“Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts… A graphic representation of data abstracted from banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding…” William Gibson, Neuromancer
In a demonstration of art’s ability to shape the world we live in, a visionary science fiction writer named William Gibson coined the term cyberspace in the early 1980s and a few years later illustrated his concept of cyberspace in vivid detail via his ground-breaking novel Neuromancer. The sprawling, virtual realms Gibson imagined, and in which he set a thrilling pursuit between cyber criminals and corporate firewalls, were prescient of the very real cyber security landscape we face today.
Systemic risk and competitive advantages
The fundamental socio-economic changes imposed by our collective response to COVID-19 have provided the latest push towards an economic model featuring reduced reliance on physical proximity at the same time as dramatically increased reliance on IT infrastructure. This fundamental shift in how we live and how business is done goes hand in hand with socioeconomic disruptions which provide an opportunity for individual organizations to gain a competitive advantage via swift adaptation, but also systemic risk relating to widespread IT vulnerabilities. As Nicholas Davis and Algirde Pipikaite write for the World Economic Forum, a global cyberattack seems inevitable and it is possible to imagine such an event bringing about economic disruption similar to what we are experiencing with COVID-19.
The NetBlocks online tool estimates that the daily financial fallout from a global internet outage exceeds $50bn.
Just as a lack of preparedness – consider the global shortages of personal protective equipment – exacerbated the initial impact of COVID-19, the fallout from a globally relevant cyberattack will be a function of our level of preparedness.
A thriving community is one in which members go above and beyond what is formally required from a business perspective. We are proud to highlight that LHoFT member Hacknowledge has been at the forefront of providing free and timely updates on active threats to the community via its newsletter throughout the COVID-19 crisis.
In the following section, we will highlight concrete steps to be taken at an organizational level in order to increase cyber security preparedness globally.
Principles for preparedness
When it comes to cyber security in the current context, complacency is not an option and mere compliance is not good enough. Every business, every organization owes it to its clients and its partner organizations to be prepared for a surge in cybercrime that is already becoming tangible. How then to be prepared?
On a practical level, FEDIL in collaboration with securitymadein.lu have published a list of practical steps & reminders aimed at minimising risks associated with remote work.
As far as organisational preparedness is concerned, in an accompanying post to the WEF’s recently issued report on cyber security leadership principles, the authors remind us that “there is no silver bullet”. Cyber-resilience is a function of organizational culture and processes as much as it is a matter of technology.
In concrete terms, the WEF report urges the following:
1. Foster a culture of cyber resilience – which requires top-level buy-in and proactive risk management on a continual basis;
2. Focus on protecting the organization’s critical assets and services – which implies efficient allocation of resources;
3. Balance risk-informed decisions during the crisis and beyond – while organisations were forced to take accelerated decisions with suboptimal risk assessment during the crisis, “they will need to reassess the digital dependencies and risks accrued to restore their risk profile to an acceptable level”;
4. Update and practice the organization’s response and business continuity plans as business transitions to the “new normal” – assumptions need to be challenged and processes reorganized accordingly;
5. Strengthen ecosystem-wide collaboration – organizations are reminded that information sharing is a vital prerequisite for the effective management of a crisis.
Against the backdrop of an overwhelming new reality, principles defined by the community have a way of becoming the norm rather than remaining an exception. Take for instance the rise of ESG criteria in the asset management industry: when the Principles for Responsible Investment were founded by Kofi Annan and a handful of investors in 2005, few outside observers could have imagined that the PRI would one day count more than 3000 signatories encompassing the vast majority of global assets under management.
This stratospheric rise in PRI membership and the accompanying advancement of the industry’s collective understanding of what effective ESG implementation might look like was driven not least by the recognition that sustainable returns could not be achieved without taking “extra-financial” criteria into account insofar as these criteria reflect fundamental shifts of exogenous (environmental) nature as well as shifts in consumer preferences and public policy.
Getting ahead of the inevitable
The situation with regard to cyber security is not altogether different in scope and complexity to that of climate change or supply chain management, and it seems reasonable to expect that cyber security readiness will become a material factor in evaluating the future performance of any commercial organization. Authors affiliated with LHoFT member Cyberhedge argued as much in an article published in the Journal of Cyber Policy in late 2019, stating that “Cyber security poses significant financial risks to enterprise value, justifying its classification as a governance issue and management quality indicator […] Key regulatory oversight bodies increasingly require companies to manage cyber risk in a manner consistent with other macro-level business risks.”
“Reporting on cyber security risk in financial terms enables the board and full executive management team to manage cyber like any strategic business risk.”
For businesses this means that there is a strong incentive to get ahead of the curve and differentiate positively from the pack by implementing best practices in terms of leadership, organizational culture and processes before such changes become inevitable either due to market dynamics or by political mandate.
Much remains to be done, and investors are beginning to have a closer look. A collaborative investor-investee engagement effort conducted by 55 institutional investors with >$12tn in AUM and 53 companies through 2017-2019 shows that companies are making progress across the board, but that overall scores on vital markers such as reporting on staff training remain lacklustre:
2017-2019 change in corporate reporting relating to cyber security – highlights. Source: PRI
To summarize: the increasing and inevitable digitalisation of our economy entails heightened individual and systemic cyber security risks and the viability of any given business or organisation depends on its ability to implement an effective strategy and appropriate technological solutions to mitigate these risks. Stakeholders, including the investment community, are keeping a close eye on what is increasingly perceived as a material factor of business success.
To quote Gibson once more: “The street finds its own uses for things”, which means that innovative solution providers stand to gain, as ingenuity and persistence are enduring requirements for successful cyber security strategies and products. On this note, applications to our partner PWC’s 2020 cyber security day are open until June 30 and we strongly encourage anyone with an innovative solution to submit their pitch.
Author: Jérôme Verony – LHoFT Research and Strategy Associate