There was a time when companies sought to avoid a security breach because of the impact it would have on their reputation. Executives often would rely on the security organization to keep the firm “off the front page.” However, as attack vectors have evolved, corporations are now recognizing that the financial impact of cyber breaches is not just the potential lost revenue from reputational damage, but also lower share prices and market valuations.
It is critical that executives embrace the importance of cybersecurity and treat it as a business issue and not delegate responsibility for safeguarding information to technologists. Business leaders need to understand the threats faced in cyberspace and recognize that it is no longer a matter of whether a corporation will experience a cyber-attack, but when one will occur.
This year’s cyber breaches impacting hundreds of millions of people in the United States are another reminder of the growing need to ensure that cybersecurity is “baked in” to everything we do in today’s digital environment.
As attacks evolve, so do impacts
Cybersecurity is now a board-level issue, with senior executives being held accountable for protecting corporate and customer data and information assets. And, similar to the requirements under Sarbanes-Oxley for a CEO to attest to internal controls over financial reporting, we are on the brink of seeing requirements for attesting to the effectiveness of cybersecurity controls and processes.
In The Cyber-Value Connection, CGI’s UK team working with Oxford Economics found that a typical severe cybersecurity breach represents a permanent cost of 1.8% of company value.¹ The study found that following an attack, a company’s share price fell by 7 percentage points, compared to the average share price movement in the sector. The situation then worsened when it was announced that the breach had led to legal proceedings against the firm. This saw the share value fall 1% further.
What executives can do
Security awareness efforts need to be conducted on an ongoing basis to keep cybersecurity top of mind and make employees aware of what is required to protect data and information assets. Another study by CGI in the UK notes that boards are in fact taking cybersecurity more seriously, with planned increases in scrutiny, investment and external advice.²
Recent incidents also highlight the fact that the cyber-attack surface is changing, and that perimeter defenses are no longer adequate. Today, the application development process needs to “bake in” a security assessment to ensure there are no vulnerabilities that can be exploited.
A key action companies can take is to develop a strong cyber governance structure. I invite you to read a previous blog about this as a key characteristic as digital organizations shift to a cyber-aware culture.
¹ The model was used to analyze publicly listed companies that experienced a cyber breach. Value was measured relative to a control group of peer companies.
² https://www.cgi.com/uk/en-gb/white-paper/cyber-security-boardroom-research-paper