By Eric Lam, Director of Enterprise Cybersecurity Group, Microsoft Asia.
Many business and IT leaders I have spoken to agree that technology is a disruptive force – enabling new business models, opening new sources of revenue and shaping entire industry landscapes. However, one of the biggest challenges in digital transformation is ensuring security, privacy, and compliance. As people bring in devices, apps, and data into organizations, protecting company data requires rethinking.
With traditional IT boundaries disappearing and adversaries finding new targets to attack, organizations face the risk of significant financial loss, damage to customer satisfaction and market reputation – as has been made all too clear by recent high-profile breaches.
The Iceberg Effect of Cyber Attacks
Although business and IT leaders are mostly aware of cyber-risks, what’s interesting is that they often underestimate the business and economic impact of a cyberattack.
I like to use the analogy of an iceberg to describe the economic loss caused due to a cyberattack. Just like the iceberg which sank the mighty Titanic, cyberattacks can be vastly bigger than what most leaders can imagine.
Recently, we partnered with leading IT analyst firm Frost & Sullivan to map the impact of cybersecurity threats for businesses in Asia Pacific. The Study[i], titled “Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World”, examines the financial impact of cybersecurity in this dynamic region.
Read more about this study here.
In this study, Frost & Sullivan has segmented the total economic loss from cybersecurity attacks into three key categories: (See graphic below)
- Direct Loss: Losses directly associated with the cyber breach and its immediate aftermath;
- Indirect Loss: Opportunity costs to the organization, including losses that emanate as a result of trailing responses to the breach; and
- Induced Loss: The amplified negative impacts on the broader ecosystem and economy.
Now, if we go back to the analogy of an iceberg, the ‘tip of the iceberg’ is essentially the ‘Direct Loss’ which has relatively the smallest impact. The truly dangerous parts of the iceberg are hidden under the water line. And these are the ‘Indirect Loss’ and ‘Induced Loss’.
Frost & Sullivan calculated the total economic loss of cyberattacks by factoring in ‘Direct Loss’, ‘Indirect Loss’ and ‘Induced Loss’, combining macro-economic data with responses from business and IT leaders surveyed. The Study revealed that the potential economic loss across Asia Pacific due to security incidents was at US$1.745 trillion in 2017, which is 7% of the region’s total GDP of US$24.33 trillion[ii].
A deeper dive reveals that a large-sized organization in Asia Pacific (more than 500 staff) could incur an average economic loss of US$30 million from cyberattacks while a mid-sized organization in the region (250 to 499 staff) could lose an average of US$96,000.
One of the ‘indirect cost’ impact of cybersecurity attacks is loss of jobs. The Study shows that almost seven in 10 (67%) organizations experience job losses due to cybersecurity incidents. However, the job losses are not just limited to the IT department, its ripple effect can be seen across other business functions as well.
Steering Away from the Icebergs
The survey revealed that organizations are considering delaying Digital Transformation projects due to the fear of cybersecurity breaches. In the current rapidly changing business climate, where new business models and routes to market are created or changed frequently and quickly, Digital Transformation is a key enabler, and the success and competitiveness of organizations depends upon it. Can you really delay it?
To help organizations protect their digital assets in today’s digital economy, I would like to offer three recommendations for consideration by business and IT leaders when designing modern cybersecurity strategies:
- Cybersecurity should be a priority for digital transformation at project planning stage: The Study has shown that cybersecurity risks can hinder the progress of digital transformation projects. It is important for organizations to plan their cyber defense strategy during the planning stages of digital transformation projects, rather than try to patch the gaps post deployment. In short, cybersecurity should not be an afterthought.
- AI can help solve security talent shortage: In a world where there is an acute shortage of cybersecurity talent, Artificial Intelligence (AI) has the potential to help mitigate the shortages by automating processes such as threat detection and remediation, thereby allowing scarce cybersecurity resources to re-focus on higher-level activities. After all, it is about what technology should do and not what it can do.
- Develop a data analytics culture: To harness the potential of AI as the next-generation of defense against cyber threats, organizations should develop a data analytics culture which involves data classification, multifactor authentication, encryption, rights management, machine learning for behavioral analytics and behavioral analytics to spot user anomalies and irregular or suspicious patterns. Data analytics does not just forewarn of impending threats but can also signal an alert in the event of an ongoing hidden security breach.
What I learnt in my years of providing advice to help organizations design cybersecurity solutions to protect their modern enterprises is – there is simply no way you can avoid hitting icebergs in this digital world. What is vital for organizations is to understand that there are real risks present in today’s vast digital ocean, therefore they should integrate security safeguards into their business systems and platforms to help their ship weather attacks, employ vigilante and sharp-eyed lookouts to spot potential icebergs, and have a comprehensive and well-rehearsed plan which in the event they hit an iceberg, allows them to rapidly safeguard the crew and precious digital cargo, and keep the ship afloat and sailing to their business destination.
[i] The Study involved a survey conducted with 1,300 respondents in 13 markets:
- 100 respondents from each of these 13 Asia Pacific markets were involved: Australia, China, Hong Kong, Indonesia, India, Japan, Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan and Thailand.
- Respondents are business and IT decision makers involved in shaping their organizations’ digital strategy.
- Some 44% are business decision-makers, including CEOs, COOs and Directors; and 56% are IT decision-makers, including CIOs, CISO and IT Directors.
[ii] World Bank’s Asia Pacific GDP information: https://data.worldbank.org/indicator/NY.GDP.MKTP.CD