Earlier this month, the United Nations (U.N.) released its latest Global Assessment Report on Disaster Risk Reduction (GAR2022). For those of us who assess risk for a living, it is a sobering read. According to the report, “at no other point in modern history has humankind faced such an array of familiar and unfamiliar risks and hazards.” With the emergence of new risks continually outpacing efforts to prevent or mitigate them, the frequency of disasters—both natural and man-made, environmental and technological—is all but certain to increase in the near term.
Despite clear evidence of increasing risks, the prevailing public perception is “one of optimism, underestimation, and invincibility,” according to the report. Whether it’s skepticism about the evidence or naive assumptions that disasters only happen to other people, the gulf between objective reality and public opinion prevents decision-makers from more effectively preparing for and responding to disasters.
As Kroll’s Cyber Risk team helps companies secure their data and thwart cyberattacks, we often observe similar gaps between evidence and perceptions. These disconnects arise for several reasons.
Dealing With “Invisible” Threats
Virtually all companies are at risk for cyberattacks, whether they come in the form of ransomware, compromised email accounts, malware resulting in the exposure of sensitive data, a zero-day exploit of a previously unknown vulnerability of an embedded open-source element of a system that you didn’t even know you were running or numerous other hacks and intrusions. No industry is immune. No company is out of bounds.
These days, most companies acknowledge this reality and will nominally declare that protection of their data systems is a top priority. Many will also take some initial steps to protect themselves. But, in many cases, managers view cyber security protocols as a box-checking exercise so they can tell auditors, investors and board members that they have handled issue. Others opt to invest more in cyber insurance, hoping and praying it will be enough to cover their losses if they are ever attacked.
To some degree, this is understandable.
Unless they have suffered an attack, most companies see cyber security as an invisible problem. Spending time and resources to properly back up data to mitigate a potential ransomware attack isn’t glamorous. Money spent on network monitoring to allow for early detection and timely responses to security events will do little to raise a business’s profile or attract customers. In fact, if cyber security measures work properly, they may never be obvious to anyone outside the company.
This lack of external visibility leads some companies to underestimate the importance of cyber security and prioritize alternative, less important investments. Not surprisingly, many of these same businesses will end up dealing with much greater costs as they manage the impact of a preventable cyberattack.
Other People’s Problems
In other cases, a company’s decision-makers may understand the importance of cyber security but will still put off securing their systems because they do not believe hackers will target them. At Kroll, we’ve heard hacking victims tell us they shouldn’t have been targeted because they were a small business or they operated in a rural area. Of course, no one should be targeted, but that is beside the point. Everyone is at risk, and anyone who tells themselves they are not at risk is wrong.
For example, the recent log4j vulnerability issue arose from an open-source component used in many systems where owners were entirely unaware of its presence. Hackers didn’t single out individual companies and systems to check for the bug. They developed automated tools and scripts to scan the internet and immediately exploit any system containing the log4j vulnerability. Such indiscriminate attacks tend to be the norm whenever a common data system weakness is discovered.
Cultures of Risk and Risk Aversion
Cyber security is a global problem, and cultural differences—between both countries and companies—can create some unique misperceptions. Broadly speaking, some cultures are more risk averse than others. Some are more likely to defer to authority—from government or elsewhere—to find and implement solutions.
At the same time, individual companies may be more or less risk averse based on their industry or corporate culture. For example, a startup trading firm may view risk-taking as an essential part of its business model and unconsciously extend that view to its internal operations, including cyber security. In contrast, an organization with a large established bureaucracy—such as a hospital—might inherently prioritize risk mitigation in all aspects of its business.
Once again, cybercriminals do not factor in cultural differences when picking targets. So, they shouldn’t dictate what steps a company takes to shore up its systems and eliminate vulnerabilities.
Why Boards Get Cyber Security Wrong
Most corporate boards are skilled in dealing with industry-specific concerns, navigating financial pitfalls or identifying potential acquisition targets. Experience and expertise in cyber security is rarely considered an essential element of a board member’s resume. As a result, even an otherwise successful board can fail to properly weigh the costs and benefits of cyber security investments. Far too often, boards prioritize other projects with higher visibility.
The SEC recognizes importance of cyber security to our economy. The Office of Compliance Inspections and Examinations recently wrote:
"As markets, market participants, and their vendors have increasingly relied on technology, including digital connections and systems, cyber security risk management has become essential. Indeed, in an environment in which cyber threat actors are becoming more aggressive and sophisticated—and in some cases are backed by substantial resources including from nation state actors—firms participating in the securities markets, market infrastructure providers and vendors should all appropriately monitor, assess and manage their cyber security risk profiles, including their operational resiliency."
The SEC is also reviewing a proposal to require companies under its jurisdiction to disclose any cyber security experience among board members. While few directors will have any experience to disclose, the proposal is a strong indication the SEC is looking for ways to better align the perceptions of corporate decision-makers with the reality of the threats their companies face.
Many companies would likely find it difficult to always have a cyber security expert serving as a director, but, in our experience, boards make better decisions when they have continual and direct access to cyber security expertise. If a company has no directors with such expertise, it should empower an officer or consultant to oversee data security efforts independent of the company staff and with direct access to the board.
Bridging the Reality-Perception Gap in Cyber Security
As the U.N. report noted, “A range of cognitive, behavioral and sociocultural factors come into play when considering disaster risk, yet risk perception is a crucial factor in how people prepare, reduce and respond to hazards.” Risk perception is, by definition, subjective, which means changing it—even in the presence of overwhelming objective evidence—can be extremely difficult. A number of studies suggest firsthand experience plays a significant role in shaping risk perception. Simply put, people who experience a particular type of crisis tend to be far more risk averse to avoid similar crises in the future.
If a company hasn’t experienced a cyber incident, its leaders may have difficulty fully appreciating the risks. Data and statistics can seem abstract or esoteric, and case studies often reinforce the perception that cyberattacks only happen to others. So-called “unicorn” companies that achieve billion-dollar valuation in incredibly short times may be so focused on whatever is driving their valuation that they downplay mundane issues like cyber security in their quest for economic growth. Obviously, we can’t wait around for companies to suffer through cyberattacks before trying to change their risk perceptions. Fortunately, there are more feasible alternatives.
One way to help businesses better understand cyber security risks is a crisis management exercise, where conditions of a specific crisis are simulated in real time. These exercises can help board members and other decision-makers better understand how events might unfold and see the value of taking preventive steps.
The experts on Kroll’s Cyber Risk team have led hundreds of cyber security incident tabletop exercises for a wide array of clients. We follow a seven-step process to develop and implement a company-specific simulation to help clients identify the strengths and weaknesses of their existing cyber security protocols and response plans. Some companies come away from these exercises with greater confidence in their security measures and response plans. For other companies, the simulations are an eye-opener for managers and board members who may not have fully understood the risks associated with cyber security.
Thanks to a constant stream of news reports about cyber intrusions, data exposure and other hacking incidents, more companies are focused on cyber security now than ever before. However, while efforts to mitigate these types of risks have expanded significantly in recent years, the number of threats has grown exponentially faster.
Companies that continually lag behind the cyber security curve often do so by choice. In many cases, they understand the emerging cyber security threats. Yet, for a variety of reasons, managers of these companies believe they are safe, even if everyone else seems to be at risk. Correcting these false risk perceptions is more than just a matter of raising awareness or delivering better, more objective evidence to corporate decision makers. Indeed, it’s hard to imagine an environment where public discussion of cyber security threats and hazards could be more ubiquitous.
Firsthand experience is one effective means of changing risk perceptions. But, with cyber security, the primary objective is helping companies avoid those kinds of experiences. Ultimately, we need solutions that are customized to individual companies to address their unique, subjective concerns. The closer we can get to approximating firsthand experience—whether it’s through crisis management and tabletop simulations or some other approach—the more effective our efforts will be.