A robust cybersecurity strategy is no longer a cost of doing business. It’s a determining factor of whether a company will stay in business.
When organizations think about cybersecurity, they tend to think of two things: cyber hackers and data breaches.
And it’s true, cyber attackers are becoming more sophisticated, using more advanced phishing and malware techniques to find weak points in organizations large and small, and in public and private sectors alike.
The true cost of a cyberattack – in terms of lost productivity and reputational equity – can be eye-watering. According to some estimates, the global cost of cybersecurity breaches will reach US$6 trillion by 2021.
The challenge for any leadership team staring down the cyber threat is clear. While companies must be on their guard 24 hours a day, 365 days a year, an attacker only needs to be lucky one time.
Despite knowing this, 89 percent of organizations admit they don’t have a cybersecurity function in place that meets their needs. What’s more, just 36 percent of their boards have sufficient cybersecurity knowledge to effectively manage the risks.
It can be tempting to think that cybersecurity is a problem for your company’s chief information security officer. But the more our businesses digitize and automate operations, the more open we are to attack.
We see it all too often: the only time a CISO fronts the board is after a cybersecurity breach. This disconnect presents a very real and present danger. EY’s latest Global Information Security Survey (GISS) found that just 36 percent of companies are confident that the board and executive management team have a comprehensive understanding of information security to fully evaluate cyber risks and preventive measures. The biggest risk organizations face is the trusted insider, or a third party they use in their supply chain. Despite this, just 34 percent of respondents to EY’s latest GISS identified this as their biggest cyber risk. As we conduct more and more business online, our interconnected digital ecosystems are only as strong as the weakest link.
"A proactive approach to cybersecurity, led by the board, which embeds the right systems and technologies will not only respond to cyberattacks, but also enable enterprise growth."
The latest figures from the Office of the Australian Information Commissioner are instructive. Australian organizations reported 245 data breaches between July and September 2018. Of those, 20 percent occurred when personal information was sent to the wrong recipient, by email, mail, fax or other means. A further 20 percent of breaches were attributed to phishing.
The solution? A “when, not if” proactive approach to cybersecurity, led by the board, which embeds the right systems and technologies to not only respond to attacks, but also to enable enterprise growth. At EY, we call this approach ‘trust by design’. This is not about investing in technology, but about investing in trust. Ultimately security builds customer loyalty, and any future growth strategy is dependent on customer loyalty and trust.
Protection: How can I protect my organization – and its most valuable assets – in the face of increasing cybersecurity attacks? Consider not only the obvious cybersecurity weaknesses, but your regulatory responsibilities.
Optimization: What cybersecurity activities could we automate or undertake more cost effectively, and how do we look beyond our biggest risks?
Growth: How can we design and build secure new channels and differentiate around security and privacy for growth?
Four in 10 organizations currently say that the person with ultimate responsibility for cybersecurity is a member of the board or executive management. As security evolves as a key enabler of growth, we think this proportion is likely to increase.