Cybersecurity -- Your New Business Priority

September 2015
    To cultivate innovation and accelerate growth in today’s interconnected marketplace, businesses are embracing new technology that demands on-site, mobile, and cloud-based data connectivity. While the use of such technology boosts efficiency and speeds up the rate of innovation, it inevitably puts companies at risk of suffering significant financial harm at the hands of cyber criminals. In the past, the usual suspect in the wake of a data breach was a malicious insider, a lost or stolen laptop or other mobile device, or an employee’s mistake. But in today’s world, it is becoming more common for cyberattacks to originate from external actors whose sophisticated methods too often succeed in defrauding businesses of their competitive advantage. With headlines chock-full of stories on hackers breaching the defenses of high-profile companies like Apple, Sony, JPMorgan Chase, or Home Depot, it is not surprising that “cybersecurity” has necessarily become a top priority for business leaders working to manage risks, protect proprietary information, and promote innovation. But most experts agree that businesses need to be doing more to protect themselves from this growing threat.

    The reality is, business leaders can no longer rely exclusively on their I.T. professionals to keep their networks, trade secrets, and e-mail communications safe from attack. Cybersecurity must become a top priority for board members and executives of companies big and small. Large companies are heeding this warning and increasing their investments in cybersecurity, but small-midsize companies are operating under the mistaken belief that their smaller size makes them a less likely target. What is clear is that cybercriminals are driven by the value of a company’s data and the ease with which they are able to access it, not always by a company’s size or scope of operations. According to a 2014 Global Economic Crime Survey by PwC, almost two-thirds of all data breaches in 2013 were suffered by small and midsize businesses. It makes sense that small-midsize firms are often more attractive targets because they typically allocate less time and money to cybersecurity, even though their proprietary data can be just as valuable. This is especially true for small businesses acting as contractors, vendors, and business partners with larger companies, particularly when they are trusted with access to the networks and confidential information of their larger partners.

    Despite their obvious attractiveness to hackers, smaller firms are reluctant to address this vulnerability. In fact, companies with annual revenues of less than $100 million actually cut their cybersecurity spending last year by 20%. Most business leaders are familiar with the risks associated with relying on a lackluster (or non-existent) cybersecurity program, but too many firms fail to take action until it’s too late. 

What are the stakes?

    The costs of a cyberattack keeping business leaders (and their legal counsel) awake at night include reputation damage, intellectual property loss, legal liability, and losing the confidence of shareholders/investors. These fears are not unfounded, as recent studies estimate the cost of cyberattacks on the global economy to be between $375 billion and $575 billion per year. In one year alone (2013), almost 10% of U.S. organizations suffered losses of $1 million or more as a result of a cyberattack, while 20% reported financial losses between $50,000 and $1 million due to lapses in cybersecurity. According to one 2015 data breach cost study, the average cost of a data breach to a U.S. organization is $6.5 million, or $217 per lost or stolen record. This cost can include forensic IT expenses, regulatory fines and legal penalties, credit monitoring and identity restoration costs, and other unavoidable crisis management expenditures. For example, in California (and 46 other states), the law requires companies to notify all individuals affected by a security breach, which forces businesses to incur substantial and unexpected costs to comply with the notification laws of multiple states. In the wake of such an attack, many smaller firms are left with no choice but to either endure a long road of economic and reputational damage control, or to shut down the business entirely. Astonishingly, one study cited by Congress found that more than half of small businesses are forced to close within 6 months after suffering a cyberattack. Clearly, small-midsized businesses are in need of cost-effective solutions to bolster their cybersecurity protection.

    Cybercrime slows the rate of innovation by reducing the rate of return to innovators and investors, and unfortunately, experts agree that the number of successful cyberattacks is expected to increase exponentially. It is no surprise that cybersecurity is considered the most serious economic and national security challenge facing the United States. Business leaders have a duty to understand and address this rapidly evolving threat, and should implement specific governance reforms and updated risk-management procedures beyond their traditional compliance measures.