More and more business value and personal information worldwide are rapidly migrating into digital form on open and globally interconnected technology platforms. As that happens, the risks from cyberattacks become increasingly daunting. Criminals pursue financial gain through fraud and identity theft; competitors steal intellectual property or disrupt business to grab advantage; “hacktivists” pierce online firewalls to make political statements.
Research McKinsey conducted in partnership with the World Economic Forum suggests that companies are struggling with their capabilities in cyberrisk management. As highly visible breaches occur with growing regularity, most technology executives believe that they are losing ground to attackers. Organizations large and small lack the facts to make effective decisions, and traditional “protect the perimeter” technology strategies are proving insufficient. Most companies also have difficulty quantifying the impact of risks and mitigation plans. Much of the damage results from an inadequate response to a breach rather than the breach itself.
Complicating matters further for executives, mitigating the effect of attacks often requires making complicated trade-offs between reducing risk and keeping pace with business demands (see sidebar “Seizing the initiative on cybersecurity: A top-team checklist”). Only a few CEOs realize that the real cost of cybercrime stems from delayed or lost technological innovation—problems resulting in part from how thoroughly companies are screening technology investments for their potential impact on the cyberrisk profile.
These findings emerged from interviews with more than 200 chief information officers, chief information-security officers, regulators, policy makers, technology vendors, law-enforcement officials, and other kinds of practitioners in seven sectors across the Americas, Europe, the Middle East and Africa, and Asia.1 We also drew on a separate McKinsey executive survey on cyberrisk, supplementing this research with an analysis of McKinsey Global Institute (MGI) data on the value-creation potential of innovative technologies. That analysis showed that the economic costs of cybercrime could run into the trillions of dollars.
Areas of business concern
From our interviews and survey research, four areas of concern emerged on how executives perceive cyberrisks, their business impact, and the readiness of companies to respond:
More than half of all respondents, and 70 percent of executives from financial institutions, believe that cybersecurity is a strategic risk for their companies. European companies are slightly more concerned than American ones. Notably, some executives think internal threats (from employees) are as big a risk as external attacks.
Equally worrisome, a large majority of executives believe that attackers will continue to increase their lead over corporate defenses. Sixty percent of the executives interviewed think the sophistication or pace of attacks will increase somewhat more quickly than the ability of institutions to defend themselves. Product companies, such as high-tech firms, are most concerned about industrial espionage. The leaking of proprietary knowledge about production processes may be more damaging than leaks of product specifications, given the pervasiveness of “teardown” techniques and the legal protections afforded to product designs. Service companies are more concerned about the loss and release of identifiable information on customers and about service disruptions.
According to McKinsey’s ongoing cyberrisk-maturity survey research, large companies reported cross-sector gaps in their risk-management capabilities. Ninety percent of those most recently surveyed had “nascent” or “developing” ones. Only 5 percent were rated “mature” overall across the practice areas studied (exhibit). Notably, we found no correlation between spending levels and risk-management maturity. Some companies spend little but do a comparatively good job of making risk-management decisions. Others spend vigorously, but without much sophistication. Even the largest firms had substantial room for improvement. In finance, for instance, senior nontechnical executives struggled to incorporate cyberrisk management into discussions on enterprise risk management and often couldn’t make informed decisions, because they lacked data.