Until recently, financial firms and governments were the primary targets of cyberattacks. Today, with every company hooking up more and more of its business to the Internet, the threat is universal. Consider the havoc wreaked by three recent events. From 2011 to 2014, energy companies in Canada, Europe, and the United States were attacked by the cyberespionage group Dragonfly. In May 2017, WannaCry ransomware held hostage public and private organizations in telecommunications, healthcare, and logistics. Also in 2017, NotPetya ransomware attacked major European companies in a wide variety of industries. And in 2018, Meltdown and Spectre were exposed as perhaps the biggest cyberthreat of all, showing that vulnerabilities lie not just in software but in hardware too.
Little wonder, then, that risk managers now consider cyberrisk to be the biggest threat to their business. According to a recent McKinsey survey, 75 percent of experts consider cybersecurity to be a top priority. That’s true even of industries like banking and automotive, which one might think would be preoccupied with other enormous risks that have emerged in recent years. But while awareness is building, so is confusion. Executives are overwhelmed by the challenge. Only 16 percent say their companies are well prepared to deal with cyberrisk. The threat is only getting worse, as growth in most industries depends on new technology, such as artificial intelligence, advanced analytics, and the Internet of Things (IoT), that will bring all kinds of benefits but also expose companies and their customers to new kinds of cyberrisk, arriving in new ways. So what should executives do? Keep calm and carry on? That’s not an option. The threat is too substantial, and the underlying vectors on which it is borne are changing too quickly.