Around the world, governments have designated this October as “cybersecurity awareness” month, seeking to increase national resilience by raising national consciousness. This effort comes on the heels of a number of government initiatives that aim to strengthen cyber resilience of critical infrastructures, such as the U.S. Presidential Executive Order or the European Commission’s Network and Information Security Directive. But should businesses care about this nebulous and seemingly all-encompassing issue beyond legislative compliance? And, if so, what should they do about it?
The answer is an unequivocal yes. No matter what their size, sector, or location, most companies rely on the Internet, which facilitates $10 trillion in online transactions every year and delivers an estimated 20 percent of revenue. The world has never before been so vastly interconnected. And while this has enabled new business models and processes, it has also exposed us to the risk of cyber-attack by criminals, competitors, and other malicious actors on an unprecedented scale.
While cyber-attack figures vary—in part because businesses often fail to report attacks in an effort to limit reputational damage, which can result from newspaper headlines waxing lyrical about a company’s inability to protect its vital assets—they are staggering. A recent Ponemon Institute survey found that 50 percent of CEOs say their companies experience an attempted attack daily or hourly. UK government figures show that 93 percent of large corporations and 76 percent of small businesses reported a cybersecurity breach in the past year. Increasingly, the question is no longer if a company will suffer an attack but when.
The costs of attacks are even more difficult to estimate. The UK government estimates that each attack could cost a large company up to $400,000, a figure that considers neither the aforementioned reputational damage nor the potential long-term impact of particular losses. Attackers could be interested in a number of different assets that a business seeks to protect, including: financial data; customer or employee personal information; company strategies; and, as demonstrated dramatically in 2009, bid information. In one of the most widely reported cyber-attacks on a publicly traded company, Chinese hackers in 2009 allegedly breached Coca-Cola’s IT systems during a failed $2.4 billion takeover attempt of the China Huiyuan Juice Group. That deal would have been the largest foreign acquisition of a Chinese company—but it never went through.
No wonder governments are taking notice. But businesses, big and small, should sit up and pay heed as well. With such high stakes, most would agree that information security deserves full attention at the highest levels of any company. Unfortunately, however, cybersecurity often only becomes an issue after an attack occurs. Even then, business leaders and CIOs are frequently unsure about what to do, as managing not only their assets and systems but also the people who deal with those systems is complex.
At Microsoft, we believe that a thoughtful, risk-based approach is critical to protecting an organization—whether it’s small or large, private or public. To this end, we have developed a set of foundational principles that guide our thinking and that we believe can also be effective for other groups going forward:
- Risk-based. Assess risk through the prism of threat, vulnerability, and consequence, and then manage risk through mitigations, controls, and similar measures.
- Outcome-focused. Focus on the desired end state rather than prescribing the means to achieve it, and measure progress towards that end state.
- Prioritized. Adopt a graduated approach to criticality, recognizing that disruption or failure are not equal among critical assets or across critical sectors.
- Practicable. Optimize for adoption by the largest possible group of critical assets and implementation across the broadest range of critical sectors.
- Respectful of privacy and civil liberties. Include protections for privacy and civil liberties.