Risk and responsibility in a hyperconnected world: Implications for enterprises

In an article they co-authored, David Chinn, James Kaplan, and Allen Weinberg discuss a new report from the World Economic Forum and McKinsey & Company that suggests, for the world’s economy to get full value from technological innovation, it must have a robust, coordinated approach to cybersecurity. They suggest how that could happen. To read the complete article, check out others, obtain information about the firm, and register to receive email alerts, please click here.

To learn more about the McKinsey Quarterly, please click here.

* * *

When “everything is becoming digital,” private, public, and civil institutions become more dependent on information systems and more vulnerable to attack by sophisticated cybercriminals, political “hacktivists,” nation-states, and even their own employees. As a result, all of our institutions will have to make increasingly thoughtful trade-offs between the value inherent in a hyperconnected world and the risk of operational disruption, intellectual property loss, public embarrassment, and fraud that cyberattacks create.

Over the past year, McKinsey and the World Economic Forum undertook joint research to develop a fact-based view of cyberrisks, assess their economic and strategic implications, and lay out a path forward. Interviews with executives and data from more than 200 enterprises, technology vendors, and public agencies contributed to the three main findings for enterprises:

o Despite years of effort, and tens of billions of dollars spent annually, the global economy is still not sufficiently protected against cyberattacks—and it is getting worse. The risk of cyberattacks could materially slow the pace of technology and business innovation with as much as $3 trillion in aggregate impact.

o Enterprise-technology executives agree on the seven practices they must put in place to improve their resilience in the face of cyberattacks; even so, most technology executives gave their institutions low scores in making the required changes.

o Given the cross-functional, high-stakes nature of cybersecurity, it is a CEO-level issue, and progress toward cyberresiliency can only be achieved with active engagement from the senior leaders of public and private institutions.

A critical social and business issue

The theft of information assets and the intentional disruption of online processes are the most important technology risks that major institutions face. Nearly two-thirds of companies across sectors and regions described the risk of cyberattack as a “significant issue that could have major strategic implications.”

The defenders are losing ground to the attackers. Nearly 80 percent of technology executives said that they cannot keep up with attackers’ increasing sophistication. Many frontline practitioners said they are seeing the dissemination of sophisticated attack strategies from major nation-states to a broader array of criminals and hacktivists who have much more destructive ambitions.

Large institutions lack the facts and processes to make effective decisions about cybersecurity. Of the more than 60 institutions whose practices we surveyed in detail, 34 percent had a “nascent” level of maturity and another 60 percent were “developing.” Larger expenditures have not translated into an increased maturity, and many institutions appear to be throwing money at the problem.

Controls required to protect against cyberattacks are already having a negative business impact. For example, security concerns are delaying mobile functionality in enterprises by an average of six months—and are dramatically limiting the extent to which many companies are using public-cloud services. For nearly three-quarters of companies, security controls reduce frontline productivity by slowing employees’ ability to share information. And even though direct cybersecurity spend is small, it can have a much larger indirect-cost impact on the IT organization. Some chief information officers said that security requirements could drive as much as 20 to 30 percent of their overall activity.

There are multiple scenarios for how the cybersecurity environment could evolve over the next five to seven years. However, if attackers continue to get better more quickly than defenders, this could result in a world where a “cyberbacklash” decelerates digitization. In this scenario, a relatively small number of destructive attacks reduces trust in the economy, causing governments to impose new regulations and institutions to slow down the pace of technology innovation. As a result, the world would capture less of the $10 trillion to $20 trillion available from big data, mobility, and other innovations by 2020—the ultimate impact could be as much as $3 trillion in lost productivity and growth.

* * *

Here is a direct link to the complete article.

David Chinn is a director in McKinsey’s London office; James Kaplan is a principal in the New York office, where Allen Weinberg is a director.
