10Minutes on the stark realities of cybersecurity
April 2013

Cybersecurity is more than an IT challenge—it’s a business imperative

Highlights

Business leaders must recognize the exposure and business impact that comes from operating within an interconnected global ecosystem.

They need to appreciate the evolving, targeted threats to their business model and the deep motivations and capabilities of their adversaries.

By evaluating which information assets are the “crown jewels” of the business, companies can determine which ones require enhanced protection.

The CEO and board are responsible for ensuring the company designs and implements an effective cybersecurity program.

When business and government leaders gathered at this year’s World Economic Forum in Davos, they focused on key emerging global risks, including cybersecurity. Our own research with business leaders has revealed that cybersecurity is a growing concern.[1] However, many CEOs and boards have yet to truly appreciate the seriousness and magnitude of this critical business issue.

Just how crucial is cybersecurity? Industry analysts have drawn parallels to the sentiment before the financial crisis when risks were not properly identified, assessed, and managed. It took the crisis for business leaders to fully appreciate the extent of their exposure within the interconnected global financial system.

Today, cyberthreats are a clear and present danger to the global business ecosystem. Yet many enterprises place the responsibility for managing cyberthreats solely in the hands of their technology team.

It is time for business leaders to see cyberthreats for what they are—enterprise risk management issues that could severely impact their business objectives.

A changed business environment demands a new approach:

1. A focus from enterprise to business ecosystems
Businesses are more interconnected, integrated, and interdependent—creating dynamic and evolving business ecosystems. Trusted business relationships and interactions with customers, service providers, suppliers, partners, and employees rely on securely sharing information assets and critical data.

2. Cyberattacks are impairing businesses
In the ecosystem, businesses are completely dependent on technology and connectivity. This amplifies the business impact of cyberattacks, affecting intellectual property, competitive advantage, operational stability, regulatory compliance, and reputation.

3. Not all information assets are equal
Information assets continue to proliferate at an extraordinary rate. Safeguarding all data at the highest level is just not realistic or possible. Loss of some types of data is troubling; loss of others can destroy key elements of your business.

[1] http://pwc.blogs.com/ceoinsights/2013/01/todays-ceos-worry-more-and-have-more-to-worry-about.html

At a glance

Cyberattacks are accelerating at an unprecedented rate—and your approach to cybersecurity must keep pace. Here’s how businesses are adapting to the new reality:

| | Historical IT Security Perspectives | Today’s Leading Cybersecurity Insights |
|---|---|---|
| Scope of the challenge | Limited to your “four walls” and the extended enterprise | Spans your interconnected global business ecosystem |
| Ownership and accountability | IT led and operated | Business-aligned and owned; CEO and board accountable |
| Adversaries’ characteristics | One-off and opportunistic; motivated by notoriety, technical challenge, and individual gain | Organized, funded, and targeted; motivated by economic, monetary, and political gain |
| Information asset protection | One-size-fits-all approach | Prioritize and protect your “crown jewels” |
| Defense posture | Protect the perimeter; respond if attacked | Plan, monitor, and rapidly respond for when attacked |
| Security intelligence and information sharing | Keep to yourself | Public/private partnerships; collaboration with industry working groups |

01 Your business ecosystem creates both opportunity and risk

In the last two decades, the technology revolution has dramatically changed the way companies do business. Traditional boundaries have shifted; companies operate in a dynamic environment that is increasingly interconnected, integrated, and interdependent. Your ecosystem includes not only employees, partners, and customers but other constituents like law firms, investment banks, service providers, government agencies, regulators, industry affiliations, and even competitors.

The ecosystem is built around a model of open collaboration and trust—the very attributes being exploited by an increasing number of global adversaries.

Their risk is your risk

Constant information flow is the lifeblood of the business ecosystem. Your data is distributed and dispersed throughout the ecosystem, expanding the domain you need to protect. The integrity and stability of your business is now, more than ever, dependent on those in your ecosystem.

Adversaries actively target the vulnerabilities throughout the ecosystem—significantly increasing the exposure and impact on the business. For example, a professional services firm was specifically targeted in order to obtain strategic deal documents related to one of its clients. In another ecosystem breach, several international high-tech firms were hacked through a penetration within their supply chain.

Old security models are inadequate

While cybersecurity risks have dramatically evolved, the approach businesses use to manage them has not kept pace. The traditional information security model—one that is compliance-based, perimeter-oriented, and aimed at securing the back-office—does not address the realities of today.

When looking beyond the enterprise boundaries, companies need to re-evaluate security priorities and allocations. Cyber-risk management in the business ecosystem is a complex problem, requiring management engagement, sophisticated techniques, and new skills and capabilities.

A new approach for a new world

Company leaders and boards can no longer afford to view cybersecurity as a technology problem; the likelihood of a cyberattack is now an enterprise risk management issue. Senior executives who view cybersecurity as an integral part of the business agenda position their organizations to take fuller advantage of ecosystem opportunities. Knowledge is power; gaining ongoing insight into ecosystem vulnerabilities and threats helps them anticipate and plan for risks that might sideline others who are less informed.

“When the financial crisis of 2008 hit, many shocked critics asked why markets, regulators, and financial experts failed to see it coming. Today, one might ask the same question about the global economy’s vulnerability to cyber-attack. Indeed, the parallels between financial crises and the threat of cyber meltdowns are striking.”
—Kenneth Rogoff, Harvard University professor and former chief economist at the International Monetary Fund[2]

[2] “Will Governmental Folly Now Allow for a Cyber Crisis?” Project Syndicate, July 2012, http://www.project-syndicate.org/commentary/will-governmental-folly-now-allow-for-a-cyber-crisis-

02 Why cyberthreats have become business risks

[Figure: World Economic Forum Global Risk Landscape Top 10. Cyberattacks were rated the sixth most likely global risk to occur—of 50 potential risks (top quadrant shown below). Axes: less impact to more impact; less likely to more likely. Risks plotted: cyberattacks; chronic fiscal imbalances; water supply crises; failure of climate change adaptation; rising greenhouse gas emissions; severe income disparity; chronic labor market imbalances; persistent extreme weather; pervasive entrenched corruption; mismanagement of population ageing. Source: World Economic Forum Global Risk Landscape 2013]

When CEOs and boards evaluated their market threats or competitors, few previously considered cyberthreats. Today, the sheer volume and concentration of data, coupled with easy global access throughout the business ecosystem, magnifies the exposure from cyberattack. The reward of a successful attack and the ability to remain anonymous and undetected presents an opportunity for anyone with a computer and Internet connection to infiltrate the business ecosystem.

Adversaries—motives, means, and methods

Nation states, organized crime, hacktivists, terrorists, and even employees are all potential adversaries. These adversaries are sophisticated, determined, and patient, and they will target individuals, companies, or industries to gain advantage. Their motives range from economic espionage, to rapid monetization of information, to advancing political agendas. Cultural convention and geographic or legal boundaries don’t consistently apply in the global business ecosystem, leading to a low-risk, high-reward equation for your adversaries.

Numerous attack groups are backed by limitless resources, and in some cases are funded or informed by foreign intelligence services. Oftentimes, attack groups are able to devote highly talented individuals who are experts in technology, business process, and espionage tactics.

From our extensive experience working with a range of companies, we have witnessed adversaries use a wide array of methods and tactics to gain and maintain access while going undetected. Often the attack begins simply with an e-mail that contains an attachment or a link to a web site that compromises the victim’s computer—and ultimately the core business.

Anticipating threats in your ecosystem

Organizations must establish an ongoing capability to provide insight and intelligence on the cyberthreats facing the business. Armed with this insight, business leaders can anticipate and dynamically react to changes in their companies’ cyberthreat profile.

With cyberattacks posing a constant threat to the ecosystem, companies are beginning to understand that the real goal is to minimize, rather than eliminate, the damage and disruption they can do to the business. By considering threats now—instead of waiting until a breach is brought to light—they can limit the negative impact, such as lost revenue, competitive disadvantage, reputational damage, reduction of shareholder value, and eroding customer goodwill.

03 What information really matters—to your business and your adversaries

[Figure: What’s most at risk? Technology and business information of most interest to cyberattackers. Categories shown: information and communication technologies; military technologies; clean technologies; advanced materials and manufacturing techniques; healthcare, pharmaceuticals, and related technologies; agricultural technologies; business deals information; energy and other natural resources information; macroeconomic information. Source: Office of the National Counterintelligence Executive, Report to Congress on the Foreign Economic Collection and Industrial Espionage, 2009-2011, October 2011.]

Organizations generate enormous amounts of data. Some of it is insignificant, but some is mission critical and will cripple the business if exposed. Putting equal priority on all of it is not practical, cost effective, or necessary.

What are your crown jewels?

Companies must determine what their most valuable information assets are, where they are located at any given time, and who has access to them. Crown jewels are those information assets or processes that, if stolen, compromised, or used inappropriately would render significant hardship to the business. Examples include product designs, hedge fund trading strategies, new market plans, and executive communications.

Too often, organizations apply a “one-size-fits-all” model to protecting information assets. This just doesn’t work. Organizations must hold business executives accountable for protecting the crown jewels in the same manner as they are accountable for financial results and other key business management metrics.

The magnitude may not be felt for years

If R&D information, intellectual property, trade secrets, or other high-value information is compromised, the business impact may not be felt immediately. It may take months or years before the business feels the full effect on competitive advantage or degradation of cash flows.

In some cases, the fallout has been so severe that prominent companies ultimately went out of business. In fact, some public companies disclosed—after the fact—that they had been subjected to long-term hacking campaigns that destroyed the health of the business. One telecommunications CEO famously stated that he did not believe the hacking was a “real issue.”[3] However, in retrospect, a senior security official at the company indicated that he had no doubt that extensive cyberattacks on the company contributed to its downfall.[4]

As adversaries continually evolve, so must businesses

Cyberattacks are about economic advantage. Attackers are constantly evolving their capability to exploit vulnerabilities inherent in the global business ecosystem. Yet companies have not adapted, investing billions of dollars on security products and services that are built on outdated security models. What’s needed is an evolved approach in which businesses allocate and prioritize resources to effectively protect the crown jewels today and into the future.

[3] http://articles.washingtonpost.com/2012-02-14/business/35442181_1_hackers-gmail-accounts-high-profile-hack
[4] http://www.cbc.ca/news/business/story/2012/02/15/nortel-hacking-shields-as-it-happens.html

04 Gaining advantage: Awareness to Action

CEOs and boards that keep a sustained focus on cybersecurity do more than protect the business; they reap bottom-line benefits. We call this approach Awareness to Action, meaning that all activities and investments are driven by the best available knowledge about information assets, ecosystem threats, and vulnerabilities, and are evaluated within the context of business activity.

Here are three areas to initially consider when assessing your cybersecurity posture.

1. Enhance your cybersecurity strategy and capability
• Is an integrated cybersecurity strategy a pivotal part of our business model? Does the strategy consider the full scope of security: technical, physical, process, and human capital? Have we applied the required resources and investments?
• Do we have the security capability to advise internal business leaders on critical threats, emerging technology, and strategic initiatives?
• Can we explain our cybersecurity strategy to our stakeholders? Our investors? Our regulators? Our ecosystem partners?

2. Understand and adapt to changes in the security risk environment
• Do we know what information is most valuable to the business? Have we prioritized security to protect those assets accordingly? Have we quantified the business impact if the assets were impaired?
• Do we understand the significant changes in the threats facing our business? Who are our adversaries? What would they target? What techniques might they use?
• Are we actively acquiring and adapting to internal and external sources of intelligence? How are our controls and countermeasures responsive to events and activities? Are we actively involved in relevant public-private partnerships?

3. Advance your security posture through a shared vision and culture
• Does the chief information security officer role report, independent of IT, to the board or an executive leadership team committed to cybersecurity?
• Do employees understand their role in protecting information assets—have we provided the necessary tools and training?
• What assurances do we require from suppliers and service providers? Do we actively monitor, audit, and remediate our risk portfolio? Do we have standards in place to protect our assets throughout the ecosystem?

[Figure: The majority of CEOs would be blindsided by a cyberattack that could cripple the business. How likely is a cyberattack or major disruption of the Internet? Series: Global CEOs. Labels: “Unlikely to occur, not sure, don’t know” and “Likely to occur”. Values shown: 20%, 80%. Base: Global 1,330. Source: PwC, 16th Annual Global CEO Survey, 2013]