On a cool spring morning in April 2019 in Washington D.C., the world’s biggest bankers gathered in the American capital to face lawmakers keen to ask some tough questions and seek reassurance from an industry that had spent the last decade rebuilding its reputation. These top bankers lined up to testify at the House Financial Services Committee hearing on banking regulations, where they faced an intense grilling on the state of their industry and weathered multiple confrontations with agitated congressmen and women keen to hold them accountable.
It had been a decade since the banking industry, and indeed the global economy, had been knocked to its knees by a withering financial meltdown that had felled storied banks, caused economies to gasp for air and seen thousands lose their jobs and livelihoods. Eager to avoid an encore, American lawmakers called in the banking world’s biggest chiefs, including those from JP Morgan Chase, Goldman Sachs, Bank of America, and State Street Corp, for some answers.
In this increasingly heated hearing, these chief executives publicly admitted what many corporate chiefs had been discussing in increasingly loud whispers. What clearly emerged is that cyber risk is now the number one worry for Wall Street. As companies found their information assets under assault—from within and outside their networks—they spoke up about cybersecurity moving up their list of priorities.
During my conversations with top CxOs and technology/security heads from around the world, chatter has increasingly and swiftly centred on the looming threat of cyberattack and the growing importance accorded to it by companies and their boards. I was recently speaking with the chief technology officer of one of the largest financial services companies and he mentioned, “If my board member catches me alone in a lift and we have only thirty seconds to chat, the only question I would get asked is: are we secure?” That is how concerned the board is today about cybersecurity. I recently keynoted the internal event of a large global bank, where the unanimous No.1 priority was “secure digital banking” and there were detailed deliberations on how cybersecurity will be key to the future of the banking industry. In India too, the Data Protection Act makes board members liable for customer data, only increasing their interest in the game.
Threats and incidents today aren’t the purview of a lone hacker with access to a company network and an axe to grind. Consider what happened to global shipping giant A.P. Møller-Maersk when it got entangled in a global geopolitical rift that brought its entire network down. It was only saved by a frantic search for a surviving domain controller in Ghana, whose data was carried on an external hard drive to resuscitate the company’s network. The shipping giant wasn’t the only one to be felled by rampaging hackers. Large companies ranging from Marriott to Yahoo and eBay to Target have been the target of an increasingly sophisticated range of attacks. Yahoo, in particular, was devalued by $350 million during its buyout by Verizon after the hack.
These kinds of cyber threats aren’t one-off incidents any longer. As data and the Internet become the lifeblood of enterprises worldwide, their systems will only come under more sustained attack from a variety of sources. A breach isn’t a question of some lines of code that need to be fixed—instead it could be an oil pipeline in the Persian Gulf shut down by a rogue element, a metro city plunged into darkness and chaos at peak hour, or a bank and its network held hostage by a hacker demanding a fat ransom in bitcoins.
Security heads have plenty to worry about when it comes to the security of enterprise networks. The Cost of a Data Breach study by Ponemon recently revealed that the cost of a data breach has risen 12% over the past five years and that a breach today costs $3.92 million on average. These rising expenses are representative of the multiyear financial impact of breaches, increased regulation and the complex process of resolving criminal attacks, the report stated. The report further revealed that malicious data breaches cost companies $4.45 million on average—over $1 million more than those originating from accidental causes such as system glitches and human error. The percentage of malicious or criminal attacks as the root cause of data breaches in the report crept up from 42% to 51% over the past six years of the study.
This begs the question: If enterprises are indeed getting the gist of why cybersecurity is so mission critical to an enterprise, why is it that there is continued hesitation on cybersecurity spends?
Cyberattacks are one of the top 10 global risks of highest concern for the next decade, according to the World Economic Forum Global Risks Report 2019, with data fraud and theft ranked fourth and cyberattacks fifth. Globally, their potential cost could be up to $90 trillion in net economic impact by 2030 if cybersecurity efforts do not keep pace with growing interconnectedness, according to the Atlantic Council and the Zurich Insurance Group, among others. With over 64 billion devices expected to be added to the global network of the Internet of Things, these attacks could come from anywhere. It is critical for companies and their boards to stay updated on these rapidly changing networks and be prepared to deal with any eventuality. To stay safe, the industry needs a platform which is enterprise-wide, real-time, unified and objective to measure and mitigate cyber-risks. Gartner too, in 2019, identified ‘Security Rating Services (SRS)’ as one of the Top 10 Security Projects for 2019.
For CEOs and information security leaders, this quote from former U.S. President John F. Kennedy, decades ago, sums up the attitude required in this age of a cyber threat explosion. “There are risks and costs to a program of action—but they are far less than the long range cost of comfortable inaction.”
Views are personal.
The author is co-founder & CEO, Lucideus.