An email embedded with malware. Security systems hacked by thieves. Credit card numbers stolen from store purchases. There’s certainly no shortage of examples when it comes to data security breaches and the havoc they wreak on business. And as technology continues to create innovative ways for organizations to connect with customers, the bad actors are innovating as well.

Innovation almost always runs ahead of security. One of the most innovative places in the world is the dark net, which supports organized crime as well as basement hackers. Everyday there are new tools, new attack services and cash-out strategies being developed and shared. Everything is changing: the compromise points, the risks, and the consequences.

So, it’s no wonder that 86 percent of 1,200 chief executives from many of the world’s largest and most complex companies surveyed by KPMG International are concerned about customer loyalty. Cyber security is closely tied to customer loyalty and trust as well as innovation. A breach can seriously undermine consumer confidence and damage brand reputation.

One of the biggest mistakes an organization can make is regarding cyber security as something that is purely the domain of the chief information officer. “The CIO has a very important role, but as more businesses use digital as their route to the customer, they are not always engaging with cyber security experts,” says Malcolm Marshall, Global Head of Cyber Security at KPMG.

Many senior executives don’t appreciate the level of technology that is embedded in their products, says Marshall. Nor have many C-suite executives thought through the creatively devious ways that cyber criminals might exploit their products or services. Cyber crime is not as well understood as conventional crime. Ultimately, it’s a question of product integrity and reputation, and that is a board-level concern.

An enterprise-wide risk

Nearly a third of the CEOs surveyed see cyber security as the issue having the biggest impact on their companies today. One out of five indicated that information security is the risk of greatest concern, while operational and compliance risks were listed as the top risks. But cyber risk, if uncontrolled, becomes an operational and regulatory issue very fast.

“Among public breaches the issue then becomes: I can’t focus on my operations because I’m distracted by a cyber event,” says Greg Bell, Cyber Security Leader for KPMG in the U.S. “Or, I have to stop part of my operations while I try to redress or remediate the cyber issue, and then I’m dealt with a number of complicated regulatory impacts and lawsuits.”

Many organizations already have a framework for assessing enterprise risk, yet cyber risk is still treated differently than other risks. And that is a mistake. Every organization should have a framework for analyzing cyber security, and ideally it should be integrated into an organization’s existing enterprise risk framework. The key is making it part of the mainstream of risk management within an organization.

“The root cause is a failure of imagination. A failure to imagine the sophistication and persistence of their attackers.”

Malcolm Marshall, Global Head of Cyber Security at KPMG

Are you ready?

Half of the CEOs in KPMG’s survey say they are fully prepared for a future cyber event. Yet, results revealed that only half of CEOs had appointed a cyber security executive or team, and less than half had changed internal processes, such as data-sharing. More surprising was that only a third of organizations reported changes to external processes, such as data sharing or transaction processing.

There was also a wide geographic disparity in the data on preparedness. In the U.S., 87 percent of CEOs say their companies are fully prepared on the cyber front, but in Europe, less than a third (31 percent) say that, and the number in the Asia Pacific region was only 32 percent.

Investing in the right people and the right tools will help.

But there is no such thing as complete security coverage. Organizations need to develop a proactive and predictive approach to cyber security instead of relying too heavily on reactive technologies such as firewalls and other intrusion-prevention tools. Constantly testing for weak spots is one way to stay ahead of bad actors. Understanding the threat landscape and getting to know your enemy through security intelligence is another. What you can’t prevent, you should try to detect. And what you can’t detect, you should be prepared to respond to quickly.

The most innovative companies have recognized that cyber security is a customer experience and revenue opportunity, not just a risk that needs to be managed. They are finding ways to turn cyber-preparedness into a competitive advantage rather than a cost, building security into new products and services at the design stage and treating cyber security as more than an IT issue: It must work across the entire organization and the ecosystem.

The bottom line? Every company is now a cyber security company, and every company needs to keep a vigilant eye on security.

The four golden rules of cyber security

  1. Get the basics right.
    More than 75 percent of attacks exploit the failure to put in place basic controls.
  2. Look after your crown jewels.
    You must prioritize where you spend your money to defend yourself, so build a fortress around your most critical assets.
  3. Treat cyber risk as an opportunity to look closely at your business.
    Security and resilience can affect nearly every part of an organization. Strategies to protect IT security and business resiliency should align with an organization’s broader goals, from protecting intellectual property to maximizing productivity to finding new ways to delight customers.
  4. Do your homework on your enemies.
    Invest in understanding who might attack you—as well as why and how— so you can anticipate the most likely scenarios and defend the assets most likely to get attacked.

Read the full report: Cyber Security: a failure of imagination by CEOs