Senior Partner & Managing Director
It’s a quiet Sunday night. Suddenly, the phone rings. It’s your CIO. You’ve been hacked. The hackers are threatening to destroy your company’s entire data warehouse in 24 hours unless you pay a $5 million ransom. Your move.
Not every cyberattack is this dramatic. Often, companies don’t realize for six months or more that they’ve been compromised. But whether the attack is quickly apparent or reveals itself over time, you need to be ready.
If you’re like most executives, you already know cybersecurity is a major threat. In recent polls, US business leaders rank cybersecurity as their number one risk. Governments are concerned as well: the European Union’s new General Data Protection Regulation requires companies to maintain an appropriate level of cybersecurity or be prepared to pay a fine of up to 4% of their global revenue.
But are all companies approaching security the right way? The ongoing stream of high-profile breaches suggests that many aren’t: Incidents of stolen intellectual property, lost customer data, crippling ransomware, and other forms of cybercrime are on the rise. These attacks are inhibiting organizations’ strategic objectives, hurting their bottom lines—and costing some executives their jobs. A recent study estimates that the global cost of cybercrime could exceed $6 trillion annually by 2021.
Why are so many firms still struggling with cybersecurity? One reason is that as businesses grow increasingly virtual, they have more territory to defend. But the biggest reason may be that many companies have misunderstood the challenge.
Technology vendors are often quick to characterize cybersecurity as a matter of strengthening network and system security. Although that is indeed an important aspect, a BCG study of 50 recent major data breaches found that only 28% were caused by inadequate security technology. In the vast majority of cases—72%—the breach was the result of an organizational failure, a process failure, or employee negligence.
Our findings suggest that cybersecurity is a concern not only for the IT function but also for the entire company. That's why we take a holistic approach to cybersecurity and tailor our response to your industry and your organization.
Cybersecurity and business strategy should be linked at every level, from the board and C-suite to individual people, processes, and systems.
The first stage of BCG’s approach to cybersecurity is designed to assess your company’s current level of cybersecurity. We work with you to gain a strategic view of your company’s cyber-resilience, drawing from a toolbox that might include one or more of the following options:
In this tabletop exercise, company leaders will have to respond in real time to a simulated cyberattack based on real-world cases. After the two-hour immersive simulation, your board members and senior executives will have a good idea of how prepared your organization is to defend itself against a surprise security breach.
We conduct an online survey of your employees. BCG developed this survey jointly with MIT to measure employee perceptions and behaviors across 12 cultural domains that affect cybersecurity. The results will enable you to compare security practices and attitudes across business units in your company with those of industry peers and other industries.
This scenario-based workshop will help your team better understand your firm’s cyber-risk profile. By understanding the potential business impact of each risk scenario, you will be better positioned to set your priorities and plan a cost-effective strategy for mitigating your most significant risks.
This comprehensive healthcheck of your cybersecurity capabilities will give you a detailed view of your cyber-strengths, weaknesses, and emerging threats, and recommend initiatives you might undertake to address the most significant gaps. This complete cyber checkup will help you enhance your cyber-risk registry in a way that ensures not only that you’re covering all the right bases but also that you are making the right security investments. By the end of this exercise, you will know which of the most important security-related capabilities your organization possesses, which it lacks, and what your next steps should be.
The second stage of the process depends entirely on the gaps uncovered in our initial engagement. Using the risk registry developed in the assessment stage, BCG will work with you to design a program tailored to your vulnerabilities. Our recommendations might range from educating the board, the c-suite, and senior management to ensuring supply chain security. If you have an upcoming event with security implications, such as a merger or any other major corporate transaction, we can help you through that process as well.
Over the past two years, BCG has helped many organizations better secure themselves against cyber-threats. Recent engagements have included
BCG has a deep bench of cybersecurity experts. Our cybersecurity experts are quoted frequently in leading business publications and are invited to speak on security issues at conferences all over the world.
In addition to our consulting engagements, we keep up with the latest thinking on cyber-risk through a number of relationships with many other recognized cyber-security experts on both an individual and an institutional level. These peer organizations include the MIT Sloan Interdisciplinary Consortium for Improving Critical Infrastructure Cybersecurity; the Financial Services Roundtable, an industry association representing the largest financial institutions; and The Geneva Association, the leading think tank of the global insurance industry. We also maintain a close working relationship with INTERPOL.
Since 2016, BCG and the World Economic Forum have collaborated on a series of seminars, research initiatives, and playbooks intended to advance global cyber-resilience in both the private and public sectors. Our contributions have included creating model principles and governance policies for boards and creating a cybersecurity playbook for public private partnerships.