The report, Risk and Responsibility in a Hyperconnected World, which was produced in conjunction with McKinsey & Company, addresses options that institutions can take to improve cyber resilience and mitigate the economic and strategic impact of cyberattacks. With the recent proliferation of cyberattacks, corporate executives need to devote increasing attention to protecting information assets and on-line operations, the report says. The report is the result of a global, multi-industry, multistakeholder effort carried out via a series of workshops with more than 300 top global executives, government, civil society and experts.
“The common notion of security implies isolation, the protection of a defined perimeter or an objective defined by the prevention of an event,” the report says. “This notion of security seems quaint in a world where it is impossible to draw a clean ring around the network of one country or one company, and where large organizations can be the target of 10,000 cyberattacks per day.”
Major technology trends, including big data and cloud computing, could add between $9.6 trillion and $21.6 trillion to the world economy by 2020, the report says. However, if the sophistication of cyberattacks continues to increase, outstripping defensive efforts by governments and businesses, a wave of new regulations and corporate policies could slow innovation and trim $3 trillion from those estimates.
“Developing resilience to cyber risks in our economic and social systems is not a question of simply building walls for security,” Alan Marcus, Senior Director and Head of Information Technology and Telecommunications Industries at the World Economic Forum USA, said in a statement. “There are trade-offs to be made with other goals we wish to value, such as privacy, growth, innovation, and the free flow of goods and data. But to make good decisions, we need better data.”
To protect against the strategic and economic effects of such costly attacks, the report outlines ways to build awareness, understanding and action with top public and private sector leaders. It also assesses the economic impact of concerns around cyber risks, proposes a global framework aimed at coordinating collaboration, and provides a capabilities-based roadmap for businesses and governments.
The report issues this stark assessment of the current state of cyber-awareness:
As the risk of cyberattacks is becoming more prevalent, the cost of the attacks – to companies, public institutions, the global economy and society at large – is also growing. This is the clear message that emerged from research assembled over the past year. To foster technology innovation, and continue to reap value from it, a robust cyber resilience ecosystem is required across sectors and institutions. To deter malevolent attackers, companies will have to abandon their current fragmented cyber resilience defences built around reactive “audit” and “compliance” models. Today’s increasingly digital age needs a step-change in cyberattack response – cyber resilience models that are characterized by a business-driven, risk-management approach.
Nations need to develop a “comprehensive and transparent cyber strategy that is integrated and harmonized with the strategies and procedures across all domestic and international policy,” the report says. That needs to be a public/private effort that focuses on incentives driven by the government. In order for this coordination to take place, the report recommends that a single institution take on the responsibility for shepherding any national cyber policy.
“Cyberattacks have the potential to change the nature of warfare and international relations, almost past the level of the Cold War,” the CIO of a European aerospace and defence company told the report’s authors. Because cyber events could carry such grave circumstances for a stable geopolitical environment, “countries should establish a national cyber doctrine to define and express their positions on the use of cyber resilience tools and weapons for national purposes,” the report says. “A primary concern voiced by several institutions is the often-stark differences in [cyber] requirements for different nations. This challenge can drastically affect the growth of international and local businesses,” the report says.
“There needs to be a fundamental change in the way we protect ourselves from cyber attacks. Check-the-box compliance-based approaches simply don’t work anymore,” James Kaplan, a Partner at McKinsey & Company, said in a statement. “Companies and public institutions need to build cybersecurity capabilities that are scalable, deeply integrated into the broader IT environment and focused on addressing the more important business risks.”