By Pierre Oger, CEO, EGERIE
Cyber threats have risen to the third most likely risk among industry leaders, according to the Global Risks Report released by the World Economic Forum in Davos in 2018. In 2019, they recognize cybercrime as a major risk. While COMEXs and BoDs tend to be aware of the challenges that cyberattacks pose to their businesses, they are struggling to develop a real effective and agile strategy to counter cyber risks. While the next crisis could be digital, after this pandemic it is more essential than ever that leaders use cyber as a real strategic lever to ensure the growth and sustainability of their business.
It is in this dynamic and delicate context that we support companies in the design of a new cyber strategy, providing executives with tools to better assess their organizations’ exposure to risk, their ability to cope with an incident and to support them to find new performance levers.
It is imperative that cybersecurity be an integral part of a company’s strategy. The issue has become crucial because of the multidimensional impact that a cyberattack can have. Many examples illustrate the firepower of hackers. After the multinational manufacturer Saint-Gobain saw its turnover of more than 200 million euros melted in the wake of the NotPetya and Equifax attack, which lost its customers’ personal data and, in turn, 35% of its valuation in a few days; consulting company Altran suffered a ransomware event in 2019 at an estimated cost of 20 million euros. The high-end French-headquartered lingerie group Lise Charmel is in the process of legal redress after a fearsome cyberattack which crippled their supply chain communications. It is not just household names – SMEs, particularly fragile and exposed, are the prime prey of cybercriminals : the SME company Clermont Parts, specialists in household appliance parts and based in Clermont-Ferrand (Puy-de-Dôme), was forced to shut down after being the target of a cyberattack in 2017. Strategic European companies such as the British company Elexon, which acts as an intermediary between electricity producers and energy seekers (and is designated part of the critical national infrastructure), were also affected. In the age of continuous information, the company’s image can be quickly and completely damaged. « It takes 20 years to build a reputation and less than 5 minutes to ruin it. Let’s think about that and you’ll see your business differently », recalls Warren Buffet.
Beyond the simple degrading of IT, all a company’s activity can be destroyed resulting in major financial losses as well as an impact on the company’s image and reputation. In an era of transparency and ongoing justification, companies must respond as much to financial and societal pressures as they have to comply with enhanced compliance such as, the GDPR or the European Network and Information Security (NIS) directive to name but two. Companies must also protect their intangible assets, the data they hold, through effective and appropriate cybersecurity functionality such as risk analysis, encryption, and strong authentication amongst others. To achieve this, it is the responsibility of managers to understand both the nature and value of what they need to protect – and then, since each company is unique, to know the type of risks and threats that their company is and could face. Only then can a company finally put in place a real cyber protection strategy which will be carried out by all employees.
Board of Directors and COMEX members are overloaded with information. They have to make decisions and to make arbitrations quickly and accurately. Companies must therefore provide the key tools and indicators, in an easily understandable format, to CIOs and allowing them to present meaningful information to the leadership team and to retain the attention of leaders when it comes to assessing their risks, their assets and their needs in order to become cyber-resilient as an organization.
Dynamic cyber risk mapping is essential to define those protective actions that need to be deployed immediately, as well as adaptations needing to be put in place in the face of the changing risks and your specific situation. « The current crisis has rethought our business models. This requires re-analyzing all the risk and cyber analyses, as many companies have set up telework with an unprepared system opening. This has created loopholes that cybercriminals will not fail to exploit.» Thierry Delvile, partner in PwC’s Cyber Intelligence division.
Businesses have entered a new digital dynamic, which has been massively accelerated by the health crisis. This is an opportunity for all of us to build a resilient digital future and companies need to incorporate this change of mindset to both survive and to prosper. The current situation shows us that we are capable of that. To ensure its resilience, the company must develop a sound methodology based on a comprehensive risk analysis – and with proven benchmarking skills, we want to be a enabler for companies that need to develop their cyber resilience. This holistic approach provides decision-makers with the right elements for informed decision-making, using simple, intuitive, and clear indicators, thereby promoting sensible and prioritized investment choices and resource allocation. In this world, fundamentally, Cyber should be approached as an investment and not as a cost. « The implementation of cybersecurity tools can avoid heavy financial losses, data theft, etc. that impact the company’s image and reputation with customers, investors… Cyber resilience is therefore a tool for trust that can be usefully valued and valued. Another point that we are putting into perspective during the operations of the M and A (mergers and acquisitions) and which will certainly be, for future operations, in the wake of this crisis of COVID-19 » Thierry Delville.
Today, businesses are entering a period of economic crisis for some, and economic uncertainty for others. After decades of near-continuous growth, the world is expected to experience a historic recession and the worst economic crisis since 1929… In this context, it is therefore likely that investments in cyber are diminishing, but some budget cuts are having an impact on the sector or at least that many projects are slowed down. However, it is vital to keep in mind the strategic dimension of the company’s digital security which could well, failing that, become the equivalent of the second wave of COVID that we all fear !
« Governing is planning », wrote Emile de Girardin, a French journalist and politician. Because cyber risk is cross-discipline, it can impact all a company’s functions. The role of the Board is to anticipate risks to the business to eliminate them or ensuring the company is able to continue to operate in degraded mode if a crisis occurs. The CIO must therefore be able to find a listening ear within the Board and the Finance department who have the resources to develop the company’s cybersecurity. With a high level of data intelligence, the finance department can now perform various simulations using predictive analysis. That is why we advocate the establishment of a direct line between Finance and the CIO and this methodology would be an optimal structuring for ALL companies that have made digital a strategic priority. Finally, there is the culture of the company and the awareness of all employees who must be informed of, and trained in, cyber risks. Everyone has a key role to play.
It is not useless, in this period, to remember that « To live, one must maintain all its vital functions, to die, it is enough to destroy one! » as Bruno Luirard, Founding Partner and President of « The Voice of Men » points out .
Cybercrime damage is expected to reach $6 trillion per year by 2021. The manager must therefore definitely think of cyber as a strategic pillar of his company to protect it from threats, but also to ensure and think of its growth and sustainability by promising this dimension in the eyes of its partners, employees, customers or investors, who are increasingly anxious to place their trust in the hands of responsible companies.