The accepted wisdom in the cyber security field today is that there are two types of companies in the world: those that know they’ve been hacked, and those that don’t.
No enterprise is immune from cyber threats, and the list of big, scary data breaches continues to grow. The vast majority of companies in Europe (92 percent) have been hacked in the last five years, according to a recent survey by specialty insurer Lloyd’s of London. The average total cost of a breach is $4 million, according to a 2016 study by the Ponemon Institute.
Yet, categorized as risk to avoid rather than opportunity to pursue, cybersecurity has never been a terribly sexy topic in the C-suite. It’s an added expense—and one that slows down efforts to leap ahead technologically. The significant attention it receives tends to be of the negative variety when things go horribly wrong. Even as companies have embarked on their digital transformation efforts, security has remained an afterthought—tacked on after a big new investment in advanced analytics, cognitive systems, or Internet of Things (IoT) technology. Very soon, however, that reactive approach will seem antiquated.
A Coming Mind Shift
Spending on IT security has been increasing in the last two years, even as overall technology budgets have been decreasing, according to a 2016 report by the SANS Institute. But it’s not just a lift in spending that’s called for, but also a shift in thinking.
In today’s age of rapidly developing transformational technologies, keeping on top of emerging security and privacy threats is more challenging—and more critical—than ever before. As companies collaborate with a wider network of partners and meet new demands for 24/7 operations and greater transparency with customers, cyber security risks multiply. The scope, scale, and impact of cyber attacks will grow in concert with increasing digitization:
- 4.2 billion records were exposed in more than 4,000 known data breaches in 2016, according to Risk Based Security.
- Cyber insurance premiums could increase tenfold to $20 billion annually by 2025, according to Marsh & McLennan.
- The cost of data breaches will reach $2.1 trillion globally by 2019—nearly four times the estimated cost of breaches in 2015, according to Juniper Research.
- Cyber attacks could cost the world up to $90 trillion in net economic benefit by 2030 if cyber security doesn’t keep pace with growing interconnectedness, according to a study published by the Atlantic Council and the Zurich Insurance Group.
- Cyber risk is expanding beyond the virtual world to the physical one. Hackers used highly destructive malware to bring down three Ukrainian power distribution companies in 2016, for example, cutting power to 80,000 people.
- The expanding universe of Internet of Things devices is particularly vulnerable to exploitation as companies may not update them after installation and many devices are not able to receive security update patches, according to AIG. In fact, an IoT hack took down Amazon, Twitter, Netflix, and other major sites in October 2016.
- Connected devices pose particular concern in healthcare, an industry that already faces 340 percent more cyberattacks than the average industry and that fails to monitor 75 percent of hospital network traffic, according to a report from Raytheon and WebSense Security Labs.
- Cyberattacks are one of the top ten global risks of highest concern for the next decade, right alongside such threats as water and food crises, natural catastrophes, social instability, and national governance failures, according to the World Economic Forum.
Just a third of companies today are sufficiently prepared to prevent a worst-case attack, according to Oliver Wyman, and only a quarter currently treat cyber risk as a significant corporate risk. But as cyber risk expands and attacks result not only in financial and reputational damage but also in physical destruction, danger, or loss of life, trust will become a competitive advantage. Therefore, those companies and organizations that want to dominate their markets will approach security as a strategic investment, proactively embedding cybersecurity strategy into business strategy.
As companies continue their digital transformations, they need to adopt more flexible and ubiquitous cyber defense measures to meet the more extreme threats they will face. Failing to do so risks unanticipated costs, operational shutdowns, reputational damage, and legal consequences.
A Zero-Trust Approach
Unfortunately, there is no off-the-shelf solution to manage the entirety of a company’s cyber risk. As companies continue to introduce more digital innovations, they must continuously adopt and adapt cyber security measures commensurate with the growing threats they’ll face.
In a global economy, security can only be as good as the regulations, compliance, and enforcement in the countries where an organization operates—and those vary wildly around the world. What’s more, even when a company’s leaders take a more proactive approach to investing in cyber security protection and response, its partners and suppliers may not. Nearly 80 percent of companies fail to assess their customers and suppliers for cyber risk, according to a survey by Marsh & McLennan. And hackers certainly will be proactive about finding the weakest link in a value chain. Meanwhile, as enterprises adopt a growing legion of internet-connected devices and sensors, cyber security risk will be distributed even more widely.
Organizations must evolve from the attitude that perimeter security, achievable by firewalls or anti-virus protection, is enough. As interconnectivity and interdependency increase, so too will the adoption of zero-trust networks. The zero-trust approach questions the assumption that a company can be made safe and sound within the confines of its own “secure” corporate network. Instead, a zero-trust approach places controls around the data assets themselves and creates increased visibility into how they are used across a digital business ecosystem.
A New Approach for a Networked World
But, as SAP CEO Bill McDermott wrote to customers in 2016, “Information security is a journey without a destination. The security threat in the enterprise is relentless and multiplying, and the attackers are getting more sophisticated.” A zero-trust network is not enough. When the question is not if, but when, a significant breach will occur, how a company manages this inevitability becomes critical.
The key is to develop a robust approach to measuring, controlling, and responding to cyber risk. We recommend a three-pronged strategy to manage the threats in the expanding enterprise ecosystem:
- Prevent. This aspect of cyber security strategy remains as important as ever, and companies must evolve their preventative strategies, from their security policies and educational approaches to the actual access controls they put in place.
- Detect. In an evolving cyber threat environment, there is no foolproof prevention approach. Selecting and deploying appropriate intrusion detection systems for the timely detection and notification of compromises is critical.
- React. Detection is useless without a response. Companies that approach cyber security as a competitive advantage will put incident response plans in place in much the same way they would plan for recovery from a natural disaster.
Building Trust, Not Walls
The Great Wall of China may have succeeded as an exercise in power or a feat of construction. But as a security strategy, it was a failure. Similarly, a cyber security strategy focused on building strong enough borders around the company will fail. It’s impossible to keep all the bad guys out.
As more of a company’s data and its business processes become distributed, its cyber security strategy must become much more far-reaching. The good news is that even as digital technologies increase cyber security risk, they can also help mitigate it. Many cloud providers, for example, are taking a more robust approach to security strategy than their customers might. New technologies like machine learning and Big Data analytics can strengthen security protections. Of course, the hackers can—and will—take advantage of these powerful technological advancements as well. Cyber risk experts will tell you the dark web is teeming with attack tools that enable hackers to take advantage of outdated security approaches and corporate vulnerabilities. They’ve been quick to take advantage of new automation tools in order to carry out more sophisticated and layered attacks on corporate and state assets.
Companies who embrace trust and security as competitive advantages will build security into their digital ecosystems at each layer:
- Secure Products: Incorporating security into all applications, ensuring the protection of content and transactions.
- Secure Operations: Investing in hardened systems, security patch management, security monitoring, end-to-end incident handling, and a comprehensive cloud operations security framework.
- Secure Company: Creating a security-educated and aware workforce, end-to-end physical security of assets, and a comprehensive business continuity framework.
Forward-looking companies will follow these principles not only within their own organizations but will also expect them from their network of partners, suppliers, and customers. The hackers of today and the future aren’t working alone, and neither should the companies they’re targeting.
The risk of full-blown cyber catastrophes is real. The WEF has warned that large-scale cyber attacks could cause significant economic damage, geopolitical tensions, or widespread loss of trust in the Internet.
A report from the Atlantic Council and Zurich Insurance Group found that as soon as 2018, there could be damage from massive cyber attacks equivalent to 1.5 percent of global GDP that is “certain to drastically increase risks and drag down net profits for companies that are most exposed to cyber-attacks.” The worst-case scenario could result in a state of perpetual cyber crime and cyber warfare, increasingly vulnerable critical infrastructure, and losses of $90 trillion globally, according to the report.
A collaborative network approach will be critical to combating such a persistent global threat with implications not just for corporate and personal data, but strategy, supply chains, products, and physical operations. Trust will be the most important currency in the digital future—one that companies will have to earn and work diligently to keep.
Justin Somaini heads the Global Security unit at SAP. Dan Wellers is the Digital Futures global lead and senior analyst at SAP Insights.