According to a study by CSIS and McAfee, the global cost of cybercrime has now reached as much as $600 billion – about 0.8 percent of global GDP. The same study indicates that on a daily basis, there are 80 billion malicious scans; 300,000 new pieces of malware; 33,000 phishing attempts; and 780,000 records lost to hacking.
Cyberhackers attacked Yahoo and obtained names, dates of birth, email addresses, passwords, and security questions and answers for all 3 billion Yahoo user accounts, costing the company $350 million, CEO Marissa Mayer her annual bonus and its general counsel his job. Hackers attacked Target and collected 40 million credit and debit card numbers and an additional 70 million names, addresses, email addresses and telephone numbers, resulting in the resignation of the CEO and CIO and costing $202 million (even with a cybersecurity insurance policy). Cyber-criminals stole the credit card data of 40 million Home Depot customers and email information for another 52 million customers, forcing Home Depot to pay $161 million in pre-tax expenses for the breach.
Despite these highly publicized cyberattacks, recent surveys show that confusion still exists within the C-suite regarding what constitutes a cyber risk and what they need to do to prevent the risk. Other surveys have shown that in terms of cyber practice, the C-suite constitutes a significant threat. How, then, do we convince a busy group of highly educated and highly compensated people that the threat is real and that they are a priority target of hackers? The answer is war gaming: placing a corporate team under considerable pressure in order to give life to the cyber threats and processes that exist within the business. This activity can build awareness, confidence and competence.
Without question, the C-suite represents the biggest threat to a business’s cybersecurity. Business planning, finance, confidential data – executives have it all, and as a result, they have a large bullseye on their backs. After all, the hacking of Hillary Clinton’s presidential election campaign was a result of an email sent to the chairman of her campaign, a successful phishing attack that allowed the hacker to obtain the password.
What is surprising is that even after that election, and all the recent corporate cyberattacks, the C-suite’s overconfidence still gives cybercriminals a great opportunity and companies a real problem: a target that is uneducated, unprotected and vulnerable. A recent study by the Ponemon Institute found that 29 percent of CEOs and CFOs are exempt from cybersecurity training.
War gaming strips the C-suite back to basics: in a tight period of time, they must prepare a response to a series of evolving, intense and realistic threats. While the business’s cyber specialists remain on hand to offer advice, the onus is on the C-suite to make the final call. No one in the C-suite wants to be the person who has to sit in front of a camera and explain to the media why parts of the business have closed down, why the brand is suffering and why the share value has dropped. Executives have to feel the possible pain of inaccurate decisions.
The benefit of this approach is that it can result in a fundamental shift in mindset. Cybersecurity is no longer perceived as a tax but as an essential enabler for sustaining and growing the business, lifting cybersecurity from the basement to the top table. Most importantly, war gaming equips the C-suite to lead the battle now, when the enemy is at its gate.