Cyberattacks are an increasingly common and worrisome threat. To combat the risk, companies need to understand both hackers’ tactics and their mindsets.
If you have any doubts about the need for a new corporate cybersecurity mindset, the daily news contains plenty of sobering evidence. Recently, Yahoo Inc., which was in the midst of a planned transaction to sell its core businesses to Verizon, disclosed that it had been the target of two of the biggest data breaches ever, with sensitive information stolen involving more than 1 billion user accounts in 2013 and 500 million in 2014.1 In addition to highlighting Yahoo’s cybersecurity vulnerability, the attacks have resulted both in a delay in the planned acquisition by Verizon and in a probe by the U.S. Securities and Exchange Commission about the disclosure of the breaches.2 The incident raises broad questions about how cyberthreats affect mergers and acquisitions deals, and it could have an impact on disclosure guidelines and regulations.
In the past several years, the list of companies whose internal systems have been hacked has grown rapidly. In addition to hundreds of small and medium-size companies, it now includes such high-profile businesses as Target, JPMorgan Chase, Home Depot, Sony Pictures, Ashley Madison, and Yahoo. In many cases, cybersecurity breaches go on for weeks or months before they’re discovered. Cybersecurity breach response times can be a crucial factor in the data breach scale, its mitigation, the determination of its source, and also future legal issues involving the disclosure period. Not only have the attacks in the past few years been costly for the companies, but they also shake the confidence of customers, shareholders, and employees. And no industry appears to be safe from attacks, regardless of the specific measures individual companies use to defend themselves.
As a result, spending on cybersecurity is poised to accelerate. Gartner Inc., the information technology (IT) research and advisory firm, has estimated that global spending on information security would reach $81 billion in 2016 and may grow to $101 billion by 2018, with the highest growth in security testing.3 Unfortunately, investment in security measures is only part of the answer; traditional methodologies can only do so much. To be effective, executives in charge of cybersecurity need to adjust their mindsets and become as open and adaptive as possible.