5 Reasons Why Every Company Needs a Cybersecurity Strategy

It happened on Saturday, 14 November 2015: unknown hackers accessed the app store database of VTech, a global supplier of electronic learning products with headquarters in Hong Kong. The hackers captured a significant amount of user profile data of children and their parents, as BBC News reported. The profile data included name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history.

Why do I tell you this? I believe your company could be next if you don’t have a comprehensive cybersecurity strategy. I am aware that most medium-sized and large companies have an IT department and a set of IT security processes. However, a comprehensive cybersecurity strategy should go beyond that. Here are the five main reasons why I think every company should have a comprehensive cybersecurity strategy for preventing and mitigating cyber attacks.

1. A growing part of business is happening via the Internet

More and more business is happening in cyberspace. Every sector and every business of any size is affected by digitization. Businesses and customers have moved at high speed to the Internet. There are over 3.2 billion Internet users today, about 40 percent of the global population, according to Internet Live Stats. More and more business transactions are done via mobile devices, like smartphones and tablets. Out of 3.65 billion mobile users, 1.9 billion are using smartphones (source: Statista). Accordingly, the value of global e-commerce via mobile devices is growing rapidly – in the second quarter of 2014 it amounted to 130 billion dollars (source: Statista).

As e-commerce continues to grow at a rapid pace, making sure it is secure becomes more important. The relevance of cybersecurity grows even further if you think of emerging business trends like the smart connected home and e-health.

2. Number and intensity of cyber attacks are increasing

In parallel with the growing number of Internet users and e-commerce transactions, the number and intensity of cyber attacks have increased as well. There are no reliable, comprehensive data. However, data from surveys confirm this statement. In a survey conducted in 2014 by ISACA, the Information Systems Audit and Control Association, 77 percent of respondents said that cyber attacks increased between 2013 and 2014, and 82 percent consider it likely or very likely that their enterprise will be attacked in 2015.

According to the same study, cyber threats in 2014 originated mainly from cyber criminals (46 percent), non-malicious insiders (41 percent), hackers (40 percent) and malicious insiders (29 percent).

The cost of these attacks for the affected companies is substantial. A study by the Ponemon Institute gives an average cost of 7.7 million dollars per organization per year, with a range from 0.31 million dollars to 65 million dollars.

3. Customer trust is based on the integrity of their data

Every business is built on the trust of its customers. In the case of business done via the Internet, this trust is basically built on the integrity of customer data and how well these data are protected by companies. Put yourself in the shoes of a customer: would you rather buy from a company that was recently hacked, like VTech, or from one that hasn’t been hacked?

In view of emerging business scenarios around the Internet of Things, where you have lots of connected devices in your household and your workplace, having an effective cybersecurity strategy in place is a pre-condition for keeping or building the required customer trust, no matter if it is B2C or B2B.

4. Cybersecurity is more than a task for the IT department

In a number of companies, cybersecurity is treated mainly as a task for the IT department. Through technical measures, IT professionals are expected to ensure that the digital business of their companies is protected from cyber attacks.

However, this approach is fundamentally flawed. Leaving it to the IT department to sort out cyber threats is not enough. Cybersecurity is a challenge for the boardroom and not just the IT room.

Cybersecurity affects the whole company and should be treated accordingly.

5. Employees could either be a security risk or an asset

Cybersecurity is as much an issue of personnel as it is an IT topic.

Many cybersecurity risks are created or increased by inattentive employees. Take, for example, the loss of mobile devices, which constitutes a major security risk, as data found on those devices could provide access to sensitive company data. In the ISACA survey already mentioned, 83 percent of companies provide their employees with mobile devices, and 91 percent of these companies reported a loss of mobile devices in 2014.

This example shows that the behavior of employees is a major security factor that needs to be considered in a comprehensive cybersecurity strategy. Such a strategy should include awareness building, user training and incentives for employees to behave responsibly when dealing with digital data and communication devices.

There should also be procedures and safeguards against the effects of the occasional employee who, deliberately or inadvertently, creates a cybersecurity threat. In practice, you will not be able to achieve 100 percent secure behavior by all employees all of the time. Thus, you need to have safeguards and procedures for mitigating any risk.

Conclusion

In the area of cybersecurity, complacency is dangerous, and a certain level of paranoia is healthy. It is important to have a holistic view of cybersecurity and to develop a comprehensive cybersecurity strategy. It should be a topic handled at boardroom level, and not just in the IT department. This will require executives to get a better understanding of IT systems, and IT professionals in the organization to get a better understanding of business processes.
