Most companies survive most cyberattacks. For example, two American tech companies lost more than $100 million to a crafty cybercriminal using forged credentials, but this financial attack never threatened the existence of the two businesses. A German steel mill lost control of a blast furnace—and the ability to protect workers—to hackers who gained remote access and overrode safety controls, but again, this company survived too.
Companies must take steps to address many types of risk—financial, operational, reputational, and others. But as business becomes ever more reliant on technology, addressing catastrophic risk—losing all data, production systems, or intellectual property—must also be on every executive’s agenda.
When hackers targeted Code Spaces, a software collaboration platform, they deleted all of the company’s data and its backups. Overnight, Code Spaces shut down. Existential threats are not always sudden, however. Over the course of ten years, hackers siphoned the intellectual property of a North American telecommunications giant: Nortel Networks. Nortel no longer exists, and although it has not been proven in court, many speculate that its stolen IP helped the company’s foreign rivals get a competitive edge.
The attacks on Code Spaces and Nortel show the kind of damage that dedicated hackers can cause when focused on a specific target. This summer, WannaCry and NotPetya demonstrated that even relatively unsophisticated, untargeted attacks can cause considerable, widespread damage simply because minimum defense mechanisms, such as well-executed patch management strategies, were not universally in place. Although a failure in patch management may sound like technobabble for the IT department to sort out, it is not a challenge that can be solved solely by using the most sophisticated technology or by employing the most talented IT and security professionals.
Making an organization cyberresilient requires close cooperation between business and technology leaders. Has your organization identified its digital crown jewels—the data, systems, or intellectual property that must be guarded most closely? This question must be answered before the IT teams can adequately prioritize what to patch. Likewise, has your organization calculated how much cyberrisk it can afford? If not, the IT and security teams are working in the dark.
Many companies fell victim to WannaCry and NotPetya because business leaders were inadequately trained about the risks posed by unpatched systems. These business leaders did not prioritize software maintenance, and their systems remained unpatched many months after the threat was known to security teams. Does your organization have a culture where business leaders work with security leaders to balance operational and security objectives?
Effective cybersecurity must be aligned with your business strategy, and cyberrisk must be an integral part of your corporate risk management strategy. (See “Cybersecurity Meets IT Risk Management: A Corporate Immune and Defense System.”) This cyberrisk strategy must be guided by an engaged board of directors. (See “Advancing Cyber Resilience: Principles and Tools for Boards.”) And the strategy must be implemented and managed by executives who understand the risks. (See “Building a Cyberresilient Organization.”)
Does your company have a well-formed cybersecurity strategy? If your organization’s existence depended on it, could executives answer the following questions?
Governance, Policies, and Processes
External Participation and Internal Collaboration
If you don’t know the answers, it is time to get to work.
This article was originally published by CBI.
ABOUT BOSTON CONSULTING GROUP
Boston Consulting Group partners with leaders in business and society to tackle their most important challenges and capture their greatest opportunities. BCG was the pioneer in business strategy when it was founded in 1963. Today, we work closely with clients to embrace a transformational approach aimed at benefiting all stakeholders—empowering organizations to grow, build sustainable competitive advantage, and drive positive societal impact.
Our diverse, global teams bring deep industry and functional expertise and a range of perspectives that question the status quo and spark change. BCG delivers solutions through leading-edge management consulting, technology and design, and corporate and digital ventures. We work in a uniquely collaborative model across the firm and throughout all levels of the client organization, fueled by the goal of helping our clients thrive and enabling them to make the world a better place.
© Boston Consulting Group 2023. All rights reserved.