Cybersecurity is the biggest business risk of our time – something of which we are regularly reminded. Earlier this year, the World Economic Forum named cyberattacks as one of the top five global risks, and the Allianz Risk Barometer also defines cyber incidents as the greatest business risk of our time. At least one in two organizations has been the victim of a successful cyber-attack in the last three years, and one in three more than once. What’s more, we should expect these numbers to be much higher because organizations either don’t notice successful cyber-attacks for a long time – or they try to hide them. We must all expect to face cyber-attacks – as organizations, as a society, and as individuals.
There are two things that people and organizations are still failing to do: Recognizing the special importance of the human aspect of cybersecurity and how to strengthen it and understanding the magnitude of the risk and the far-reaching consequences.
The role of the human factor
“No problem, technology will protect us”. That’s certainly a thought that organizations have had at one time or another. Unfortunately, that’s not the case. Sure, technological protection is essential – but cybercriminals’ primary target remains people. Using social engineering tactics, they are constantly finding new ways to hack into our brains, bypassing technological barriers through emotional manipulation. In the U.S., for example, we are seeing an increase in cybercriminals targeting the children of top executives – family and friends are becoming a social engineering “supply chain.” But also, the basics are still working; phishing campaigns that target our emotions.
Willingness to help and donate money in the face of geopolitical tensions, following time-sensitive instructions
to transfer money out of respect for our CEO, or other emotional triggers still lead to an automatic human response. A fact that cybercriminals continue to exploit with great success.
Currently, 74% of breaches involve the human element, and Forrester predicts this will rise to 90% by 2024. This underscores the critical role of employees in cybersecurity-not only in preventing breaches, but also in mitigating their impact. Leaders must empower their teams to effectively manage these threats.
Consequences of a successful cyberattack.
The second underestimated aspect of cyberattacks is the far-reaching impact of successful hacks: It can lead to the shutdown of critical systems and services, causing operational paralysis. The average time to contain a data breach is 73 days, which can halt business operations and disrupt the supply chain with wider financial implications. The average cost of a data breach is $4.35 million, with direct, indirect, and long-term financial losses.
Cybercriminals can steal money directly through fraudulent transactions, and organizations may be forced to pay ransoms to regain access to their systems. Organizations also face increased costs associated with forensic investigations, legal fees, public relations, investments in new security measures, system repairs, data recovery, and crisis management.
And, of course, business interruption and loss of customer confidence can lead to lost sales and contract cancellations. Publicly traded companies have experienced an average 7.5% drop in stock value following a data breach, with an average market capitalization loss of $5.4 billion.
In addition to financial loss, there is also the risk of intellectual property loss, which can undermine competitive advantage and innovation. Competitors may take advantage of the organization’s weakened state to gain market share.
Of course, there can also be legal and regulatory consequences, such as fines and penalties for failure to comply with data protection laws such as GDPR and NIS2. Executives can also be held personally liable for failing to ensure that the company complies with cybersecurity regulations, or for failing to protect the company from cybersecurity risks and financial loss. In certain jurisdictions, gross negligence in cybersecurity can lead to criminal charges against executives if they’re found to have willfully ignored their responsibilities.
Again, the impact on employees should not be underestimated. The stress and uncertainty caused by a cyberattack can negatively impact employee morale and productivity, as well as employee turnover and recruitment. The experience of a cyberattack can be so unsettling for employees that more than half of office workers say they would reconsider working for a company that has recently suffered an incident, while only a third say they would be unaffected.
Reputational consequences can be severe.
However, the reputational consequences of all of this can be significant. In an era of globalization and digitization, our security is increasingly dependent on that of our partners. As a result, a breach can have far-reaching reputational consequences, particularly in terms of customer confidence and damage to business relationships. Exposure of sensitive customer data can undermine trust, leading to customer churn and difficulty in attracting new customers. Negative publicity from media coverage of the attack can damage the organization’s public image and affect market perception. And the damage to brand reputation can result in reduced market value and competitive advantage.
But there is a truth to all of this: We need to get used to companies experiencing successful attacks. The real reputational damage starts when companies try to hide it and are not transparent about what happened and the extent of the damage. Because that’s when we really start to lose trust. On the other hand, communicating intelligently in a way that partners and customers understand the situation is under control, cybercriminals can’t profit from new information, and that other organizations can learn from the incident is something that will strengthen our industry – and could potentially even lead to positive reputational outcomes in a world of increasing cyber threats.
Don’t let cybercrime rise.
The impact of cyber-attacks is far-reaching, and ad-hoc countermeasures are not enough. Organizations need a holistic risk management approach to cybersecurity, making it a priority for top management and board members.
The good news is that this shift has already occurred: Cybersecurity is a top priority for executives, and they know they need to invest to secure the future of their organizations.
But what else can executives do to respond to these cyber risks? Push for holistic security strategies to mitigate risk in a sustainable way. And engage your employees as the most versatile part of your security strategies to prevent attacks and mitigate the potential consequences. Empower them to learn about security risks, their impact, and how to take responsibility for protecting their business and personal lives through security awareness training and a human risk management approach. Make cybersecurity a shared responsibility and part of your corporate culture to foster secure behavior. Because in this AI-powered, ever-changing threat landscape, it will be your employees who can make a difference in protecting your company. And for them, it’s not just about protecting their business, it’s about protecting their personal lives from cybercrime.
Laura Hartman is a corporate communications executive in Germany. She was mostly recently the Head of Corporate Communications at SoSafe.