Another recently evolving reason why cyber threats have become so dangerous is that they are increasingly interlinked with other major threats facing CEOs, as the CEO Imperative Study highlighted. In a politicized and activist environment, cyber threats now closely link to some of the most daunting challenges the world wrestles—including climate change, digitization, geopolitical instability and social inequality.
In the past, cyber threats tended to be fueled by greed and opportunism – perpetrators looking to extort money from organizations and individuals. While these motivations still exist, anger and activism are an increasingly important driver as well. Cyber-attacks are launched simply because the perpetrator wants to make a point, whether it be about the politics of an organization, the damage it is inflicting on the environment or the harm it is causing to society. As the tools used to enable a cyber-attack, become increasingly ubiquitous (and user friendly), we will see the continued increase in ‘hacktivists’ – activists who take action with the aim of using technology to hold large companies and other systemically important organizations to account.
The loss of jobs to automation also stands to be a huge driver of cyber-attacks over the next decade. Even highly educated and skilled workers are at risk of dislocation due to increasingly powerful systems and automation. These highly capable people – particularly those with technology backgrounds – may well engage in cybercrime as a way to both make money and protest against their lot. A rise in fraud and other types of financial crime is a predictable result.
The bad news is that these CEOs’ concerns are well-founded, and the risk is not likely to abate any time soon. And the worse news is that as the ranks of the angry and discontented grow, it won’t be easy to proactively identify hacktivists and cyber criminals, let alone anticipate their attacks. Nevertheless, CEOs can take some practical steps to help mitigate their organization’s exposure to cyber risk:
- Be aware of the need to protect your brand in today’s politicized and activist world. Your brand needs to have the trust of consumers, employees, and the supply chain. If any of these parties lose trust in your brand, cybersecurity attacks may follow.
- Work closely with your national government to understand the regulatory landscape in your country and which local enforcement agencies exist. That way you will know who to contact in an emergency.
- Collaborate with peers within your industry and sector to share insights and knowledge so that you can raise the collective level of awareness and preparedness.
- Work with experts who understand how cyber risk varies in the various markets in which your organization operates, and the programmatic controls that should be put in place for protection. To enhance the Board’s confidence, consider hiring an independent/objective third-party to evaluate and verify the effectiveness of your programmatic controls.
- Make sure you have an effective, risk-based cybersecurity program in place today. Many organizations fail to properly consider cyber risk until they are required to comply with new regulations, or their auditor tells them to act. In fact, cyber management should be ingrained within the DNA of an organization in just the same way that brand management is. The cyber implications of any project should be thought through at the start and the entire organization should have a mindset of security by design.