What we know about cyber-risk from public sources is just the tip of the iceberg. Nevertheless, the known dangers are sufficiently grave to have seized the attention of senior corporate executives worldwide. There is a huge amount at stake for businesses, both financially and reputationally. Estimates vary widely, but almost all put the current annual cost of cybercrime to business globally at over $1 trillion. The most commonly cited analysis predicts that, by 2025, that number will reach $10.5tn.
Several dangers have an understandably high profile in the media and boardrooms. Ransomware currently tops almost every list, given the substantial payoffs that hackers can demand. In 2021, CNA Financial, a Chicago-based insurance company, handed over $40 million.
On top of any ransom come the potentially higher costs of the business downtime that usually follows an attack, which typically lasts around three weeks. And cyber-risk is growing exponentially. In EY’s 2021 Global Information Security Survey, 77% of respondents reported an increase in disruptive attacks such as ransomware over the preceding year – a rise from 59% in the 2020 survey.
Being caught in the crossfire of geo-political conflict, such as the Russia-Ukraine war, is another current worry. This is prudent: worldwide collateral damage from the 2017 NotPetya virus, likely created as a Russian attack on Ukraine, totalled billions of dollars. Meanwhile, companies have had to react to a tsunami of data-privacy regulation. A Gartner study predicts that, by next year, 65% of the world’s population will have its personal data covered by modern data privacy regulations, such as the EU’s GDPR. In 2020, that figure was just 10%.
Missing the wood for the trees
However, while boards understand that these and other individual cyber-risks exist, they frequently fail to see the bigger picture. Too many executives conceptualize the dangers as a series of sizable technology challenges. Boards, in contrast, tend to gloss over technology problems or treat them as a responsibility that lies elsewhere within the company. As a result, rather than developing a holistic, business-wide strategy to tackle cyber-risk, the response can seem like a high-stakes game of “whack-a-mole”, with technological fixes cobbled together to address each threat as it pops up.
This kind of approach constitutes a failure to appreciate the sheer breadth of cyber-risk; the dangers affect not only IT systems but every aspect of the business. Executives must understand that far more than data is at stake. Physical and cyber spaces are now inextricably intertwined. A hack of a hotel chain, for example, could just as easily compromise key cards that provide access to rooms as it could record keystrokes that result in a leak of confidential data. The risks here go far beyond compliance. In such an environment, the already substantial reputational costs of a data breach will only multiply.
There are some key aspects of cyber-risk that may still be under-appreciated but are crucial to helping boards and executives assess how best to prepare an organization’s defenses in the face of proliferating threats.