Despite all the warnings, cybercrime has long been seen as a pure IT issue rather than a business risk. It took the effects of the NotPetya attack in 2017 to change this view, as several large companies reported high losses. According to reports, the attack cost transport giants Maersk and FedEx, advertising company WPP and household goods company Reckitt Benckiser several hundred million euros – making NotPetya the most expensive cyberattack in history to date.
Obstacle on the way to “Industry 4.0”
Almost overnight, a hypothetical problem turned into a recognized business risk. This realization, coupled with an increased awareness of data protection issues, is leading to a reassessment of cybersecurity management and responsibilities for this task – with top corporate management levels needing to address this challenge. Only by taking an integrated approach to business strategy and cybersecurity strategy can management identify risks at an early stage and make available the necessary resources to ensure rapid, innovative and secure growth of the company.
Cybersecurity risks are now counted among the issues raised by digital transformation and the early stages of data- and automation-driven “Industry 4.0”. It is obvious that a lack of IT security is an immense obstacle to successful participation in Industry 4.0 – as can be measured in actual financial losses. So it is not surprising that addressing cybersecurity is now at the top of the to-do list at many management levels. The way in which this issue is integrated into the decision-making process of a company’s management provides insight into the company’s maturity level in dealing with cyberrisks.
Cybersecurity in businesses: a competitive advantage
The frequency of serious attacks makes cybersecurity a factor that exerts enormous pressure even on established, successful and experienced companies. Pursuing an innovative cybersecurity culture enables enterprises not only to protect themselves more effectively, but also to act faster and more flexibly than their competitors. To be successful, companies need to be able to manage change and even use it to their advantage.
A must: the CISO
Companies with an established, strong cybersecurity function usually cannot do without a Chief Information Security Officer (CISO), who is a member of the executive management and reports to the risk management unit. The CISO plays a key role when it comes to linking business objectives with protection against increasingly complex and unpredictable cybersecurity risks. The CISO has both the technical expertise and the management skills needed to address potential cyberproblems.
The onus is on management
The view that CEOs and executives should be held personally responsible for cyberattacks is not a new phenomenon. Just think of the consequences of the attacks on US retail chain Target in 2013 and on Sony the following year. After the attack on Equifax in 2017, voices calling for managers to be held personally responsible seem to have grown louder again. This is a sign of a changing culture of accountability: senior management now has to explain problems that may have occurred several levels below its position. Executive management increasingly needs to demonstrate that it has made the investments and created the decision-making structures that enable professionals in the various departments to manage data in a way that mitigates risk, and to develop appropriate response systems in the event of data breaches or attacks.