Patrick Rinski
Cybersecurity Expert Associate Partner
McKinsey & Company / Expert Contributor

Cybersecurity a Core Component in the Strategy of Organizations

By Patrick Rinski | Wed, 12/15/2021 - 11:07

With digitalization accelerating due to the pandemic, the market is even more vulnerable to virtual attacks. This is mainly due to the large-scale adoption of work-from-home arrangements and the increased use of online tools and services, which offer more and new opportunities for these types of attacks.

The question for companies is not whether these attacks will occur and how to avoid them. The real question is, when will they come? Is the organization prepared to detect them, stop them, mitigate the effects and return to normal operations as soon as possible? The key is in prevention.

Lack of preparation for this crisis can have several consequences. According to Kaspersky, the loss that this risk can represent for organizations is around US$700,000 (per incident), considering ransom payments, damage to image and impact on reputation. However, leaders rarely spend the time necessary to address this issue.

In a survey conducted by McKinsey Cyber Solutions, 55 leading companies were asked how much time the Board of Directors spends annually on cybersecurity. Thirty-one percent responded 30 to 60 minutes, 18 percent responded 60 to 120 minutes and 13 percent responded that it is not discussed. An interesting reflection is whether this same group of leaders would discuss revenue projections or growth strategies for just a few minutes a year. Probably not.

How, then, can leaders come to see that this is as central to the strategy of organizations as growth and financial results? There is no one-size-fits-all solution. It requires a series of measures and best practices aligned with the business and operational objectives.

A Cultural Problem: Cybersecurity Goes Far Beyond IT

First, you need to adjust your mindset in relation to the topic. Generally, the response to attacks will not be satisfactory if IT is left to handle it alone. IT plays a key role in resolution, but the consequences go beyond immediate damage: there will be reputational, legal and operational problems.

Cyber-risk is a complex, nonfinancial problem that has the power to erode a company's financial results and reputation. Therefore, integrating cybersecurity measures into daily business processes and key decisions must be a strategic priority that is addressed at the highest level of the organization.

Involve Executives and Advisers in Crisis Prevention and Management

With that said, it is important to keep in mind that the board of directors and executive leadership must have a deep understanding of cybersecurity risks, their potential impact and how others in their position have addressed this issue. Their responsibility is to make sure the executive team has a plan and is preparing the entire organization for an attack, and to stay updated on these issues at least quarterly, with additional awareness and education sessions as needed.

Best practices:

To react adequately to cyber-criminals, or even anticipate them, it will be necessary to know and apply approaches that have been successful in other organizations. Some of these are:

  • Strengthen cybersecurity for key assets: Applying the same cybersecurity controls to all assets represents significant effort and expense. Vital assets must be protected more strongly than less important ones.
  • Involve all employees: Every employee has a role to play in protecting the company through practices such as sharing confidential information through secure channels, such as trusted file-sharing tools. Cybersecurity exercises and other efforts will help raise awareness of the risks that employees can create and how to mitigate them.
  • Use "active defenses": Leading companies use advanced technologies to identify signals that may indicate an imminent attack, such as login attempts and network traffic from unusual locations.

Cybersecurity today is also an essential part of company strategy, affecting data protection, compliance, potential litigation and customer perception of security. As such, it should be part of all business plans and be discussed frequently. There is no time to lose; preventive work, with the participation of leadership and all employees, must start today. We are already late.
