Cybercrime is taking on ever more and ever new forms – from data theft or forgery to computer sabotage or cyber espionage to improper handling of company information by staff, suppliers, or other business partners. And malicious cybercrime is only part of the problem. Defensive approaches to combat the threat must keep pace. Firms can no longer rely on existing corporate risk management approaches or their IT department’s capabilities; they must implement more far-reaching measures. Effective information security is an issue that involves the whole company, and it needs to be established as a permanent item on the board’s agenda. The challenges are multidimensional and call for a broad approach to risk assessment. Oliver Wyman has identified the key criteria that determine the success of sustainable information security management.
1. How significant a problem have cyber attacks become for enterprises and governments?
That is a pretty tough question – with these kinds of events, many organizations have been very reluctant to acknowledge breaches. That said, even the tip of the iceberg is very large. The average annualized cost of cyber attacks is $8.9m per organization. $120.1BN is the expected size of the global cyber security market in 2017 – an estimated CAGR of 11.3% from $63.7BN in 2011.
2. How have the Sony attack and ones like it changed perception?
In reality, every industry now has many stories of major cyber attacks. Ultimately this has moved the expectation from “never here” to “could happen” to “will happen”. What was different about Sony and a few others was that cyber became an issue to threaten the most important assets of a whole firm and its very existence.
3. Do you see a similar impact across all industries?
No, there is significant variation by industry. We see a number of factors driving the threat level. One key element is the level of digitization – as digitization takes hold, the level of attacks recorded increases. Of course, this is driving growth everywhere. Equally important is the benefit to the criminal of accessing the data; for example, breaches of financial services or retailer payment systems are more commonly reported than those of medical records. Additionally, one needs to consider that threat scenarios vary for different industries: while it is more classic cybercrime in the financial services industry, manufacturing is more confronted with cyber espionage, and critical infrastructure industries like energy or aviation need to protect against terrorist attacks.
4. What should companies be doing to be prepared?
Firms can no longer rely on existing corporate risk management approaches or their IT department’s capabilities; they must implement more far-reaching measures. An overarching Cyber Risk Management Strategy is the starting point, considering cyber risk appetite, high-value asset exposure and protection. Strong capabilities (policy and standards, organization and governance, procedures, and technology and infrastructure) are required in balance but sit beneath this. Finally, independent compliance and audit are critical to ensure the strategy is being executed.
5. How has the consumerization of corporate technology, including bring your own device (BYOD), impacted overall risk and security?
For sure, the proliferation of technologies and the sheer volume of transactions and data exchanged increases the opportunities for cybercrime. But they also drive enormous opportunity for businesses. For us the key is to balance the risk and reward, exactly as an enterprise would do for any other business decision. We expect to see a lot more proactive risk decision making and organizations thinking harder about how to mitigate or offset the risks.
6. Who in the organization is raising this risk?
Leaders in information security are now recognizing that effective information security is an existential issue that involves the whole company, and it needs to be established as a permanent item on the board’s agenda. Even five years ago shareholders accepted that information security was a technology issue handled by the CIO or even a direct report. Today it demands the attention of the most senior executives.