Here is an excerpt from an article written last year by Jim Boehm, James Kaplan, and Wolf Richter for the McKinsey Quarterly, published by McKinsey & Company. To read the complete article, check out others, learn more about the firm, and sign up for email alerts, please click here.
* * *
Digitization increases the risk of cyberattack, and this is exacerbated by the COVID-19 pandemic
75 percent of experts, across many industries, consider cyberrisk to be a top concern.
All industries face greater exposure to cyberthreats due to increasing digitization. For example, in the airline industry, digital innovation across the value chain—combined with the sheer volume of customer data airlines possess—has made them a hot target for cybercriminals. Various cyberincidents have demonstrated the need for airlines to upgrade IT and operational technology systems to reduce risk and build resiliency into their heavily digitized operating models. In 2019, the United Kingdom imposed a $230 million fine on a European airline for a breach caused by security vulnerabilities in its website. And in 2018, hackers penetrated unpatched servers and access controls of an Asian airline to steal the personal data of 9.4 million customers.
Additionally, more airlines are moving to the public cloud, for example, to harness data analytics and optimize customer experience and operations. As airlines integrate a wider array of ecosystems—such as those facilitated by the International Air Transport Association New Distribution Capability Standard—to personalize their offerings further and exchange more granular information with partners, they may have less control over the security environment and become more prone to digital attacks.
Exhibit 1 shows a snapshot of recent, publicly reported IT and cyberincidents in the airline industry.
According to Identity Theft Resource Center statistics for the United States, despite a recent decline in the total number of data breaches to about 1.2 billion, the number of records exposed has grown by about 15 percent a year since 2005 to more than 447 million in 2018 (Exhibit 2).
Given the industry’s low margins, airlines also continuously look for cost-cutting opportunities, including in IT. Many try to optimize vendor contracts for unit costs rather than acquire the agility or innovation required to evaluate new business concepts and respond quickly to new threats or opportunities.
The response to COVID-19 has increased cyberrisk
Physical distancing means many workers are staying home and making greater use of videoconferencing services, collaboration platforms, and other digital tools to do business. In their free time, they are also going online more frequently to shop, read, chat, play, and stream. All these behaviors put immense stress on cybersecurity controls and operations. Several major vulnerabilities stand out:
First, a broad shift toward work-from-home arrangements has amplified long-standing cybersecurity challenges and opened multiple vectors for cyberattacks (Exhibit 3). Second, social-engineering ploys—to gain information, money, or access to protected systems—are on the rise, such as attackers posing as help-desk teams, health workers, or investors in virus-related response activities. Finally, cyberattackers are using websites with weak security to deliver malware, in some instances using domains and websites created to spread information and resources to combat COVID-19.
As the COVID-19 outbreak progresses and alters the functioning of our socioeconomic systems, cyberattackers will continue their efforts to exploit our fears and our digital vulnerabilities. To remain vigilant and effective, CISOs will need new tactics, particularly in two areas: securing work-from-home arrangements at scale; and supporting high levels of consumer-facing network traffic.
How leaders can manage cyberrisk
Given the gravity, complexity, and growing number of risks that businesses face, executives need ways to set priorities and sequence their cybersecurity and digitization investments. Based on our experience in serving leaders in industries from consumer lending to national defense, we recommend that senior teams step back and consider their overall situations from a business perspective. Digitization requires a powerful, reliable backbone that has security and resilience built in. Managing cyberrisk requires focus in four main areas: assessing vulnerabilities with a quantitative risk analysis; reviewing cloud architecture and security capabilities; muscling up incident response and recovery capabilities; and prioritizing a cybersecurity budget, including building a skilled talent pool and optimizing resources through automation.
Assess your vulnerabilities by performing a detailed quantitative risk analysis
Cybersecurity should be central to every strategic decision and an essential component of every IT product in the organization. Cybersecurity initiatives should be prioritized based on business-risk scenarios. By looking across the business through a cybersecurity lens, companies can transform their decision making and make wiser investments based on risk. Reviewing potential attack vectors from a risk perspective and evaluating the effectiveness of current cybersecurity activities could help identify areas that put the company at risk but are not yet covered by existing cyberactivities.
We recommend that cybersecurity leaders assess their organization’s current vulnerability through a quantitative risk analysis including patch management practices; and build metrics and a dashboard to report regularly on the identified vulnerabilities and patch releases to the CISO.
Review cloud architecture and security capabilities
A company should build an IT architecture and operating model that best supports its growth, digitization, and business model. In reviewing cloud architecture, it is important to first understand what data you are putting in the cloud now and to minimize the presence of sensitive information there. CISOs should also implement a holistic cloud security strategy—emphasizing access management, threat monitoring, and incident response. Additionally, it is advisable to conduct regular penetration and vulnerability testing and audit reviews to ensure your cloud environment is secure.
* * *
Here is a direct link to the complete article.
Jim Boehm is a partner in McKinsey’s Washington, DC, office, James Kaplan is a partner in the New York office, and Wolf Richter is a partner in the Berlin office.
The authors wish to thank Amine Aït-Si-Selmi, Marion Castel, and Mathilde Castet for their contributions to this article.