It’s been over a year since hackers broke into the systems of one of the three largest credit reporting agencies, stealing the personal information of nearly 150 million Americans. Since then, one thing has become clear: Cyberattacks aren’t getting any smaller. In November, one of the world’s biggest hotel chains revealed that hackers had compromised their database, snatching the personal details of about 500 million customers.
The increased scale, frequency, and resulting legal exposure of these kinds of attacks mean that the ability to identify, manage, and mitigate cyber risk is now an essential skill for business leaders. Here’s why.
Cybersecurity risk is business risk
For big companies, cyberattacks aren’t just bad PR; they’re also bad business. The average cost of a single cyberattack is $3.86 million, according to the Ponemon Institute, a research center focused on privacy, data protection, and information security policy. That price tag is, of course, much bigger for larger companies with more customers. A large data breach exposing 50 million records, for example, can cost as much as $350 million, according to Ponemon. Attacks like the ones mentioned above can leave large corporations billions of dollars poorer — even before the costs associated with the inevitable class-action lawsuits.
In other words, there’s a direct link between a company’s vulnerability to cyberattacks and its bottom line. This is why cybersecurity can’t be solely within the purview of corporate IT departments or chief information officers, argues Eric Rosenbach, co-director at the Belfer Center for Science and International Affairs at Harvard Kennedy School.
“Cybersecurity is more than just an IT issue — it impacts every level of an organization,” Rosenbach said. “Cybersecurity is about risk management and who better to address risk management holistically than the organization’s leaders? Leaders need to be aware of the threats and challenges facing their organization, in order to effectively allocate resources to mitigating cyberattacks.”
The problem is that few business leaders have the background and training required to even ask the essential questions about their organizations’ cybersecurity preparedness, let alone answer them. This is why HarvardX, one of Harvard University’s online learning programs, has developed a course designed to give corporate leaders this essential education. Through the program, working professionals learn how to assess their organizations’ security vulnerabilities, how to build an incident response plan, and, in general, how to articulate the importance of cyber risk management. Learning these skills will give them the knowledge they need to protect the data of their organizations and their customers.
While leadership is key to making cybersecurity an organizational priority, that can’t happen without organizational buy-in.
One way to understand today’s corporate cybersecurity environment is that, with the rise of remote work, cloud technology, and the bring-your-own-device movement, companies have more security vulnerabilities than ever. Every employee, server, and connected device is a potential weak point. This is particularly true with email, which remains a real threat for companies across industries. In a recent poll of 1,300 IT security decision makers, 56 percent said that phishing attacks were the top security threat they faced.
This is why, to truly protect their digital infrastructure, companies must invest in cybersecurity training programs that give employees the skills and knowledge they need to defend themselves against hackers. The best of these efforts are more elaborate than formal classroom training programs. To educate employees about how to spot phishing emails, for example, many companies run internal mock phishing tests, which mimic the methods and style of phishing emails. The results of these tests are then shared with the organizations, along with detailed explanations of the specific features of the fake phishing email that tricked unwitting employees.
The evolving nature of cybersecurity underscores the importance of keeping leadership — both today’s and tomorrow’s — educated about threats and where they will come from. This is why the last module of Harvard’s cybersecurity course focuses on some of the emerging threats and challenges, such as artificial intelligence, big data, and quantum computing. Rosenbach said that these topics will only become more prominent components of the course in the future.
“Threat actors are getting smarter and more sophisticated in their attacks. The technology is always changing too, so the good guys need to adapt how we look for breaches and prevent them from happening,” he said.