When global leaders met recently for the World Economic Forum’s annual summit in Davos, Switzerland, there was much talk regarding the threats to globalization from political changes in Western countries.
But another kind of change that’s often closer to home is threats to our everyday lives and businesses from cyber-attacks, a hot topic in last year’s U.S. presidential election. Experts aired their concerns at the summit, and based on my observations, here’s what came up most often:
Worries about increased hacking of political systems as well as enterprises and organizations.
Issues of privacy, bullying and trolling as well as the need for a global internet charter.
Agreement that the Fourth Industrial Revolution, the theme of Davos 2016, is disrupting everything from computing to medicine to manufacturing at a speed that was inconceivable until a few years back.
Huge opportunities for businesses today in which Internet of Things (IoT) and internet services have created a hyper-connected world that will have a huge impact on every aspect of our lives. This will be a boon for productivity, but it will come with a big price if we can’t build effective cybersecurity.
Cyber-security is at the top of the list of business risks and not just for the financial sector, participants said. New technology is making things a lot easier for hackers – witness the recent weaponization of webcams and other IoT devices used to bring down portions of the internet.
Meanwhile, the economics of cyber-attacks are skewing favorably to attackers. Exploit kits and other tools are easily acquired and can be reused against multiple targets while the likelihood of detection and punishment is low. All this means governments and businesses have to be more nimble than ever in dealing with threats.
When it comes to cyber-security, the Davos 2017 theme of “responsive and responsible leadership” doesn’t go far enough, because if you have to respond to a threat, by definition it has already become a problem for your organization. In a cyber context, we should be managing – and preventing – threats before they can do damage. Industry insiders made the following three points in relation to the theme of the summit.
1. Be proactive, prevent threats and prepare yourself. It’s worth pointing out that the majority of cyber-attacks can be prevented. Individuals and organizations have to do what they can to manage risk. It’s important to implement a comprehensive strategy for threat reduction that covers people, process and technology. This means everything from practicing good online and digital hygiene, to updating operating system software and outdated antivirus programs, to ensuring that security is part of the design of hardware such as IoT devices.
Organizations also need to consider proactively finding weaknesses in their systems by hiring experts – including hackers. From bug bounty programs, penetration testing and phishing exercises, it’s critical to understand areas that are vulnerable to attack both on a technical and human level.
2. Educate your people. With cyber-attacks, people remain one of the weakest links. More than 70% of breaches exploit non-technical vulnerabilities – for example, attacks that trick users into revealing legitimate credentials. We need to insist on relentless education to change user behavior.
Defending against cyber-crime is a new challenge for many boards, Davos attendees said. However, ultimate responsibility rests on the shoulders of boards and senior executives. Thus, boards must devote considerable effort to increase their knowledge and learn to ask the right questions.
Boards must understand, assess, and quantify cyber risks that their organization faces today or in the future. Boards need to know how technology changes cyber risk exposure.
To help leaders get a handle on this, the World Economic Forum published a document during Davos entitled “Advancing Cyber Resilience: Principles and Tools for Boards,” put together by a working group including many stakeholders (and yours truly). It’s worth a read for any cyber-security preparations.
3. Promote cyber resilience While prevention is what we strive for, as working group member Walter Bohmayr of Boston Consulting Group pointed out at Davos 2017, “In today’s world, an organization has to accept that it will be breached. That’s unfortunately the new normal.”
We live in an environment where cyber breaches are inevitable so cyber resilience is the only way forward. Cyber resilience in an organization must extend beyond the technical IT domain to the domains of human resources, corporate culture, and business processes.
Cyber leadership means not only protecting businesses and customers but also helping to improve the resilience of the overall ecosystem we operate in, including subsidiaries, subcontractors, vendors, lawyers, accountants, etc. Implementing resilience effectively can enhance business reputation and brand image. Resilience can also be a competitive advantage, a factor for valuation in M&A situations, and a key enabler of flexible, interconnected value chains. Furthermore, resilience will determine the speed at which organizations can benefit from technology innovation.
As some summit participants pointed out, better information sharing is critical. Unfortunately, many companies are hesitant about sharing due to legal restrictions. They need a safe harbor where they can share cyber threat information without worrying about possible civil and criminal liability after disclosing sensitive personal or business information.
There were a few other important points that were raised at Davos. Participants pointed out that the loss of revenue, the cost of retrieving lost data, getting back online, the loss of reputation, and legal consequences due to breaches are becoming increasingly complex every day. However, the security of interconnected devices and systems communicating and operating autonomously over networks is increasing significantly faster.
It’s time for corporate directors, government entities and industry groups to band together in a multistakeholder dialogue to collectively fight the ever-growing threat of cyber breaches. The threats posed by hackers, weaponized IoT devices and other forms of cyber-attack are not science fiction – they’re happening now. We need to come together, share our experiences and best practices and ensure the internet remains the incredibly transformative resource that it is today.