Cyber threats have climbed to third place among the risks considered most likely by business leaders, according to the Global Risks Report published by the World Economic Forum in Davos in 2018. In 2019, the Forum recognised cybercrime as a major risk. Though executive committees are becoming more aware of what cyberattacks represent for their companies, they are struggling to develop a real cyber strategy that is effective and agile. With the next crisis after this pandemic likely to take place in cyberspace, it is more essential than ever for business leaders to see cyber as a strategic lever that will ensure growth and a long-term future for their companies.
This is the dynamic yet delicate context in which we support businesses in the design of new cyber strategies, providing senior executives with tools that enable them to better assess how far their organisations are exposed to risks and how well they can respond to an incident, and helping them find new levers to improve performance.
Cybersecurity must be an integral part of a company’s strategy. Its importance has become crucial due to the multidimensional impact a cyberattack can have. Many examples illustrate the hackers’ firepower. After Saint-Gobain, which saw its turnover collapse by over €200 million following the NotPetya attack, and Equifax, which lost its customers’ personal data and consequently 35% of its market value in a few days, Altran fell victim to a ransomware attack in 2019 that cost it an estimated €20 million. The high-end lingerie group Lise Charmel is in receivership after a fearsome cyberattack. SMEs, particularly fragile and exposed, represent choice prey for cybercriminals: Clermont Pièces, a specialist in parts for white goods based in Clermont-Ferrand (Puy-de-Dôme), was forced to close after being targeted by a cyberattack in 2017. Strategic European companies such as Elexon, a British intermediary between electricity generators and energy users, have also been affected. In the age of 24-hour news, a company’s image can be tarnished quickly and completely. “It takes 20 years to build a reputation and less than five minutes to ruin it. Let’s think about that and you’ll see your business differently,” Warren Buffett reminds us.
It’s not just about computer systems being blocked – a company’s entire activity can be brought to a standstill, leading to heavy financial losses and damage to the company’s image and reputation. In an era of total transparency and constant justification, companies are equally obliged to respond to financial and societal pressure and to obey stricter regulatory requirements, such as those of the GDPR and the European Network and Information Security (NIS) directive, to name but two. They must also protect intangible assets such as their data, using effective, relevant cybersecurity tools: risk analysis, encryption, strong authentication etc. To make this possible, senior executives are responsible for understanding the nature and value of what they must protect, knowing the types of risks and threats their company faces – because every company is unique – and finally putting in place an effective cyber protection strategy with the support of the whole staff.
Executive committee members are overloaded with information. They need to take decisions and issue judgements quickly and accurately under the greatest of pressure. This means we must supply vital tools and easy-to-understand indicators to CIOs, who can then use this key information to draw their colleagues’ attention to the evaluation of their risks, their assets and thus their need to become cyber-resilient.
A dynamic mapping of cyber risks is an inescapable element in defining the protective actions to be deployed immediately, together with the adaptations to be put in place as the risks and your situation evolve. “The current crisis has redesigned our models of how companies work. This means that all the risk analyses, especially cyber, need to be revised, because many companies have introduced working from home, opening up their systems without the necessary preparation. This has led to weaknesses that cybercriminals will not hesitate to exploit,” explains Thierry Delville, Cyber Intelligence Partner at PwC.
Companies have entered a new digital dynamic, accelerated by the health crisis. This is an opportunity for us all to build a resilient digital future. Companies need to take this change of mindset on board. The current situation shows us we can do it. To ensure their resilience, companies must develop a solid methodology based on a global risk analysis. With proven skills in developing these frameworks, we want to act as a facilitator for companies wishing to develop their capacity for cyber resilience. This holistic approach will give decision-makers the information they need to make enlightened decisions on the basis of simple, intuitive, clear indicators, promoting investment choices and resource allocation. Cyber must be seen as an investment rather than a cost. “Putting cybersecurity tools in place can prevent heavy financial losses, data theft etc., which affect a company’s image and reputation in the eyes of customers, investors… Cyber-resilience is thus a valuable, exploitable tool in the service of trust. This is another point that we emphasise in M&A (mergers and acquisitions) transactions, and which will certainly be seen in future transactions following the Covid-19 crisis,” adds Thierry Delville.
But companies are entering a period that will mean economic crisis for some and economic uncertainty for others. After decades of almost continuous growth, the world is likely to experience a historic recession in 2020 and the worst economic slump since 1929… In this context, there is every chance that cyber investments will fall and that budget cuts will have an impact on the sector, or that many projects will be slowed down at the very least. Yet it is vital to keep in mind the strategic dimension of digital security for business, which could otherwise become an equivalent of the much-feared Covid second wave!
“To govern is to foresee,” wrote Émile de Girardin, a French journalist and politician. Cyber risk is universal and can affect all the functions of a company. The role of the executive committee is to anticipate risk in order to eliminate it or, failing that, continue to operate in failsafe mode if a crisis occurs. The CIO thus needs the executive committee to listen, as well as the administration and finance department, which has the resources needed to develop the company’s cybersecurity. With a high level of data intelligence, the finance department can now carry out a variety of simulations using predictive analysis. This is why we recommend establishing a direct line between the C-suite and the IT department. This is the optimum structure for all companies that make digital a strategic priority. What remains are the corporate culture and staff awareness – all employees must be trained, informed and drilled in cyber risk. Everyone has a key role to play.
It may be useful at this point to remember that “To live, you need to maintain all your vital functions; to die, only one needs to be destroyed!”, as pointed out by Bruno Luirard, founding partner and chairman of La Voix des Hommes.
Losses due to cybercrime are set to reach $6,000 billion a year by 2021. Business leaders clearly need to see cyber as a strategic pillar for their company to protect it against threats, but also to consider and manage its growth and its long-term future by promoting this dimension in the eyes of its partners, employees, customers and investors, who are keen to ensure the companies they place their trust in are responsible.