Board Guidance for Cybersecurity in a Down Economy
November 18, 2022
Despite forecasting, cyber risk can come from anywhere, often far outside the control and oversight of an enterprise.
In recent times, we’ve seen what a risky business cybersecurity can be. COVID-19 increased cyber-risk exposure for many organizations as a result of the rush to transition to working from home. The conflict in Ukraine then raised many organizations’ cyber risk profiles further. Now, economic conditions, including the threat of an economic slowdown or recession, are uniquely impacting cyber risk.
In each of these situations, cybersecurity teams and the policies and procedures they implement have had to adapt the cybersecurity control environment to a rapidly changing cyber-risk environment. In particular, economic forces introduce impacts on cyber risk and cybersecurity that are unique.
As economic uncertainty continues, and some private companies find themselves in a weaker financial position to invest in cybersecurity programs than their public company peers, boards should bear in mind that the threat landscape shifts as insider threats rise. They should consider, too, that spending cuts in the wrong areas of cybersecurity can weaken cyber controls and increase risk disproportionately. Finally, systemic risk can increase unexpectedly from unknown control changes elsewhere in a highly connected digital business system.
So, what kind of measures should business leaders and boards put in place when economic uncertainty hits?
During periods of economic uncertainty, employees and other connected individuals are both well-placed to control systemic cyber risk and a prime target for cyberattackers who double down on exploiting human weaknesses. Strengthening related cyber controls, such as through employee cyber training, behavior analysis, and monitoring, might be an important step toward reducing this rise in insider risk.
Every organization wants to protect the business value that is directly and indirectly derived from its digital business system. But as the amount of business value that is dependent upon the digital business system grows, corporate boards need to understand how external threats impact the risk to that value and assess whether their cyber controls are effectively aligned.
The economic concept of diminishing returns suggests that returns decrease with ongoing investment. It is a general principle that also holds from a cybersecurity perspective, though not always. Generally, the level of return from initial cyber-risk controls is higher than the return from subsequent investments. This principle also reflects the reality that no business can be 100 percent secure from cyber risk.
However, this rule doesn’t apply when cyber risk is not static, such as in the rise of insider threats during times of economic disruption. Strengthening cyber controls where risks are rising could warrant an increase in cybersecurity spending and deliver increased returns (that is, better security) to the entire system by significantly lowering risk from this new threat vector.
Spending cuts in cybersecurity need to be carefully considered to avoid weakening the wrong cyber controls as risks could rise disproportionately. Instead, consider several strategic and tactical opportunities in cybersecurity spending during periods of economic turmoil, such as the following:
It is important to remember that cybersecurity controls and procedures are part of a larger, complex system working to defend the business value that is dependent on the digital business system. Budget impacts on one part of the system can have implications throughout a highly connected digital business system, as external or third-party partners adjust their cybersecurity controls environment. This can inadvertently create additional risks that creative attackers could exploit with significant systemic impact across a connected ecosystem.
Cybersecurity budgets fund a wide range of controls that work together systemically to protect the organization. This presents boards and organizations with a challenge when economic conditions require budget freezes, reallocations, or reductions.
Budgets in cybersecurity encompass the system of technical, physical, and administrative controls that the organization has implemented to reduce its cyber-risk profile. The board's approach to cybersecurity governance is also a part of every organization's cybersecurity control system. Directors need to remember that every organization is effectively self-insured for the vast majority of the economic loss that could occur from a cyber incident. The organization’s cybersecurity budget represents its self-insured “cyber insurance premium”: it establishes and maintains the controls that reduce the organization’s cyber-risk exposure.
Just as reducing third-party cyber insurance premiums results in lower coverage levels from the cyber insurance carrier, cutting the cybersecurity budget, that is, reducing the organization's self-insured “cyber insurance premium,” can degrade cybersecurity control procedures and thereby change the organization's overall cybersecurity posture and level of controlled risk.
To handle cybersecurity in times of economic crises, business leaders and boards can do the following:
Unintended cybersecurity consequences can occur if cybersecurity budgets are not strategically and tactically adjusted in a dynamic risk environment. Fortunately, cyber-savvy boards, together with their information security teams, can be empowered to deal with them by considering the suggestions above.
Accenture is a global professional services company with leading capabilities in digital, cloud and security. Combining unmatched experience and specialized skills across more than 40 industries, we offer Strategy and Consulting, Technology and Operations services and Accenture Song — all powered by the world’s largest network of Advanced Technology and Intelligent Operations centers. Our 721,000 people deliver on the promise of technology and human ingenuity every day, serving clients in more than 120 countries. We embrace the power of change to create value and shared success for our clients, people, shareholders, partners and communities. Visit us at www.accenture.com.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter, LinkedIn or visit us at accenture.com/security.
Copyright © 2022 Accenture. All rights reserved. Accenture and its logo are trademarks of Accenture. This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.