The global risk of cyberattacks is a real and growing
threat, and could carry a whopping price tag, says McKinsey & Company in a report on
enterprise IT security implications released in January 2014.

What kind of risk? Organizations worldwide are not
“sufficiently protected” against cyberattacks, says McKinsey in its “Risk and responsibility in a hyperconnected world” report.

As a result, the price tag—the material effect of slowing
the pace of technology and innovation due to a lack of cyberresiliency—could be
as high as $3 trillion by 2020. That’s the number three, by the way, followed
by 12 zeros. And it’s a scenario, asserts McKinsey, that senior leadership in
the public and private spheres had best pay attention to.

The report states that if “attackers continue to get
better more quickly than defenders,” as is presently the case, “this
could result in a world where a ‘cyberbacklash’ decelerates digitization.”

The asymmetric effect of a small number of successful
attackers, leading to tighter government restrictions, could mean that:

the world would capture less of the $10 trillion to $20 trillion
available from big data, mobility, and other innovations by 2020—the ultimate
impact could be as much as $3 trillion in lost productivity and growth.

That is the report’s main finding—the global economy has yet
to mount an adequate defense against the rise of cyberattacks. McKinsey and the
World Economic Forum conducted a survey last year of 200 enterprises, tech
vendors, and public sector agencies.

The two other findings of the report are that executives in
enterprise tech have a consensus on the seven best practices for
cyberresiliency, and that cybersecurity is a CEO-level issue.

The executive summary, written by McKinsey consultants David Chinn,
James Kaplan,
and Allen Weinberg, provides valuable information and insights about each of
these findings, and I devote the remainder of this article to outlining their
results.

Main finding: Cyberrisk is a critical social and business
issue.

  • The biggest technology risk that organizations
    in the joint survey face is the “theft of information assets” and the
    “disruption of online processes.” Close to two-thirds of respondents
    characterized the risk of cyberattack as a “significant issue” with “major
    strategic implications.”
  • Cyberdefenders are “losing ground” to
    attackers. Almost 80 percent of executives surveyed said their organizations
    cannot keep up with the “increasing sophistication” of attackers,
    which include nation-states, criminals, and political “hacktivists.”
  • Enterprises do not have the “facts and
    processes to make effective decisions about cybersecurity.” The report
    surveys the approaches of 60 organizations in detail; of these, 34 percent had
    a “nascent” maturity level and 60 percent were “developing.”
  • Current controls required to protect enterprises
    from attack are having a “negative business impact.” Areas noted are
    mobile functionality delays, public cloud deployments, and frontline employee
    productivity. Some CIOs in the survey believe that security requirements drive
    up activity “as much as 20 to 30 percent” in their organizations.

Second finding: Making institutions cyberresilient

“All too often,” states the report, ominously, “security
is the choke-point for any innovative business initiative.” In a “hyperconnected
world,” organizations are more dependent on their information systems, and
become more open to cyberattacks.

New, as-yet-untested models of security are needed.
Nevertheless, executives in the survey displayed “an emerging consensus”
on what those models should be. Here are the seven cybersecurity best practices
described in the report:

  1. Prioritize
    information assets based on business risks.
  2. Provide
    differentiated protection based on importance of assets.
  3. Deeply
    integrate security into the technology environment to drive scalability.
  4. Deploy
    active defenses to uncover attacks proactively.
  5. Test
    continuously to improve incident responses.
  6. Enlist
    frontline personnel to help them understand the value of information assets.
  7. Integrate
    cyberresistance into enterprise-wide risk-management and governance processes.

Third finding: Cyberrisk is a CEO-level issue.

“The stakes are high,” write the authors, since
trillions of dollars are at risk. Given the “degree of coordination and
cultural change” that robust cybersecurity demands from organizations, it
must be addressed by the “most senior business and public leaders”
around the globe.

According to the report, leaders have to make clear that
they expect:

  • an
    honest, granular assessment of existing capabilities and risks, given their
    business model
  • alignment
    on the most important information assets and a clear approach for providing
    them with required protection
  • a road
    map for getting to a scalable, business-driven cybersecurity operating model
  • a
    well-practiced set of skills for responding to breaches across business
    functions

As a closing thought, it seems that trust is increasingly becoming a
necessary operating principle in the digital age. In the wake of spying
scandals and corporate data breaches over the past year, people are more
concerned about greater risks both to themselves and to organizations.

If $3 trillion in lost benefits does not grab your
attention, then perhaps we shouldn’t talk about robust IT security any further.
With the risks we all face, McKinsey is spot-on in its call to mount more
active and effective defenses to cyberattacks.

TechRepublic readers can freely access the full PDF version of the report on the McKinsey & Company website.