Partner & Associate Director, Cybersecurity & IT Infrastructure
A Corporate Immune and Defense System
This report was originally published in 2014 and is periodically reviewed for continuing accuracy. In October 2018, the data in Exhibit 1 and the authors’ titles were updated.
For most forms of life, the threat of attack—from a predator, changing environmental conditions, lower forms of life (such as bacteria and viruses), or some other force—is ever present. Indeed, for many of the natural world’s inhabitants, the question is not if but rather when they will be subject to some form of attack—and how (or whether) they will respond and emerge from the experience.
Businesses, of course, face an analogous situation and must contend with their own potential threats. Most companies therefore make risk identification, assessment, and mitigation a high priority. Yet there is a specific type of threat today for which many companies, in our view, are significantly underprepared: the risk associated with IT and information management. As digitization’s role in companies’ operations continues to grow—according to Ben Hammersley, contributing editor at Wired UK magazine, “Cyberspace is becoming the dominant platform for life in the 21st century”—companies’ vulnerability to data theft, leakage of intellectual property, corporate sabotage, denial-of-service attacks, and the like is growing apace. The damage such events can pose to a company’s profits, reputation, brand, competitive position, and even viability is potentially vast. One technology company, for example, sustained material damage to its business as a result of extensive hacking of its systems. Another suffered considerable harm to its reputation after a breach compromised the security of its customers’ personal data.
In the natural world, a strong immune and defense capability is essential for survival (much as in human society, vaccines and health care systems are critical to protecting life). For today’s companies, the ability to safeguard IT systems and information may be equally vital. To properly arm themselves, companies must understand the IT and information-related risks they face and construct sufficiently robust protection systems—and they must do so with an eye toward controlling costs and minimizing any negative impact on the business. Of course, perfect security is beyond any company’s reach. The trick is to determine and provide the right amount of defense, at a reasonable cost, and to do so without significantly compromising the organization’s business practices or culture. Moreover, the company must strike this balance while understanding and managing the risks associated with security-related compromises. In our experience, few companies have so far managed to achieve this.
As a rule, the companies that are most at risk of an attack and its consequences are those in which information drives a large portion of value generation and passes through many interconnected systems. Industries with complex application and system landscapes are also at high risk, as are those that rely on complex or meshed networks. Companies in these categories include banks, automotive suppliers, and energy companies (which face a range of vulnerabilities along their entire value chain, including generation, distribution, and infrastructure).
Companies whose business is driven to a large degree by mobile transactions are also at particular risk. (In many Asian markets, for instance, mobile online transactions now exceed the number of transactions conducted through the traditional desktop platform.) For such companies, rapidly growing mobile transactions can translate into swelling revenues—as well as greater likelihood of a breach and data theft. It can also make them increasingly attractive targets for hackers and the like as these companies accumulate larger and more varied types of customer data.
In general, businesses that process large amounts of customer and financial information (credit card details, for example) likewise face an elevated risk, with small and medium-size firms especially vulnerable. Many of these smaller businesses lack the budget and skills necessary to properly safeguard their online or point-of-sales environments, for instance, making them popular targets.
As value creation becomes increasingly digitized across the corporate landscape, however, virtually all companies are becoming more vulnerable—and concerns are rising. (See Exhibit 1.) Health care companies, telecommunications businesses, media companies, public-service organizations, and industrial and consumer goods businesses rich in intellectual property are all increasingly likely targets that have much to lose if their IT systems and information are not sufficiently secure. (See The Trust Advantage: How to Win with Big Data, BCG Focus, November 2013.)
After all, the targets of hackers and data thieves are often not the systems themselves but rather the information they store and process. And the value of that information often lies in the eyes of the (illegitimate) beholder. Strategic plans and information related to a company’s market, production, and pricing strategies are obviously high-value assets that must be carefully protected. But other information, which the company might deem far less critical, could well be of utmost interest to competitors, criminals, nation-backed third parties, or the public. (A food services company, for example, might consider its customer orders to be of relatively little value to third parties and might not go to great lengths to protect that information; but if, say, one of the company’s customers happens to be a law enforcement agency, an atypically large order on a given day could signal to an interested outsider that the agency is planning a major operation.)
And the circle of organizations at risk continues to widen. IT security is quickly becoming a critical concern for companies that use computers not just to crunch numbers but to monitor, move, and control critical equipment, machines, and production lines. For such companies, compromised IT security of their cyberphysical systems can have severe operational and health, safety, and environmental implications. A slightly maladjusted welding robot, for example, could do considerable damage to a car’s stability—and its manufacturer’s reputation. The Stuxnet computer virus is another, still top-of-mind example of the potential risk at hand. So it is no surprise that such companies are focusing more and more on industrial IT security.
In short, the problem now spans businesses of all types. But it does not stop there. Governments are clearly vulnerable to IT and information security risk, and increasing numbers are taking defensive actions. The UK’s Centre for the Protection of National Infrastructure, the U.S. National Cybersecurity and Communications Integration Center, the Australian Signals Directorate, and Germany’s National Cyber Response Centre and National Cyber Security Council are entities that have been created specifically to focus on the problem.
A program intended to provide effective security for a company’s information and the technology used to store and process it must address a number of critical elements, including the following:
Such a program must also provide clarity and reasonable assurance regarding the reliability of controls and the validity of the assumptions underpinning the effort. The priority associated with each of these elements will vary depending on the type of company and industry.
To ensure that their security campaign is sufficiently robust, companies must view the effort through a number of lenses. Three of the most important are technology, cost, and the potential negative impact of risk and the measures taken to mitigate it.1 Getting the technology right entails, as a first step, understanding and quantifying the value of the risks that the company is trying to mitigate. Then the company should identify the technologies that are available for dealing with the risks of greatest concern: the mix of firewalls, intrusion detection and prevention systems, and data leakage protection that will be most effective. The company must also work to understand the use of these technologies in light of industry and national regulations—in some countries, for example, using technology to automatically identify and delete spam may violate constitutionally protected communications.
Cost is obviously another key consideration. Given that a totally secure environment is impossible to create, a company must determine the base level of security it needs—in other words, what is the maximum risk (reputational, operational, or financial, including the cost of remediation) that the company is willing to live with—and then gauge the marginal value of any additional security to be gained through further spending. The company can then decide what level of spending is optimal given its business strategy, tolerance for brand and operational risk, and other considerations. While this sounds like a reasonably straightforward assessment, it is not an easy one, and we find that most companies labor with it.
Finally, it is essential to take into account the potential negative impact on the business—including its culture, flexibility, ability to innovate, and speed of innovation—of both unmanaged risk and any risk-mitigation measures that are put in place. As with cost, this is ultimately a question of balance, and companies will have to identify their particular sweet spot. We have seen a number of companies struggle with this, including several resource and engineering companies that operate internationally. One of them, in an effort to minimize the risk of data theft and espionage, does not allow its employees to bring their laptop computers and mobile devices to countries it deems high risk. The logistical challenges that this policy can pose to employees are considerable. What, for example, should an employee do when his or her itinerary for a regional, multicountry business trip calls for a visit to a high-risk country at the midpoint? Leave all this equipment home, at the expense of efficiency throughout the trip? Or follow the somewhat questionable advice of the IT department and take two laptops on the trip but leave the one containing sensitive information at the hotel in the high-risk location?
Similarly, a large technology company takes a very rigorous approach to elevating its IT and information security. It does not allow its employees to store company data anywhere except on company-issued computers, and it does not enable wireless local-access networks within its offices. Further, the company does not allow visitors from satellite offices to bring their company-issued notebook computers into office headquarters—instead, visitors are given “empty” computers upon arrival. For employees, this makes the execution of standard work tasks, such as accessing presentations and answering e-mails, very challenging. Returning to the metaphor of the human immune system, this is the equivalent of an allergic or even an autoimmune reaction, in which the system attacks perfectly harmless external or internal elements, compromising the body’s overall ability to function properly.
Protection against leakage of intellectual property is a particular and rapidly growing concern for many companies and can force many difficult decisions. Should a company worried about leakage through employees’ outbound e-mails, for example, block all such transmissions or remove all attachments? Doing so would solve the immediate problem but could introduce new ones—for example, the risk of losing business when a contract is stripped from an e-mail and never reaches its intended recipient. This approach can also reduce efficiency and potentially spur employees to find alternative means of communication that the company cannot monitor. (Indeed, we have seen employees of larger companies resorting to external “freemail” accounts to get their work done after trying, unsuccessfully, to change company e-mail policies that they considered impractical.) Taking the opposite approach of allowing (but monitoring) all outbound communications also has trade-offs: the company’s open culture is maintained but the potential for leakage grows, necessitating investment in monitoring technology, a fast detect-and-response capability, and related staff.
These examples illustrate the types of decisions that companies will increasingly have to make. They also hint at the many complexities companies will face as they attempt to ensure security across their ecosystems—that is, the universe of organizations that they deal with in the course of operations. Note, too, that the trade-offs involved in these decisions are likely to be very different for business IT (where confidentiality is often paramount) and industrial IT (where availability is often the top priority).
Companies should aim, of course, to “do no harm” in their efforts to balance the efficacy of security measures against established norms. In cases where security measures do impinge on corporate culture and established ways of operating, companies should ensure that the necessary changes are actively managed.
There is no ex-ante, readily calculable return on investment for IT security—like homeowner’s insurance or a car with extra air bags, it is money spent today to mitigate the risk and potential cost and impact of events that may never materialize. Hence, IT security should be viewed as a necessary cost of doing business. It should also be viewed as a component of the company’s overall IT risk-management program, which, in turn, should be considered an integral part of overall corporate risk management. (See Exhibit 2.) Often, however, we find that companies do neither.
To put things in context, there are six broad categories of IT risk:
Organizations should strive to develop a unified, cohesive plan for addressing these risks. The first step is to identify the specific risks that the company faces in each of the six categories. The second step is to determine which of the four strategies for dealing with risk—avoidance, transfer, mitigation, or absorption—to apply to each specific risk and risk category and how best to handle any remaining risks (for example, by buying insurance against the financial impact of a given primary or residual risk). Then the company must decide how best to incorporate those strategies into its way of working.
In our work on IT and information security with companies in a wide range of industries, including banking, insurance, defense, aerospace, industrial goods, energy, raw materials, telecommunications, and logistics, we have identified a number of other actions that executives can take to improve their companies’ chances of success. They include the following:
Immune systems have evolved over millions of years and offer insights into what an effective corporate cybersecurity program should look like. For example, they identify what is “self” and what is not, recognizing an intruder, determining how to disable it, and continuing to learn as the intruder evolves. They bring the right resources (for example, an army of T cells) to the battle. Undoubtedly, there is much more to learn from these systems—and, given the increasing risk that companies face, an ever-greater urgency to do so.
No immune system (or cybersecurity effort) is 100 percent effective, however. While there are ways to tip the odds in your favor, most of us will come down with a sore throat eventually, no matter how cautious we are. Whether this causes only minor discomfort or has more severe consequences depends on whether you caught a cold or a full-blown flu—as well as on environmental conditions that you can influence, your degree of preparedness, the speed of your reaction, and the depth of your defenses. To understand where you stand, ask your physician for a health check. And consider having your company’s IT security checked at the same time.