Cyberattacks – malicious, criminal acts conducted over the internet – are becoming more prevalent than ever. It’s no wonder then, that a recent study finds 62% of boards of directors identify cybersecurity and IT risk as their primary concern, second only behind reputational risk.
You don’t have to look very far to find recent examples of massive cyberattacks. Take the 38 million customer accounts breached in the October 2013 attack on Adobe Systems, Inc. Or the 4.6 million names and phone numbers taken in the January 2014 attack on the mobile messaging service Snapchat. Or the frenzy – and public relations nightmare – created when data from 40 million Target holiday shoppers made its way into the hands of hackers last December.
Cyberattacks are not only becoming more frequent, but also increasingly costly for the companies that are attacked. One 2013 study places the average cost to U.S. companies at $11.6 million per year. That’s a 78% increase since 2009.
But most companies are generally still unprepared for the accelerating cyberthreat.
At a June meeting of the American Enterprise Institute, FCC Chairman Tom Wheeler discussed his agency’s role in addressing network security in the internet age. Tom suggests the communications industry must create a new paradigm for cyber readiness. Furthermore, he asserts, cyberreadiness must begin with businesses first understanding how easily cyberthreats can cross corporate and national boundaries, and then addressing the threats through assessments and plans to mitigate risk.
However, these recommendations fall short.
The real challenge lies in figuring out how to create the corporate behavior changes required to protect our critical infrastructure. Even in his remarks, Tom acknowledges “solving the technological challenges of cybersecurity is, for all its difficulties, the easy part. The hard part is changing behavior.”
Today’s corporations were designed for performance. Flawless execution – not disruption and innovation – is the goal around which traditional business models and management tools are built. These “tried and true” processes actually threaten companies’ ability to be agile enough to adapt to a rapidly-changing, increasingly-uncertain, and progressively more-interconnected environment in which new risks – ones we can’t even yet imagine – are popping up everywhere we turn.
To truly address change behaviors, cybersecurity’s new paradigm should include several key components:
1. There must be a common lexicon. Each of today’s industries -- and even countries –has its own vocabulary. An exchange of insights of ideas requires a means of overcoming the communication barriers that likely exist between participants as well as the technology platforms they utilize. A lexicon provides the means, but its creation requires negotiation among multiple and often conflicting points of view to create an equitable solution. Without a translator to enable all parties to speak the same language, forging a shared commitment to an environment capable of adapting to future cyberrisks will be nearly impossible.
2. Industry must get involved. The government – the FCC and other agencies – can regulate to some degree, but every business must do its part; businesses must work together, across their industries, and bridge across industries. Like a kindergarten classroom where one child who breaks the hand washing rule exposes all the other children to germs, today’s highly interconnected world means businesses must be vigilant in keeping their own systems secure.
3. When anticipating threats, businesses must look perpendicularly – or even orthogonally – to get a new angle on the future. The risks that lie directly ahead are the easy ones to see and avoid. It’s the ones that come from unexpected places that can do the most damage. Consider the various layers of exposure – for example: societal, economic, technological, regulatory, political, moral, etc. – and how they may interact with or oppose one another to create alternate futures.
In summary, cybersecurity in our hyperconnected society is not only about reinforcing technological safeguards and barriers; it is also about opening and maintaining a dialogue amongst industry leaders. As Tom Wheeler said, technology is the easy part. It’s the 80/20 rule at play –human nature compels us to take easy road and dedicate 80% of our energy to 20% of the problem – in this case, technology.
The real challenge is for companies to reallocate their energy and devote 80% effort to the difficult problems. This means asking the “what ifs” and turning leaders’ heads sideways to envision alternate futures; it means committing to tackle the tough questions and changing corporate behavior so the organization can be agile enough to adapt to whatever comes its way.
As Chairman of the Board for Toffler Associates, Deborah brings skills and insights honed over 30 years working with some of the top minds and leaders of governments and Fortune 100 companies. Deborah has an MBA from Webster University and a BS in Electrical Engineering from the University of New Mexico, and has completed extensive continuing education with Harvard Business School and Wharton Business School. She is also a member of the National Academies of Science, Engineering and Medicine.
Toffler Associates is a future-focused strategic advisory firm. Our Future Proof® business consulting approach helps global leaders understand how future shifts impact current decisions so they can take advantage of opportunity, manage risk, and create future value.
4301 Wilson Blvd, Suite 410 Arlington, VA 22203
We are ready to ask and address your toughest questions.+1 703-674-5480
Our perspective will challenge you to think differently.SUBSCRIBE TO OUR BLOG