Cyberattacks – malicious, criminal acts conducted over the internet – are becoming more prevalent than ever. It’s no wonder then, that a recent study finds 62% of boards of directors identify cybersecurity and IT risk as their primary concern, second only behind reputational risk.
Cyberattacks on the Rise Yet Companies Still Unprepared
You don’t have to look very far to find recent examples of massive cyberattacks. Take the 38 million customer accounts breached in the October 2013 attack on Adobe Systems, Inc. Or the 4.6 million names and phone numbers taken in the January 2014 attack on the mobile messaging service Snapchat. Or the frenzy – and public relations nightmare – created when data from 40 million Target holiday shoppers made its way into the hands of hackers last December.
Cyberattacks are not only becoming more frequent, but also increasingly costly for the companies that are attacked. One 2013 study places the average cost to U.S. companies at $11.6 million per year. That’s a 78% increase since 2009.
But most companies are generally still unprepared for the accelerating cyberthreat.
FCC Recommendation for Cybersecurity – Is it Enough?
At a June meeting of the American Enterprise Institute, FCC Chairman Tom Wheeler discussed his agency’s role in addressing network security in the internet age. Tom suggests the communications industry must create a new paradigm for cyber readiness. Furthermore, he asserts, cyberreadiness must begin with businesses first understanding how easily cyberthreats can cross corporate and national boundaries, and then addressing the threats through assessments and plans to mitigate risk.
However, these recommendations fall short.
The Real Cybersecurity Challenge
The real challenge lies in figuring out how to create the corporate behavior changes required to protect our critical infrastructure. Even in his remarks, Tom acknowledges “solving the technological challenges of cybersecurity is, for all its difficulties, the easy part. The hard part is changing behavior.”
Today’s corporations were designed for performance. Flawless execution – not disruption and innovation – is the goal around which traditional business models and management tools are built. These “tried and true” processes actually threaten companies’ ability to be agile enough to adapt to a rapidly-changing, increasingly-uncertain, and progressively more-interconnected environment in which new risks – ones we can’t even yet imagine – are popping up everywhere we turn.
The New Cybersecurity Paradigm
To truly address change behaviors, cybersecurity’s new paradigm should include several key components:
1. There must be a common lexicon. Each of today’s industries -- and even countries –has its own vocabulary. An exchange of insights of ideas requires a means of overcoming the communication barriers that likely exist between participants as well as the technology platforms they utilize. A lexicon provides the means, but its creation requires negotiation among multiple and often conflicting points of view to create an equitable solution. Without a translator to enable all parties to speak the same language, forging a shared commitment to an environment capable of adapting to future cyberrisks will be nearly impossible.
2. Industry must get involved. The government – the FCC and other agencies – can regulate to some degree, but every business must do its part; businesses must work together, across their industries, and bridge across industries. Like a kindergarten classroom where one child who breaks the hand washing rule exposes all the other children to germs, today’s highly interconnected world means businesses must be vigilant in keeping their own systems secure.
3. When anticipating threats, businesses must look perpendicularly – or even orthogonally – to get a new angle on the future. The risks that lie directly ahead are the easy ones to see and avoid. It’s the ones that come from unexpected places that can do the most damage. Consider the various layers of exposure – for example: societal, economic, technological, regulatory, political, moral, etc. – and how they may interact with or oppose one another to create alternate futures.
Changing Behaviors to Enhance Cybersecurity
In summary, cybersecurity in our hyperconnected society is not only about reinforcing technological safeguards and barriers; it is also aboutopening and maintaining a dialogue amongst industry leaders. As Tom Wheeler said, technology is the easy part. It’s the 80/20 rule at play –human nature compels us to take easy road and dedicate 80% of our energy to 20% of the problem – in this case, technology.
The real challenge is for companies to reallocate their energy and devote 80% effort to the difficult problems. This means asking the “what ifs” and turning leaders’ heads sideways to envision alternate futures; it means committing to tackle the tough questions and changing corporate behavior so the organization can be agile enough to adapt to whatever comes its way.