You might think business failure is the key reason why CEOs get fired; few would have thought cybersecurity failure is becoming a crucial issue too.
In February 2011, a US company that was helping the federal government track down cyberactivists was itself hacked by those very cyberactivists, a famous leaderless and anarchic hacker group. This embarrassing hacking campaign exposed the personal information of the company’s CEO, resulting in his resignation.
In April 2011, the same cyberactivist group attacked a Japanese high-tech company’s network, compromising the information of 77 million users. The resulting network outage cost the company US$171 million and the CEO his job.
The looming threats posed by these cybersecurity incidents should alert CEOs that there is no silver bullet and there is never a point where you are “done” securing the network and data.
Earlier, Edward Joseph Snowden made his name by revealing top-secret documents on the US National Security Agency’s (NSA) spying operations on domestic and foreign internet traffic, e-mails and phone conversations. According to him, more than 75 percent of the computers in China and Hong Kong had been hacked by the NSA since 2009.
Sadly, many Hong Kong organizations are still unaware of the importance of cybersecurity. Even after Snowden’s revelations, very few of them have bothered to reassess their cybersecurity levels and remedy the related security loopholes. While some of the MNCs are seen to take this issue seriously and have started to seek professional help, most of the local and Chinese enterprises are still not taking any action.
What is constraining these enterprises from putting more effort into improving and refining their cybersecurity?
According to a 2013 global security survey by Deloitte, 49 percent of the respondents attribute this to a lack of budget and resources, 37 percent of them blame the increasingly cunning attacks from hackers and the rapidly developing technology, while 28 percent cite insufficient support from management and at the operational level as the main reason.
These figures indicate that organizations mostly invest in information technology to increase revenues, so they would rather invest in IT assets such as business intelligence tools that expand sales than in IT security, which does not bring any visible returns. This widening gap between investment in cybersecurity and the looming cybersecurity risks has intensified threats to organizations.
Now that Snowden’s revelations have alerted the entire world to pressing cybersecurity threats, organizations can no longer bury their heads in the sand to hide from the ever-present danger. Waiting to fix the problem only when one occurs is absolutely unacceptable. It is high time that all organizations come to the realization that a more proactive, suitable and operational security environment should be built.
Earlier this year, Deloitte’s global financial institution security study showed that one third of organizations have experienced security breaches originating from the inside, while one fourth of them have seen such cases caused by external threats. Hence, although outside sources like hackers do pose an imminent threat, the biggest risk lies with internal security.
Fighting cybersecurity threats should be the mission of both enterprises and the government. Just as a lot of people take regular medical checkups and thus are able to receive timely treatments, organizations also need regular cybersecurity inspections to avoid hazards that might potentially cripple the business.
How are these inspections conducted? For one, enterprises can conduct in-house examinations of external leakage and internal network threats, or hire professional consultants to do so, so that the management team gains an in-depth understanding of the current and future cybersecurity situation. For another, enterprises could lower their vulnerability to cyber risks through security awareness training in order to reach a higher standard of cybersecurity.
At the same time, the government should play a more significant role in supervising the cybersecurity of organizations. Currently in Hong Kong, only the Hong Kong Monetary Authority has cybersecurity requirements for financial institutions. Organizations other than financial institutions do not have to meet any specific cybersecurity standards at all.
In other countries, by contrast, European and US governments are all planning to strengthen related supervision. For instance, the US Securities and Exchange Commission requires listed firms to follow a set of cybersecurity guidelines. The Hong Kong government should learn from the experience of other jurisdictions.
The writer is a partner at Deloitte.