Idea in Brief
The Challenge
Despite the billions spent on cybersecurity, the damage done by breaches keeps growing—to a large extent because companies don’t recognize or understand their critical cyberrisks.
The Old Approach
Too many firms focus only on technological vulnerabilities. Responsibility for cybersecurity then defaults to IT specialists, yielding an ill-prioritized list of possible attacks. Tech jargon dominates discussions of risk, and senior leaders and boards can’t participate meaningfully in them.
A Better Way
A more fruitful approach is to identify your critical business activities, the risks to them, the systems supporting them, those systems’ vulnerabilities, and potential attackers. Leaders and staff throughout the firm can participate in this process, and overall responsibility for cybersecurity shifts to senior executives and boards.
Over the past decade the costs and consequences of cyberbreaches have grown alarmingly. The total financial and economic losses from the 2017 WannaCry attack, for instance, were estimated to reach $8 billion. In 2018 Marriott discovered that a breach of its Starwood subsidiary’s reservation system had potentially exposed the personal and credit-card information of 500 million guests. Hackers seem to keep getting more effective. But in our experience as consultants to clients across the globe, we’ve found another reason that companies are so susceptible to threats from hacking: They don’t know or understand their critical cyberrisks, because they’re too focused on their technological vulnerabilities.