10 May 2014

THE RISING STRATEGIC RISKS OF CYBER ATTACKS: MCKINSEY REPORT

May 7, 2014 · by Fortuna's Corner 

The global risk management and consulting firm McKinsey and Company, in conjunction with the World Economic Forum, conducted a study on the outlook for cyber attacks and cyber risk in the months and years ahead. The result is a quarterly report, attached at the link above, with the title “The Rising Strategic Risks Of Cyber Attacks.”

Tucker Bailey, Andrea Del Miglio, and Wolf Richter write that “more and more business value and personal information worldwide are rapidly migrating into digital form on open and digitally interconnected technology platforms. As that happens, the risks from cyber attacks become increasingly daunting. Criminals pursue financial gain through fraud and identity theft; competitors steal intellectual property, or disrupt business to grab advantage; “hacktivists” pierce online firewalls to make political statements.”

The authors note that “research conducted by McKinsey and the World Economic Forum suggests that companies are struggling with their capabilities in cyber risk management. As highly visible breaches occur, with growing regularity, most technology executives believe that they are losing ground to attackers. Organizations large and small lack the facts to make effective decisions, and traditional “protect the perimeter” technology strategies are proving insufficient. Most companies also have difficulty quantifying the impact and risk mitigation plans. Much of the damage [cyber] results from an inadequate response to a breach [Target], rather than the breach itself.”

“Complicating the matter further for executives,” the authors note, “mitigating the effects of [cyber] attacks often requires making complicated trade-offs between reducing risk and keeping pace with business demands. Only a few CEOs realize that the real cost of cyber crime stems from delayed, or lost technological innovation — problems resulting in part from how thoroughly companies are screening technology investments for their potential impact on the cyber risk profile.”

McKinsey notes that “these findings emerged from interviews with more than 200 chief information officers, chief information-security officers, regulators, policy-makers, technology vendors, law-enforcement officials, and other kinds of practitioners in seven sectors across the Americas, Europe, the Middle East, Africa, and Asia. McKinsey also drew on a separate McKinsey executive survey on cyber risk — supplementing this research with an analysis of McKinsey Global Institute (MGI) data on the value-creation potential of innovative technologies. It showed that the economic costs of cyber crimes could run into the trillions of dollars.”

Areas Of Business Concern

McKinsey highlights “four areas of concern on how executives perceive cyber risks, their business impact, and the readiness of companies to respond”:

“More than half of all respondents, and 70 percent of executives from financial institutions, believe cyber security is a strategic risk for their companies. European companies are slightly more concerned than American ones. Notably, some executives think internal threats (from employees) are as big a risk as external attacks.”

“Equally worrisome,” McKinsey notes, “a large majority of executives believe that attackers will continue to increase their lead over corporate defenses. Sixty percent of executives interviewed think the sophistication or pace of attacks will increase somewhat more quickly than the ability of institutions to defend themselves. Product companies, such as high-tech firms, are most concerned with industrial espionage. The leaking of proprietary knowledge about production processes may be more damaging than leaks about product specifications — given the pervasiveness of “teardown” techniques and legal protections afforded to product designs. Service companies are more concerned about the loss and release of identifiable information on customers and about service disruptions.”

According to McKinsey’s ongoing cyber risk-maturity survey research, “large companies reported cross-sector gaps in their risk-management capabilities. Ninety percent of those most recently surveyed had “nascent,” or “developing” ones. Only five percent were rated “mature” overall across the practiced areas studied (in their full report at the link provided).” “Notably,” McKinsey “found no correlation between spending levels and risk-management maturity. Some companies spend little but do a comparatively good job of making risk-management decisions. Others spend vigorously, but without much sophistication. Even the largest firms had substantial room for improvement. In finance, for instance, senior nontechnical executives struggled to incorporate cyber risk management into discussions or enterprise risk management; and, often couldn’t make informed decisions — because they lacked data.”

“Concerns about cyber attacks are starting to have measurable negative business implications in some areas. In high-tech, fully half of the survey respondents said they would have to change the nature of their R and D efforts over time. There is a noticeable concern, as well, that cyber attacks could slow down the capture of value from cloud computing, mobile technologies, and health-care technologies. Some 70 percent of the respondents said their security concerns had delayed the adoption of public cloud computing by a year or more, and 40 percent said such concerns delayed enterprise-mobility capabilities by a year or more,” according to the authors.

McKinsey adds that “cyber security controls are having a significant impact on frontline productivity too. About 90 percent of the respondents overall said that controls had at least a moderate impact on it. Half of the high-tech executives cited existing controls as a “major pain point” that limited the ability of employees to collaborate.”

The authors write that “while there is broad agreement among executives that concerted efforts by policy-makers, companies, and industry associations will be needed to reduce threats, there is considerable disagreement about how a consensus might take shape. And, executives worry that new regulations may be grounded in outdated techniques and that regulators’ skills and capabilities may be insufficient.”

A Global Economic Penalty

“Looking forward,” McKinsey argues, “if the pace and intensity of [cyber] attacks increase, and are not met with improved defenses, a backlash against digitization could occur, with large, negative economic implications. Using MGI data on the technologies that will truly matter to business strategy, during the coming decade,” McKinsey “estimates that over the next five to seven years, $9T to $21T of economic-value creation, worldwide, depends on the robustness of the cyber security environment.”

“Consider for example,” McKinsey argues, “cloud computing. In an environment where a solid cyber resilience ecosystem accelerates digitization, the private and government sectors would increase their use of the public cloud technologies, with enhanced security capabilities — allowing widespread deployment for noncritical workloads. Private clouds would handle more sensitive workloads. In this case,” McKinsey estimates “that cloud computing could create $3.72T in value by 2020. However, in an environment of stepped-up cyber attacks, public clouds would be underutilized, given increased fear of vulnerabilities, and higher costs from compliance — with stricter policies on third-party access to data and systems. Such problems would delay the adoption of many systems and reduce the potential value from cloud computing by as much as $1.4T.”

“These dynamics could play out in many areas, with the proliferation of attackers’ weapons leading to widespread and highly visible incidents that trigger a public backlash and push governments to enforce tighter controls, which could dramatically decelerate the pace of digitization.” “Indeed,” concludes McKinsey, “our interviews and workshops with executives from a variety of sectors reinforce the view that the cyber security environment may be getting more difficult [to manage and navigate] — and, that early elements of a backlash are already beginning to materialize.”

For more on this report, you can download the full report, “Risk And Responsibility In A Hyper-connected World.” V/R, RCP.
