The global risk of cyberattacks is a real and growing threat, and could carry a whopping price tag, says McKinsey & Company in a report on enterprise IT security implications released in January 2014.
What kind of risk? Organizations worldwide are not "sufficiently protected" against cyberattacks, says McKinsey in its "Risk and responsibility in a hyperconnected world" report.
As a result, the price tag—the material effect of slowing the pace of technology and innovation due to a lack of cyberresiliency—could be as high as $3 trillion by 2020. That's the number three, by the way, followed by 12 zeros. And it's a scenario, asserts McKinsey, that senior leadership in the public and private spheres had best pay attention to.
The report states that if "attackers continue to get better more quickly than defenders," as is presently the case, "this could result in a world where a 'cyberbacklash' decelerates digitization."
The asymmetric effect of a small number of successful attackers, leading to tighter government restrictions, could mean that:
the world would capture less of the $10 trillion to $20 trillion available from big data, mobility, and other innovations by 2020—the ultimate impact could be as much as $3 trillion in lost productivity and growth.
That is the report's main finding—the global economy has yet to mount an adequate defense against the rise of cyberattacks. McKinsey and the World Economic Forum conducted a survey last year of 200 enterprises, tech vendors, and public sector agencies.
The two other findings of the report are that executives in enterprise tech have a consensus on the seven best practices for cyberresiliency, and that cybersecurity is a CEO-level issue.
The executive summary, written by McKinsey consultants David Chinn, James Kaplan, and Allen Weinberg, provides valuable information and insights about each of these findings, and I devote the remainder of this article to outlining their results.
Main finding: Cyberrisk is a critical social and business issue.
- The biggest technology risk that organizations in the joint survey face is the "theft of information assets" and the "disruption of online processes." Close to two-thirds of respondents characterized the risk of cyberattack as a "significant issue" with "major strategic implications."
- Cyberdefenders are "losing ground" to attackers. Almost 80 percent of executives surveyed said their organizations cannot keep up with the "increasing sophistication" of attackers, which include nation-states, criminals, and political "hacktivists."
- Enterprises do not have the "facts and processes to make effective decisions about cybersecurity." The report surveys the approaches of 60 organizations in detail; of these, 34 percent had a "nascent" maturity level and 60 percent were "developing."
- Current controls required to protect enterprises from attack are having a "negative business impact." Areas noted are mobile functionality delays, public cloud deployments, and frontline employee productivity. Some CIOs in the survey believe that security requirements drive up activity "as much as 20 to 30 percent" in their organizations.
Second finding: Making institutions cyberresilient
"All too often," states the report, ominously, "security is the choke-point for any innovative business initiative." In a "hyperconnected world," organizations are more dependent on their information systems, and become more open to cyberattacks.
New, as-yet-untested models of security are needed. Nevertheless, executives in the survey displayed "an emerging consensus" on what those models should be. Here are the seven cybersecurity best practices described in the report:
- Prioritize information assets based on business risks.
- Provide differentiated protection based on importance of assets.
- Deeply integrate security into the technology environment to drive scalability.
- Deploy active defenses to uncover attacks proactively.
- Test continuously to improve incident responses.
- Enlist frontline personnel to help them understand the value of information assets.
- Integrate cyberresistance into enterprise-wide risk-management and governance processes.
Third finding: Cyberrisk is a CEO-level issue.
"The stakes are high," write the authors, since trillions of dollars are at risk. Given the "degree of coordination and cultural change" that robust cybersecurity demands from organizations, it must be addressed by the "most senior business and public leaders" around the globe.
According to the report, leaders have to make clear that they expect:
- an honest, granular assessment of existing capabilities and risks, given their business model
- alignment on the most important information assets and a clear approach for providing them with required protection
- a road map for getting to a scalable, business-driven cybersecurity operating model
- a well-practiced set of skills for responding to breaches across business functions
As a closing thought, it seems that trust is increasingly becoming a necessary operating principle in the digital age. In the wake of spying scandals and corporate data breaches over the past year, people are more concerned about greater risks both to themselves and to organizations.
If $3 trillion in lost benefits does not grab your attention, then perhaps we shouldn't talk about robust IT security any further. With the risks we all face, McKinsey is spot-on in its call to mount more active and effective defenses to cyberattacks.
TechRepublic readers can freely access the full PDF version of the report on the McKinsey & Company website.
Brian will do client work for AtTask.
Brian Taylor is a contributing writer for TechRepublic. He covers the tech trends, solutions, risks, and research that IT leaders need to know about, from startups to the enterprise. Technology is creating a new world, and he loves to report on it.