Cybersecurity: keeping the ‘crown jewels’ safe online is everyone’s business
Author: Mark Lobel, Partner, PwC US
At its core, every company I’ve ever encountered has its own digital ‘crown jewels’. By that, I mean the media content, customer data, email, product designs or other business-critical intellectual property that – if compromised or stolen – could severely undermine a company’s reputation and revenues, or even destroy its business. These are the assets that drive cash flows, competitive advantage and shareholder value. And I believe that protecting them shouldn’t be seen just as a technology challenge, but as a major strategic business priority.
As cyberattackers – including organised criminals, terrorists and state-backed organisations – become increasingly sophisticated, numerous and well-funded, the stakes are high and rising. But despite this, my experience across many industries suggests that the security of digital information – cybersecurity – doesn’t always receive the attention it deserves at board level. All too often, at least until a major breach occurs, it’s still viewed as the responsibility of the IT team. But the reality is that effective cybersecurity is the linchpin for safeguarding any company’s most valuable assets.
…coupled with rising vulnerability
We look at the specific cybersecurity challenges facing companies in the entertainment and media sector in this new article. And those challenges are growing: in PwC’s 2015 Global State of Information Security Survey, entertainment and media executives reported a 50% jump in incidents detected over the past year. In my view, the drivers behind this disturbing finding – including the growing difficulty of staying a step ahead of the attackers – are mirrored in most other industries.
What’s more, these threats are increasing at a time when all businesses’ vulnerability to attack is also on the rise. This is due to greater digital connectivity between companies in ‘business ecosystems’, an increasing dependence on technology, and the fact that it’s simply no longer realistic to safeguard all data at the highest level of security.
Three steps to a more secure business
Faced with this situation, business leaders are sometimes unsure where to focus their efforts. The key is that all board members should work in a coordinated way to recognise the potential impact from evolving threats, taking into account the motivations and capabilities of their adversaries. With this foundation in place, my experience suggests that companies should then take the following three steps.
First, make cybersecurity everyone’s business. It’s crucial to elevate the role of information security in the organisation and emphasise that it’s a strategic business issue. Cybersecurity should be as much a concern to C-suite executives as it is to the IT team. It’s also the business of employees, contractors, third-party vendors, and other ecosystem partners. And, in fact, we’re already seeing cybersecurity rise up the CEO agenda. CEOs polled in our recently launched 18th Annual Global CEO Survey rated cybersecurity in their top three most strategically important digital technologies for their organisations. And 53% said it’s ‘very important’ strategically – a higher proportion than for any other type of digital technology we asked about.
Second, strengthen the ecosystem. The integrity and stability of any business is now more dependent than ever before on the other companies in its digital ecosystem. Increasing reliance on collaborators, vendors and third parties means organisations must integrate these external partners into their cybersecurity strategy. But in doing so, it’s vital not to overlook the threats from within: the biggest problems are often caused unwittingly by a company’s own employees – for example, by failing to change default passwords.
Third, identify and protect the most critical assets. As I highlighted earlier, not all information assets are equal in value. So companies must determine which information assets are their ‘crown jewels’ and provide these with enhanced protection. This means knowing not only which assets they are, but where they’re located at any given time, and who has access to them.
Remember: people and culture trump technology and models
As companies take these steps, many face a further challenge in that their approach to managing cybersecurity risks hasn’t kept pace with the threats. This is because the traditional information security model – compliance-based, perimeter-oriented and reactive – doesn’t address today’s realities. As a result, I’ve seen some companies that have spent millions and millions on security products and services built on outdated models.
But, at the root, the barriers to effective cybersecurity are more around people and behaviour than technologies. A collaborative approach is needed where those in the digital value chain share information and pool resources while maintaining protection and vigilance through appropriate technology tools. This can be the most cost-effective solution which also delivers tangible security benefits for everyone involved. CEOs in our latest CEO Survey recognise that their own support in championing the use of digital technologies is key to ensuring successful outcomes from their digital investments. The CEO must set the tone and provide the support to make sure that keeping an organisation’s crown jewels safe is everyone’s business.
Mark leads the PwC US and Global security practices focusing on Technology, Information Communications, Entertainment and Media (TICE) industries. He specialises in cybersecurity and IT controls, with experience designing, implementing, benchmarking, and assessing organisational security strategies and technologies.