Two thirds of Germany’s manufacturers have been hit by cyber-crime attacks, costing industry in Europe’s largest economy some €43 billion, according to a survey published by Bitkom, Germany’s IT sector association, in September.
Small and medium-sized companies, the economy’s backbone, are particularly vulnerable to attacks.
This isn’t simply FUD. It’s a reinforcement of the fact that for companies, cyber risk is ultimately a business risk. German firms in particular are a target for well-resourced nation-state and criminal actors using cyber attacks to steal advanced manufacturing techniques and other intellectual property, as well as being the victims of less sophisticated hacks such as ransomware.
“Illegal knowledge and technology transfer … is a mass phenomenon,” says Thomas Haldenwang, deputy president of the BfV domestic intelligence agency.
And cyber risk in this context goes beyond theft: 19 percent of those polled said that their IT and production systems had been sabotaged digitally, and 11 percent reported tapping of their communications.
The challenge, then, is less the kinds of data privacy and breach issues that have made the headlines, which have serious but limited business impact, and more the prevention of core operational losses and the defence of the foundations on which companies are built.
This is where there has often been a disconnect between traditional, siloed cybersecurity operations and companies’ business and financial centres. This disconnect is a two-way street, but it has not been helped by some of the key mantras of cybersecurity which can imply that failure is inevitable and that, no matter how much is spent, a crippling attack is certain: not the message other risk management functions routinely trumpet.
So how can companies build cybersecurity processes that focus on the most important business outcomes? How can cybersecurity integrate with existing risk management infrastructure, and in what ways is it similar or different? And how can cyber professionals better understand the P&L impacts of key risks and mitigation techniques in order to better present tactical and strategic options to their boards and the leaders of their business units?