One of the most common questions I’m asked as a CEO is what keeps me up at night. In my role, that covers a lot of internal and external risk factors, but the one issue that always leaves me sleepless is the threat of cyber-attack. I know that many of my counterparts in financial services and across industries feel the same way.
How could you not when cyber espionage, hacking and denial of service attacks have become increasingly common and the theft of intellectual property or confidential customer information can cause significant reputational damage and send your stock into freefall? A recent study by McAfee tried to put size and dimension around the problem, finding that cybercrime is responsible for $300 billion to $1 trillion in annual economic losses worldwide – or as much as 1.4% of global GDP.
Whether it’s the U.S. Presidential election, the front page of major newspapers or in corporate boardrooms of all sizes, cyber security is an ever-present topic these days. It remains one of the top concerns cited in our annual Systemic Risk Barometer, which measures risk trends impacting the financial industry. The spate of high-profile attacks, along with greater recognition that everyone is potentially vulnerable, has spurred businesses to take action to better defend against this threat.
Over most of the past decade, we’ve seen a running battle of measures and countermeasures as corporations dedicate greater resources to fend off attackers. More recently, the battlefield has shifted from an emphasis on perimeter defenses designed to keep the bad guys out to a more data-centric approach that uses real-time tools and assessments to monitor systems and flag possible threats. As resource constraints and new technologies have ushered in this more automated "behavioral intelligence" approach, companies are better prepared to identify a potential attack at its earliest stages and minimize operational disruptions and the loss of proprietary information.
Of course, the old cliché that the best defense is a good offense also applies here, which is why many firms have focused on internal training and awareness programs to educate and empower employees to join the fight. Helping workers understand and look out for a seemingly innocent PDF file that is actually harboring a malicious virus or a phishing link that can make your data vulnerable has added an important, effective and inexpensive layer of defense to many cyber programs.
While all these strategies have aided in the fight against cyber crime, the single most important development in recent years has been the growing acceptance of collaboration and information sharing of cyber threat data among companies within and across sectors. Oftentimes, a single attack can be created and launched against multiple institutions – a relatively efficient and cost-effective strategy. But as firms share information in real time, they change the economics of the battle because the criminals can no longer use the same attack multiple times. In addition, by quickly sharing details of a cyber attack with the wider community, everyone has gained an advantage in protecting themselves – essentially creating the cyber equivalent of "herd immunity" in which the largest possible population is inoculated against the most virulent threats.
We’ve made great progress over time hardening defenses against cyber attack, but the threat will remain among the most dangerous risks facing just about all industries for some time. The recent moves toward greater collaboration and information sharing are steps in the right direction, but as we know from the near daily disclosures of cyber breaches, we have a long journey ahead of us filled with many twists and turns. In time, we can hopefully get to a place where the overnight hours are a bit more restful.
This opinion piece by Mike Bodson originally appeared in LinkedIn Pulse.