2016 was terrible for corporate victims of cyberattacks, with many large companies making headlines over reports of major breaches. According to the U.S. Department of Justice, ransomware attacks quadrupled to 4,000 per day from 2015 to 2016.
Despite the evidence, most companies greatly understate the risk of a cyber incident, according to EY’s 19th Global Information Security Survey 2016-17. Of the 1,735 global executives, information security managers and IT leaders surveyed, only one in five (22%) fully consider information security in their strategy and planning.
This complacency makes little sense given the sharp uptick in both the variety and the sophistication of hacking methods. The average annual cost of cyberattacks to companies worldwide is pegged at more than $9.5 million by the Ponemon Institute. Aside from the financial losses, boards of directors should also deeply consider the reputational damage that comes from such attacks.
“If companies are not identifying, understanding and evaluating the impact of cyberattacks, the nature of the risk will remain unknown and understated, limiting the ability to respond in a timely manner,” said Vickie Papapetrou, director at EY’s EMEIA Cybersecurity Centre of Excellence.
Being unaware is no excuse for undervaluing the risk of a cyber breach.
But according to EY’s survey, almost one-third of respondents (32%) said a lack of executive awareness and support challenged the effectiveness of their cybersecurity planning and preparedness.
Among the other findings of the survey:
- Only 38% of respondents said their boards have enough information to evaluate cyber risks.
- Nine in 10 businesses (89%) fail to evaluate the financial impact of every data breach.
- Of the companies that had a cyber incident during the previous year, nearly half of respondents (49%) had no idea what financial damage it caused.
This leaves organizations deeply vulnerable at a time when the attack surface is expanding. Nation-states, hacktivists, criminal organizations and malicious insiders are the major perpetrators of most cyberattacks and crimes. Primary methods include malware, phishing and social engineering, web-based attacks, malicious code, botnets and stolen devices, according to Papapetrou.
“Ten years ago, a hacker was someone sitting in a basement having fun, but now nation-states and criminal organizations are recruiting and training smart people from universities, paying them large sums of money to join them in their malicious activities,” she said.
Not If But When
Rather than understate the risk of a cyberattack, businesses must “accept the reality” that they will be breached, Papapetrou said. To plan for this inevitability, companies must identify their most important information and where this data resides. They must then monitor access to this data across networks, systems and endpoint devices. Other security tips include the use of threat detection and tracking software, appropriate access levels and login criteria, and keeping backup copies of files so that operations can continue in the event of a ransomware attack.
Continual and broad-based cyberthreat assessments have become a necessity. “The risks are not just within the walls of the organization anymore,” Papapetrou said. “Interdependencies with other businesses and third parties exist across the cyber ecosystem.”
No longer can organizations understate their risk of cyberattacks. Denial — the widespread thinking that bad things happen only to other companies — merely postpones the inevitable. But fully accepting the repercussions of a cyberattack is a great motivator for businesses to take action before it’s too late.
First Published at Forbes