Digital resilience: Seven practices in cybersecurity

by Aman Dhingra, Michael Gryseels, James Kaplan, and Harrison Lung

Cyberattacks are costly, and they appear to be broadening in scope. Until recently, financial companies and governments were the primary targets of cybercrime. No more. The self-propagating WannaCry and NotPetya ransomware attacks of 2017 affected companies in a wide range of industries. Earlier this year, the disclosure of the Meltdown and Spectre vulnerabilities in processors showed that cyber risks arise not just in software but in hardware, too. All of these factors point to the reality that a growing range of companies will need to do much more to protect themselves.

In a recent global survey by McKinsey, 75 percent of executives said they consider cybersecurity a top priority. Yet only 16 percent said their companies are well prepared to withstand cyber risks. Merely spending more is unlikely to help. McKinsey research on 45 Fortune 500 companies found a weak relationship between how much they spend on cybersecurity as a proportion of their overall spending on IT, and how sophisticated their programs are.

What does a robust cybersecurity program look like? Our experience suggests that leading companies are working toward a state of digital resilience, in which they design their business processes and their information-technology systems to facilitate the protection of critical information and to implement strong cyberdefenses and effective plans for responding to cyberattacks. The following seven practices are essential to achieving digital resilience:

  1. Include cybersecurity in management and governance processes. Cyber risk is a complex nonfinancial issue with the power to erode a company’s bottom line and brand value. Because of this, companies need to integrate cybersecurity measures into day-to-day business processes and make cybersecurity a consideration in major decisions.
  2. Prioritize information assets and related risks. At many companies, as much as 50 percent of information assets are not mission critical. Companies should take stock of their information assets, tally the cyber risks they face and assess their urgency, and focus their cybersecurity efforts on mitigating risks to crucial assets. This can help them reduce their spending on cybersecurity by up to 20 percent.
  3. Strengthen cybersecurity protection for key assets. Applying the same cybersecurity controls to all assets creates extra effort and expense. Vital assets should be protected more strongly than less important ones. Controls should go beyond typical options, such as encryption, to include authentication, access rights, data-loss prevention, digital-rights management, intrusion detection, and patching.
  4. Engage all employees. Every employee has a part to play in protecting the enterprise through practices like sharing sensitive information through secure channels, rather than less-secure channels such as email. Simulated phishing campaigns, cybersecurity drills, and other efforts will help make employees aware of the cyber risks they might create and how to mitigate them.
  5. Build security features into IT systems. Companies should build strong cybersecurity controls into the core of their IT systems, just as a strong foundation must be laid down before building a house. In-house software engineers should have the tools they need to develop applications that are less vulnerable to hackers. Companies should also configure IT systems in ways that reduce exposure to cyber risks.
  6. Use “active defenses” to stay ahead of attackers. Sooner or later, every company will be targeted by hackers. Companies can thwart hackers more effectively if they understand how they behave. Leading companies use big-data analytics to identify signals that might indicate an attack in progress, such as attempts to log in to networks from locations a user has never used before. They also maintain up-to-date intelligence on cybercriminals’ capabilities and intentions—and sometimes even their identities.
  7. Plan and test responses to cybersecurity incidents. Knowing that cyberattacks will occur, companies should establish plans for responding to them. Once their incident-response plans are in place, companies should regularly put them to the test in simulated cyberattacks, or “war games.” McKinsey research suggests that realistic simulations increase digital resilience.
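The unusual-location signal mentioned in practice 6 can be made concrete. The following Python is an added example, not code from the article or from McKinsey: it builds a per-user baseline of the countries each user has successfully logged in from during a training window, then flags later logins from a country outside that baseline and logins that would require "impossible travel" from the user's previous location. The log format, the pre-enriched `geo` country field, the coordinate table and the 900 km/h speed threshold are all assumptions, and the log lines are constructed for illustration.

```python
import math
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of an authentication log. Assumes the log pipeline has
# already enriched each event with a country code (the "geo" field).
SAMPLE_LOG = """\
2024-05-01T08:02:11Z user=alice src_ip=203.0.113.5 geo=SG result=success
2024-05-02T08:10:43Z user=alice src_ip=203.0.113.7 geo=SG result=success
2024-05-03T09:00:05Z user=bob src_ip=198.51.100.9 geo=US result=success
2024-05-04T08:05:27Z user=alice src_ip=203.0.113.5 geo=SG result=success
2024-05-05T22:41:18Z user=alice src_ip=192.0.2.44 geo=BR result=failure
2024-05-05T22:41:52Z user=alice src_ip=192.0.2.44 geo=BR result=success
2024-05-06T13:15:00Z user=bob src_ip=198.51.100.9 geo=US result=success
2024-05-06T14:02:31Z user=bob src_ip=192.0.2.81 geo=HK result=success
"""

# Rough (lat, lon) per country code, constructed for the example; a real
# deployment would use the geolocation of the source IP itself.
GEO_COORDS = {
    "SG": (1.35, 103.82),
    "US": (38.90, -77.04),
    "BR": (-15.79, -47.88),
    "HK": (22.32, 114.17),
}

# Everything up to this point is treated as trusted history for the baseline.
BASELINE_UNTIL = datetime(2024, 5, 4, 23, 59, 59, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src_ip=(?P<ip>\S+) geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the hypothetical key=value log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_anomalies(events, baseline_until, max_speed_kmh=900.0):
    """Flag successful logins from countries outside a user's baseline, and
    successive logins whose implied travel speed exceeds max_speed_kmh."""
    baseline = defaultdict(set)  # user -> countries seen during the baseline window
    last_seen = {}               # user -> most recent successful login event
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] != "success":
            continue  # failed attempts are a separate signal, not handled here
        user = e["user"]
        if e["ts"] <= baseline_until:
            baseline[user].add(e["geo"])
            last_seen[user] = e
            continue
        # A new country is NOT added to the baseline during detection, so an
        # attacker's first login cannot legitimise their later ones.
        if e["geo"] not in baseline[user]:
            alerts.append({"type": "new_location", "user": user, "geo": e["geo"], "ts": e["ts"]})
        prev = last_seen.get(user)
        if prev is not None and prev["geo"] != e["geo"]:
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600.0
            km = haversine_km(GEO_COORDS[prev["geo"]], GEO_COORDS[e["geo"]])
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append({"type": "impossible_travel", "user": user,
                               "from": prev["geo"], "to": e["geo"],
                               "speed_kmh": speed, "ts": e["ts"]})
        last_seen[user] = e
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_anomalies(parse_log(SAMPLE_LOG), BASELINE_UNTIL)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample, alice's login from Brazil is flagged only as a new location (roughly 16,500 km in about 38 hours is plausible air travel), while bob's Hong Kong login 47 minutes after a US login is flagged both as a new location and as impossible travel. A user with no baseline at all (a new hire, for instance) will have every login flagged, so in practice the baseline should be rebuilt periodically from reviewed history and new accounts enrolled deliberately rather than silently.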

Companies face the tough task of protecting their most important information, without making it so difficult to access that it slows down their operations. Achieving digital resilience requires the involvement of multiple stakeholder groups. Oversight from the board and senior management is essential to ensure that cybersecurity programs are rigorous and effective. Dedicated cybersecurity teams must maintain a thorough, up-to-date understanding of the threats that companies face and engineer integrated defense systems to meet them. Business units and the IT organization need to embed security protocols in daily business processes. The stakes are too high for anything else.

Aman Dhingra is an associate partner in McKinsey’s Singapore office where Michael Gryseels is a senior partner; James Kaplan is a partner in the New York office, and Harrison Lung is a partner in the Hong Kong office.