersecurity required to support the business strategy.
  • Corporate communications should inform outside stakeholders of the company’s security aims and develop plans for how to deal with the media in the event of a breach.
  • Perhaps most important of all: talent professionals should provide relevant companywide training and help inculcate a culture of cyber-risk awareness.

Getting cyber-skills and training right

In order to support this multi-tier cybersecurity strategy, companies need to begin with education and training. Modifying employee behavior is as critical to addressing cyber-risk as questions of governance or technology.

While better cyber-training is necessary across the company, two concerns are particularly pressing. A skills shortage in candidates for the position of CISO, or whoever has responsibility for managing cyber-risk, is one. Too often, the CISO has reached that position by dint of their effectiveness in managing other areas of IT and is still in need of specific training.


Boards may also lack the requisite skills. Although the proportion of online board biographies that mention cybersecurity experience is growing, most would still fail a cybersecurity exam. Nor are board members likely to be up to date with current cyber-risks. In EY’s Global Information Security Survey, for example, 86% of directors said that their board had not participated in a breach or ransomware simulation exercise in the last year. If audit committees, and indeed risk committees, are to do their jobs properly, they will need to understand cyber-risk thoroughly.

A shared perception of best practice and the nature of success

In addition to better training, companies require a shared, high-level understanding of what cybersecurity best practice looks like. Culture, training, governance, processes, as well as relevant software and hardware, must all be in place to prevent attacks. The creation and tracking of relevant key performance indicators are as necessary here as elsewhere in management.

Equally important is recognition that every business will, sooner or later, be the target of a cyberattack. Rather than harboring unreasonable expectations of impenetrable security, companies should take a practical approach, developing and regularly testing measures using simulations and cyber incident response plans. This ensures that everyone, from the board through customer-facing roles and communication to IT, is prepared to respond when an attack comes.

Cybersecurity arrangements that cover all these bases will minimize the impact of cyber-risks and, more importantly, provide the knowledge and understanding of the business implications of cyber-risk that are required of today’s executives.

Mitchell Scherr

CEO of Assured Cyber Protection

Mitchell Scherr is the CEO of Assured Cyber Protection, a cyber technology company. He is a regular keynote speaker, media commentator and expert on digital technologies


Salvatore Cantale

Professor of Finance at IMD

Salvatore Cantale is Professor of Finance at IMD. His major research and consulting interests are in value creation, valuation, and the way in which corporations structure liabilities and choose financing options. Additionally, he is interested in the relation between finance and leadership, and in the leadership role of the finance function. He directs the Finance for Boards program and co-directs Driving Sustainability from the Boardroom.


Jeanne Boillet

Global Account Committee – Assurance Lead partner at EY

Jeanne Boillet is Global Account Committee – Assurance Lead partner at EY. She leads the Vanguard initiative, an acceleration platform to prepare for the audit of the future.
