Among all the myriad worries faced by global leaders, they placed cybersecurity threats above all other major concerns. These include the risk of disruption caused by income inequality and the job losses arising from technological advances; societal and ethical implications of artificial intelligence; and the impact of climate change. Topping this list of global anxieties is no small feat.
Here’s what’s particularly interesting about cybersecurity’s top-ranking: this threat is not new news. It’s been a problem for decades, with near constant discussion and focus in white papers, conferences and news publications. So why now? Why have CEOs called cybersecurity the number one threat to the immediate future? What has changed in the environment to vault cybersecurity to the top of the heap of global worries?
Some of the reasons for cyber-anxiety are long-standing and well-known. There is of course huge financial risk associated with cybersecurity – in both prevention and recovery. Companies that fall victim to cyber breaches can lose money, pay heavy fines and perhaps most significantly lose the trust of their clients and employees.
Yet, the risk goes beyond the purely financial: cybersecurity is a systemic threat and an existential threat. As we have seen in recent years, a significant cyberattack can spread disruption far and wide. It does not just impact a single business; it can impact multiple businesses and their supply chains, as well as national and local government infrastructure.
Another recently evolving reason why cyber threats have become so dangerous is that they are increasingly interlinked with other major threats facing CEOs, as the CEO Imperative Study highlighted. In a politicized and activist environment, cyber threats now closely link to some of the most daunting challenges the world wrestles—including climate change, digitization, geopolitical instability and social inequality.
In the past, cyber threats tended to be fuelled by greed and opportunism – perpetrators looking to extort money from organizations and individuals. While these motivations still exist, anger and activism are an increasingly important driver as well. Cyber-attacks are launched simply because the perpetrator wants to make a point, whether it be about the politics of an organization, the damage it is inflicting on the environment or the harm it is causing to society. As the tools used to enable a cyber-attack, become increasingly ubiquitous (and user friendly), we will see the continued increase in ‘hacktivists’ – activists who take action with the aim of using technology to hold large companies and other systemically important organizations to account.
The loss of jobs to automation also stands to be a huge driver of cyber-attacks over the next decade. Even highly educated and skilled workers are at risk of dislocation due to increasingly powerful systems and automation. These highly capable people – particularly those with technology backgrounds – may well engage in cybercrime as a way to both make money and protest against their lot. A rise in fraud and other types of financial crime is a predictable result.
The bad news is that these CEOs’ concerns are well-founded, and the risk is not likely to abate any time soon. And the worse news is that as the ranks of the angry and discontented grow, it won’t be easy to proactively identify hacktivists and cyber criminals, let alone anticipate their attacks. Nevertheless, CEOs can take some practical steps to help mitigate their organization’s exposure to cyber risk:
1.Be aware of the need to protect your brand in today’s politicized and activist world. Your brand needs to have the trust of consumers, employees, and the supply chain. If any of these parties lose trust in your brand, cybersecurity attacks may follow.
2. Work closely with your national government to understand the regulatory landscape in your country and which local enforcement agencies exist. That way you will know who to contact in an emergency.
3. Collaborate with peers within your industry and sector to share insights and knowledge so that you can raise the collective level of awareness and preparedness.
4. Work with experts who understand how cyber risk varies in the various markets in which your organization operates, and the programmatic controls that should be put in place for protection. To enhance the Board’s confidence, consider hiring an independent/objective third-party to evaluate and verify the effectiveness of your programmatic controls.
5. Make sure you have an effective, risk-based cybersecurity program in place today. Many organizations fail to properly consider cyber risk until they are required to comply with new regulations, or their auditor tells them to act. In fact, cyber management should be ingrained within the DNA of an organization in just the same way that brand management is. The cyber implications of any project should be thought through at the start and the entire organization should have a mindset of security by design.
Today, many businesses treat cybersecurity simply as a compliance exercise, delegated a level or two into the organization. And yet, the leaders of the world’s biggest companies believe that it will be the number one threat to the global economy over the next decade.
The post "How cybersecurity became the number one threat in the global economy for CEOs"
was written by Kris Lovejoy, EY Global Advisory Cybersecurity Leader.