Embracing digital transformation at the organizational level creates new and unanticipated risks that can disrupt business and create liability. Cyber risk typically grows much faster than the asset or M&A value of the organization it disrupts. The Internet of Things (IoT) creates persistent risks that companies often do not realize. Corporate information and security teams are now faced with the challenge of thwarting nation-state bad actors who are funded for the purpose of crippling business infrastructure.
Disruptions can include technology failures, extended outages caused by malicious code, supply chain disruptions, and net income loss. The long-term damages may include privacy liability, public relations costs and loss of reputation. There are several notable examples of cyber breaches where human behavior could have prevented significant commercial losses. These include Anthem ($278m in gross impact), The Home Depot ($298m in gross loss), Equifax ($565m in gross impact), Facebook ($500k ICO fine), Uber ($148.4m in U.S. Attorney General settlement and French CNIL fine), the reduced acquisition price of Yahoo! Inc ($350m) plus a customer class action ($117.5m), A.P. Moller – Maersk ($250m in earnings reduction), FedEx ($400m in earnings reduction), Nuance Communications ($68m in sales reduction), Saint-Gobain (EUR220m in sales reduction), Delta’s data center outage ($150m), and the WannaCry malware incident within the UK National Health Service (GBP73m in IT cost plus GBP19m in lost output). Cyber behavior is the most important ingredient in building a cyber resilient organization; it is also the one that is most overlooked.