CXOs are well aware that cyberattacks have consequences, as these consequences make headlines. Some of the consequences are unexpected, but the negative outcomes that follow cyberattacks are largely perceived as operational disturbances that are to be managed much like a natural disaster, even if the disruption caused by a cyberattack can be worse than disruption from a flood or tornado.
Why Cyberattacks are a C-Suite Challenge
Despite these consequences, the C-suite had a tendency to regard cyberattacks as an IT issue – painful, but not something that could interfere with the strategic objectives of the company. This view, however, is rapidly changing.
Clorox expected net sales to fall by 23% to 28% due to a cyberattack and said the impact from the attack more than offset the benefits of pricing, cost savings, and supply chain optimisation, all of which are strategic initiatives that CXOs are expected to focus on. By extension, we can conclude that the organisation would have achieved better results if the C-suite had prioritised cybersecurity over pricing, cost savings, and supply chain optimisation.
The impact of weaknesses in cybersecurity can be severe without being obvious. K7 Security discovered a vulnerability in the web application of a client who provided e-services, which allowed users to submit service requests without paying a processing fee. The client was potentially suffering a revenue loss of $250,000 per year, which is a significant impairment of the topline performance that is a C-suite priority.
The C-suite also needs to grapple with new complications arising from cyberattacks, such as the potential loss of attorney-client privilege when regulators wish to examine the internal records of companies that suffer cyberattacks.
In addition to these concerns, CXOs may also face regulatory action following a cyberattack. The Securities and Exchange Commission (SEC) of the USA has filed charges against a CISO, alleging that the company misled investors about cybersecurity practices and known risks, and recommended civil enforcement action against the CFO. It is the securities regulator, and not a cybersecurity agency, that is taking legal action which extends beyond the CISO to other members of the C-suite.
These examples make it clear that cybersecurity is a C-suite problem. But what is the solution?
VAPT Eliminates Cybersecurity Obstacles to Achieving Strategic Objectives
We have previously analysed how ROI can be improved by choosing appropriate cybersecurity products. The challenges faced by the C-suite, however, need more than just products. CXOs need investigative services to look for and identify weaknesses in enterprise cyber defences beyond susceptibility to malware.
The discussion above referenced K7 Security identifying a vulnerability in a client’s web application that helped avoid significant revenue loss. K7 discovered this vulnerability by performing VAPT.
What is VAPT?
Vulnerability Assessment and Penetration Testing (VAPT) is a forensic investigation of enterprise cyber defences. The organisation’s IT infrastructure is examined for weaknesses (Vulnerability Assessment), and testers then attempt to exploit the vulnerabilities identified (Penetration Testing). We have previously discussed how VAPT can be used to strengthen enterprise cyber defences, and will now explore how VAPT can help the C-suite achieve strategic objectives.
How VAPT Supports Strategic Objectives
VAPT prevents cyberattacks and therefore helps CXOs avoid the negative consequences of cyberattacks that adversely impact the pursuit of strategic goals. Specifically, VAPT can help you:
- Preserve Brand Value – A cyberattack can tarnish the image of a business and cause deterioration in brand value. A study in Australia revealed that 1 in 4 consumers severed ties with companies that experienced a breach in security of their customers’ Personally Identifiable Information (PII). VAPT can help avoid such breaches and protect the organisation’s brand
- Avoid Drop in Share Price – The Latitude Group forecast a loss following a cyberattack that resulted in its share price dropping almost 10%. Periodic VAPT exercises can help enterprises prevent such attacks and preserve stakeholder value
- Avoid Litigation – The HSE has been sued more than 400 times in the fallout from a cyberattack. The nation of Colombia considered a civil lawsuit and criminal action against IFX Networks for negligence that led to a ransomware attack. Carnival Cruise Lines will pay $6 million to end two lawsuits after sensitive personal information was accessed in a string of cyberattacks. Comprehensive VAPT can help businesses avoid such time-consuming and expensive litigation
- Prevent Regulatory Action – Interserve Group Limited was fined £4 million for a ransomware attack that exposed employee data. Blackbaud paid a civil penalty of $3 million following a ransomware attack. A ransomware group themselves filed a complaint with the SEC claiming that MeridianLink had violated SEC rules following a ransomware attack. VAPT can help enterprises avoid such regulatory attention
- Save Remediation Expenditure – Empire Co. estimates direct and indirect expenses following a cyberattack could add up to over $54 million. Such expenditure can be avoided by conducting regular VAPT exercises, allowing enterprise resources to be used to pursue strategic objectives
- Preserve Earnings – Granules India Ltd reported a 5% fall in first-quarter profit due to disruption caused by a cyberattack. MGM was estimated to have lost between $4.2 million and $8.4 million in revenue per day while a cyberattack was in progress. VAPT helps the C-suite avoid such impact on earnings
- Limit Capital Requirements – Ince Group required additional funding of £8.6 million following a cyberattack estimated to have cost £5 million (and to overcome the impact of COVID-19 and the war in Ukraine). VAPT can help businesses avoid such emergency fundraising by preventing disruptive cyberattacks
- Avoid Career Interruption – Target’s CIO resigned after a data breach. Equifax’s CEO, CIO, and CSO left after a data breach and the CIO of Equifax U.S. Information Solutions was fined and sentenced to prison for insider trading for selling shares before the breach was publicly announced. VAPT can help CXOs avoid such personal consequences by preventing data breaches
K7 VAPT strengthens enterprise cybersecurity and ensures regulatory compliance with forensic investigation of your organisation’s IT infrastructure. Contact Us to learn more about how K7 can help you identify, and mitigate, vulnerabilities in your enterprise cyber defences with a comprehensive security evaluation customised to suit your organisation’s operating and regulatory environment.