Blog post

Playing Defense with Cybersecurity

As society puts more trust and information into digital systems, companies must consider the role cybersecurity plays for them, and understand how their decisions regarding cybersecurity affect stakeholders.
March 25, 2019


Over the past several years, the number of cyberattacks that occur annually has increased dramatically and is projected to increase further each year for the foreseeable future. In 2017, cyberattacks were eighth on the Risks of Highest Concern for Doing Business, as published by the World Economic Forum, bumping that category into the top ten for the first time. The number of hackers themselves is increasing, and they are becoming more sophisticated as people become increasingly familiar with high-level technology. Regardless of whether hackers’ intentions are to do actual harm to the company, or simply to gain unauthorized access because they can, companies require progressively creative methods to protect themselves against such attacks and maintain the confidence of those affected by an information breach.


To ensure top-level security for themselves and to maintain the confidence of their stakeholders, companies must understand and employ the most recent and reliable cybersecurity practices. Due to a lack of funds, lack of resources, or lack of awareness about the importance of cybersecurity, many companies still neglect to invest adequate resources in this critical issue. According to the Ponemon Institute’s Cost of a Data Breach Study, in 2017 the average cost of a data breach was $3.86 million, meaning a cyber-breach would likely cost a company far more than protection would, both in dollars and in reputation loss. In order to compete with cybersecurity threats, companies should follow some basic best practices.

Stephen Kibsey, instructor of the John Molson Executive Centre’s Sustainable Investment Professional Certification and Adjunct Professor of the Executive MBA Program at the John Molson School of Business, says one of the many ways a company can protect itself is by ensuring that cybersecurity is specifically discussed at the board level and with upper-level management. Ensuring communication is in place not only helps companies to avoid cyberattacks and data breaches, but can also help them develop solid strategies and processes to follow, should such an event occur. Promoting upper-level involvement in cybersecurity also allows companies to more easily implement a cybersecurity-savvy culture, which, according to Kibsey, is another best practice of which companies should be aware.

In addition, implementing cybersecurity training is an effective way to ensure that the knowledge and culture of cybersecurity are passed through all levels of employees. By investing in training on a variety of topics within the realm of cybersecurity, companies are much less likely to experience a data breach, especially one caused by negligence of an employee. Currently, human error (i.e. negligence) is responsible for approximately 27 per cent of data breaches according to the Ponemon Institute’s 2018 Cost of a Data Breach Study. Having a team of employees who understand cybersecurity at a mature level ensures that the company has that many more people protecting it from cyberattacks and data breaches, and that many fewer people contributing to them. Due to the aggressive nature of cyberattacks, anybody who is not assisting with the cybersecurity of a company is effectively creating vulnerability.


When it comes to the company’s stakeholders, though, it can be difficult to prove that ample cybersecurity measures are being taken, especially for potential investors who are analyzing the company to ensure that it is a worthy investment. Companies become caught up in a sort of paradox when it comes to sharing such information, because the proof required to ease the minds of stakeholders can also provide potential hackers with the tools they need to more easily access the company’s system. “The transparency and the disclosure about cybersecurity at companies, at this point, is relatively very thin,” Kibsey says, but some companies are trying alternative methods to assure stakeholders they are taking cybersecurity seriously. For example, Exxon Mobil published the number of unsuccessful unauthorized access attempts that were made on its system in a year. Using indirect methods like this may be one way for a company to prove its maturity in cybersecurity to its stakeholders without making itself vulnerable to potential threats.

Ideally, companies would put a halt to hacker activity before the hackers were able to enter the system and access the valuable data within, but that’s not realistic. Best practices have adapted over the years to help companies to protect themselves, but the most frustrating aspect of the hacker-company relationship is that the company is always playing defense, because it is next to impossible to anticipate the next move hackers are going to make. Kibsey says there is an element of collaboration that should exist, and already does to some extent, in companies’ efforts to thwart hacker activity. “Companies in a similar industry tend to get together, whether there’s been a breach or not, share information, if they have been breached, maybe share that information with other companies in a similar industry, to tell them, look, if this happened to us it could happen to you,” Kibsey says. “I think where we have to go is the so-called ‘honest players’ have to continue to collaborate and work together to keep the bad guys out.”

Learn more about the Sustainable Investment Professional Certification

 


© Concordia University