Data breaches and cybersecurity now top C-Suite concerns
(Editor’s note: The report “2017 Views from the C-Suite” was published on Tuesday. Authors Paul A. Laudicina and Eric R. Peterson explore the key findings and the significance of each here.)
Among the interesting results from our 2017 Views from the C-Suite survey of global executives is the fact that, of all the myriad challenges facing businesses worldwide, executives are most concerned about cybersecurity. An overwhelming 85 percent of them told us they believe that cyberattacks will become more frequent and costly over the next 12 months.
This is unsurprising given the high-profile cyberattacks that companies in various sectors have suffered in recent months and years. And cyber insecurity is likely to grow in the coming years as more devices are connected to the Internet and more businesses run the risk of getting caught in the crossfire of escalating cyber warfare between governments.
For instance, WannaCry—the world’s biggest ransomware cyberattack that took place two months ago—has recently been linked to North Korean state hackers, who were in turn using software tools stolen from the National Security Agency.
Almost half (up from 40 percent last year) of the executives we surveyed cite cybersecurity as one of the top challenges to their business operations in the next 12 months. Their biggest focus is on weak cyber defenses, both in terms of hardware and software, and they have good reason to be concerned.
The scope of the WannaCry attack, which successfully took advantage of weaknesses in the 12-year-old Windows XP operating system, underscores widespread institutional underinvestment in cybersecurity and the vulnerabilities implicit in legacy systems. Many firms still using outdated software or hardware must now wonder whether the costs of upgrading old and vulnerable systems are less than the reputational and operational risks of a serious cyberattack.
Executives are also focused on the people who manage technology, in addition to the technology itself. Specifically, global executives point to recruiting and retaining qualified IT talent as a major problem.
Indeed, a recent survey found that IT staff were the second-hardest roles for global corporations to fill in 2017. Among executives based in the Americas and those in the industry sector, the effort to recruit and retain talent is seen as an even more significant challenge than having weak cyber defense systems. Every year in the United States, for instance, approximately 40,000 jobs for information security analysts go unfilled.
Another related challenge is broader—namely, overall employee cybersecurity training and awareness. Cybersecurity experts consistently point to lack of employee training as a key cyber vulnerability. Employees can inadvertently provide hackers with access to company hardware and software by failing to adequately secure their devices or by clicking on malicious links. Identifying the problem is the first step toward fixing it.
From our perspective, more can and should be done to address growing cybersecurity risks. Executives can carry out periodic cyber risk assessments to identify potential threats and vulnerabilities, as well as maintain robust employee cybersecurity training programs to reduce the risk of breakdowns from employees.
Given the ever-changing nature of cybersecurity threats, executives also need to engage in cyber scenario planning to develop adaptable crisis response strategies to mitigate the negative consequences of attacks.
There can be no doubt that in this increasingly connected world, cybersecurity will remain a Sisyphean task. Yet executives who recognize the challenge and invest and prepare accordingly will put themselves in a better position to weather future attacks.