As data becomes more critical in supporting business units and functions — and as cyberthreats grow — the responsibility for keeping that data safe must expand beyond IT.

It’s hard to imagine a more challenging year than 2020 for data security. The pandemic meant that millions of employees worldwide were suddenly working from home. More severe cyberthreats — some from highly sophisticated state actors — threatened company databases. And at a regional level, natural disasters disrupted operations and supply chains.

To gauge how organizations responded to this perfect storm of cyberthreats, we interviewed 57 technology leaders during the second half of 2020, including CIOs, chief information security officers, chief data officers (CDOs), and other business leaders in public- and private-sector organizations. The key insight from that research is that cyber resilience — the ability to withstand unanticipated disruption — is no longer exclusively the responsibility of IT functions. Rather, as data becomes more pervasive across company operations and functions in improving business performance, organizations need a comprehensive approach to cyber resilience. Specifically, they need a clear plan for how to manage all aspects of data and cross-functional responsibilities for keeping that data safe.

Disruptions Continue to Grow

Most organizations were unprepared for the pandemic and the resulting shift from physical offices to working from home. Companies allowed business and function leaders to make piecemeal, ad hoc arrangements to suit the needs of their teams. As a result, IT and security teams often did not know which devices were being used by employees, the applications that were on those devices, whether they had appropriate security patches, the security of Wi-Fi connections, or the prevalence of other connected devices, such as gaming consoles and smart home devices.

The resulting free-for-all — implemented for the sake of continuing business operations — led to an exponential increase in cyber risk. Cyberattacks rose 400% in 2020 compared with previous years, primarily due to nefarious players exploiting ill-secured virtual work environments and IT infrastructures that had been adapted on the fly.[1] On average, these attacks cost businesses hundreds of thousands of dollars to address (but often far more) and are a factor in many small and medium-sized enterprises going out of business.[2] Even with U.S. company losses due to cyberattacks nearing a reported $1 trillion by late 2020, a survey of nearly 1,000 organizations found that only 44% had cyber preparedness and incident response plans in place.

About the Authors

Chon Abraham is an associate professor of information systems at the College of William & Mary’s Raymond A. Mason School of Business and a military reserve cyber officer who teaches and researches cyber resilience and governance topics. Ronald R. Sims, the Floyd Dewey Gottwald Sr. Professor of Business Administration at the Raymond A. Mason School of Business, teaches organizational behavior topics, including human resource management relative to cybersecurity and information security.

