Friday, February 13, 2015

5 economic principles of cyber security

In the past 20 years, the nature of corporate asset value has changed significantly. Eighty per cent of the value of Fortune 500 companies now consists of intellectual property (IP) and other intangibles. With this rapidly expanding “digitization” of assets comes a corresponding digitization of corporate risk. As a result, cybersecurity now tops the list of issues corporate boards must
Recent research shows that corporations worldwide are losing hundreds of billions of dollars annually from the loss of IP, trading algorithms, destroyed or altered financial and consumer data, diminished reputations, as well as risking increased regulatory and legal exposure. And the situation is getting much
Cybersystems, which were designed without security in mind, are becoming even more insecure with the explosion of mobile devices and the networked connection of almost every physical asset from security cameras to refrigerators – the “Internet of Things”. In addition, the attack community is vastly improving its techniques. The sort of sophisticated cyberattacks we saw only between nations a few years ago are now being practised by common criminals. Or, as in the case of Sony, attacks are being launched by nation states against commercial entities for political or economic purposes.
Finally, the economics of cybersecurity favours the attackers. Cyberattacks are relatively cheap and easy to access. The attackers’ business plans are expansive, with extremely generous profit margins. Meanwhile, defence tends to be a generation behind the attackers, it is hard to show return on investment for attacks that are prevented, and law enforcement is almost non-existent – we successfully prosecute less than 2% of
This little-understood imbalance of economic incentives is exacerbated by the fact that many of the technologies and business practices that have recently driven corporate growth, innovation and profitability also undermine cybersecurity. Technologies such as VoIP or cloud computing bring tremendous cost efficiencies, but dramatically complicate security. Efficient, even necessary, business practices such as the use of long supply chains and BYOD (bring your own device) are also economically attractive but extremely problematic from a security perspective.
Corporate boards are faced with the conundrum of needing to use technology to grow and maintain their enterprises without risking the corporate crown jewels or hard-won public faith in the
The National Association of Corporate Directors’ Cyber Security Handbook identified five core principles for corporate boards to enhance their cyber-risk management.
1. Understand that cybersecurity is an enterprise-wide risk management issue. Thinking of cybersecurity as an IT issue to be addressed simply with technical solutions is an inherently flawed strategy. The single biggest vulnerability in cybersystems is people – insiders. Cybersecurity costs are managed most efficiently when integrated into core business decisions such as product launches, M&A and marketing strategies. Moreover, in an integrated world, organizations must take into account the risk created by their vendors, suppliers and customers, as their weaknesses can be exploited to the detriment of the home system.
2. Directors need to understand the legal implications of cyber-risk. The legal situation with respect to cybersecurity is unsettled and quickly evolving. There is no one standard that applies, especially for organizations that do business in multiple jurisdictions. It is critical that organizations systematically track the evolving laws and regulations in their markets.
3. Boards need adequate access to cybersecurity expertise. Although cybersecurity issues are becoming as central to business decisions as legal and financial considerations, most boards lack the needed expertise to evaluate cyber-risk. Many boards are now recruiting cyber professionals for board seats to assist in analysing and judging staff reports. At a minimum, boards should regularly make adequate time for cybersecurity at board meetings as part of the audit or similar committee
4. Directors need to set an expectation that management have an enterprise-wide cyber-risk management framework in place. At a base level, each organization ought to have an enterprise-wide cyber-risk team led by a senior official with cross-departmental authority that meets regularly, has a separate budget, creates an organization-wide plan and exercises it.
5. Based on the plan, management needs to have a method to assess the damage of a cyber-event. They need to identify which risks can be avoided, mitigated, accepted or transferred through
