03 May Corporate Responsibility Requires More Attention to Cybersecurity
The consequences of a cyberattack on a business of any size can be rather dire. The question for businesses is not really whether they will be attacked, but rather how and when. Considering that the incidents of known cyberattacks increased 38% from 2014 to 2015, that the cost of an attack to an average American firm is $15.4 million per year, and that the average direct cost of a security breach for a small business is $38,000, it seems it would be a priority of company leadership to manage this risk. However, recent surveys indicate a troubling lack of attention to cybersecurity among business leaders. Two-thirds of CIOs, CISOs and IT directors say senior leaders in their organizations don’t view cybersecurity as a strategic priority. Further, 40% of corporate executives feel they have no responsibility for cybersecurity breaches, 43% of board directors say they don’t get enough information about cybersecurity and IT risk, and 80% of small businesses don’t have a cyberattack response plan. This lack of attention to cyberthreats could be dismissed as bad management or non-strategic if the consequences were localized to the business, but the fallout of a cybersecurity incident has the potential to wreak havoc well beyond the company’s walls.
What Is a Company’s Cyber-Responsibility?
Most business leaders would probably tell you they take corporate responsibility seriously. But, what does that mean for cybersecurity? The definition of “corporate responsibility,” found in the Financial Times, suggests that, “Corporations have a responsibility to those groups and individuals that they can affect, i.e., its stakeholders, and to society at large. Stakeholders are usually defined as customers, suppliers, employees, communities and shareholders or other financiers.” So if a cyberattack can threaten customers (through a data breach), suppliers (hackers often target one business to get to their business partners’ systems), employees (through stolen data or a company’s financial stress), and financiers (if the company loses business and associated revenue); then cybersecurity has to be a component of corporate responsibility. And, from a societal perspective, companies should not only embrace policies and a culture to mitigate risk for their own business interests, but also share information to help other businesses and the government defend against attacks. (See blog post: Better Cybersecurity: Working Together and Sharing Information.)
The Scope of the Problem and Small Firms
The prioritization of cybersecurity among businesses is lacking in both large and small firms. We are sympathetic to the plight of small firms, which have fewer resources to devote to cyberdefenses, but their negligence is particularly troubling because the risk is so high. Consider this:
- The majority of all targeted cyberattacks in 2014 were directed at small businesses.
- A survey by the National Small Business Association revealed that half of small and mid-sized businesses reported being targets of cyberattacks.
- It’s been estimated that some 60 percent of small businesses go out of business within 6 months of a cyberattack.
- 90 to 95% of all hacking begins with a phishing email, and approximately 75% of all spear-phishing scams in June 2015 were targeted at small businesses.
- Moreover, losses from phishing scams increased by 50% from 2012 to 2014.
- According to a survey of firms with less than 50 employees, only 29% know the steps needed to improve cybersecurity, and even fewer have written policies to deal with a data breach.
- A survey of 400 small firms found that 27% have no cybersecurity protocols at all.
Making Cybersecurity a Company Priority
So how does a company, in particular a small or medium-sized business, show appropriate responsibility related to cybersecurity?
Culture: Cybersecurity should be part of the company’s culture, from top to bottom, with shared responsibility and accountability across the organization (not just the IT department). Protection of a business from cyberattack is in the interest of all employees, regardless of their level, and it should be a group endeavor.
Protocols: Companies should have written protocols for securing information, monitoring networks, and responding to potential or real breaches. (See blog post: Implement Best Cybersecurity Practices: Avoid FTC Enforcement.)
Education: Employees are key to security and must be trained to comply with company protocols and understand the tactics of cybercriminals so they can do their part to bolster the company’s defenses. Training should include every employee, at every level.