McKinsey Quarterly

The rising strategic risks of cyberattacks

| Article

More and more business value and personal information worldwide are rapidly migrating into digital form on open and globally interconnected technology platforms. As that happens, the risks from cyberattacks become increasingly daunting. Criminals pursue financial gain through fraud and identity theft; competitors steal intellectual property or disrupt business to grab advantage; “hacktivists” pierce online firewalls to make political statements.

Research McKinsey conducted in partnership with the World Economic Forum suggests that companies are struggling with their capabilities in cyberrisk management. As highly visible breaches occur with growing regularity, most technology executives believe that they are losing ground to attackers. Organizations large and small lack the facts to make effective decisions, and traditional “protect the perimeter” technology strategies are proving insufficient. Most companies also have difficulty quantifying the impact of risks and mitigation plans. Much of the damage results from an inadequate response to a breach rather than the breach itself.

Complicating matters further for executives, mitigating the effect of attacks often requires making complicated trade-offs between reducing risk and keeping pace with business demands (see sidebar “Seizing the initiative on cybersecurity: A top-team checklist”). Only a few CEOs realize that the real cost of cybercrime stems from delayed or lost technological innovation—problems resulting in part from how thoroughly companies are screening technology investments for their potential impact on the cyberrisk profile.

These findings emerged from interviews with more than 200 chief information officers, chief information-security officers, regulators, policy makers, technology vendors, law-enforcement officials, and other kinds of practitioners in seven sectors across the Americas, Europe, the Middle East and Africa, and Asia.1 We also drew on a separate McKinsey executive survey on cyberrisk, supplementing this research with an analysis of McKinsey Global Institute (MGI) data on the value-creation potential of innovative technologies. It showed that the economic costs of cybercrimes could run into the trillions of dollars.

Areas of business concern

From our interviews and survey research, four areas of concern emerged on how executives perceive cyberrisks, their business impact, and the readiness of companies to respond:

More than half of all respondents, and 70 percent of executives from financial institutions, believe that cybersecurity is a strategic risk for their companies. European companies are slightly more concerned than American ones. Notably, some executives think internal threats (from employees) are as big a risk as external attacks.

Equally worrisome, a large majority of executives believe that attackers will continue to increase their lead over corporate defenses. Sixty percent of the executives interviewed think the sophistication or pace of attacks will increase somewhat more quickly than the ability of institutions to defend themselves. Product companies, such as high-tech firms, are most concerned about industrial espionage. The leaking of proprietary knowledge about production processes may be more damaging than leaks of product specifications, given the pervasiveness of “teardown” techniques and the legal protections afforded to product designs. Service companies are more concerned about the loss and release of identifiable information on customers and about service disruptions.

According to McKinsey’s ongoing cyberrisk-maturity survey research, large companies reported cross-sector gaps in their risk-management capabilities. Ninety percent of those most recently surveyed had “nascent” or “developing” ones. Only 5 percent were rated “mature” overall across the practice areas studied (exhibit). Notably, we found no correlation between spending levels and risk-management maturity. Some companies spend little but do a comparatively good job of making risk-management decisions. Others spend vigorously, but without much sophistication. Even the largest firms had substantial room for improvement. In finance, for instance, senior nontechnical executives struggled to incorporate cyberrisk management into discussions on enterprise risk management and often couldn’t make informed decisions, because they lacked data.

A large majority of surveyed companies had nascent or developing cyberrisk-management capabilities.

Concerns about cyberattacks are starting to have measurable negative business implications in some areas. In high tech, fully half of the survey respondents said they would have to change the nature of their R&D efforts over time. There is noticeable concern, as well, that cyberattacks could slow down the capture of value from cloud computing, mobile technologies, and health-care technologies. Some 70 percent of the respondents said that security concerns had delayed the adoption of public cloud computing by a year or more, and 40 percent said such concerns delayed enterprise-mobility capabilities by a year or more.

Cybersecurity controls are having a significant impact on frontline productivity, too. About 90 percent of the respondents overall said that controls had at least a moderate impact on it. Half of the high-tech executives cited existing controls as “a major pain point” that limited the ability of employees to collaborate.

While there is broad agreement among executives that concerted efforts by policy makers, companies, and industry associations will be needed to reduce threats, there is considerable disagreement about how a consensus might take shape. And executives worry that new regulations may be grounded in outdated techniques and that regulators’ skills and capabilities may be insufficient.

A global economic penalty

Looking forward, if the pace and intensity of attacks increase and are not met with improved defenses, a backlash against digitization could occur, with large negative economic implications. Using MGI data on the technologies that will truly matter to business strategy during the coming decade, we estimate that over the next five to seven years, $9 trillion to $21 trillion of economic-value creation, worldwide, depends on the robustness of the cybersecurity environment (see sidebar “About the research”).

Consider, for example, cloud computing. In an environment where a solid cyberresilience ecosystem accelerates digitization, the private and government sectors would increase their use of public cloud technologies,2 with enhanced security capabilities allowing widespread deployment for noncritical workloads. Private clouds would handle more sensitive workloads. In this case, we estimate that cloud computing could create $3.72 trillion in value by 2020. However, in an environment of stepped-up cyberattacks, public clouds would be underutilized, given increased fear of vulnerabilities and higher costs from compliance with stricter policies on third-party access to data and systems. Such problems would delay the adoption of many systems and reduce the potential value from cloud computing by as much as $1.4 trillion.

These dynamics could play out in many areas, with the proliferation of attackers’ weapons leading to widespread and highly visible incidents that trigger a public backlash and push governments to enforce tighter controls, which could dramatically decelerate the pace of digitization. Indeed, our interviews and workshops with executives from a variety of sectors reinforce the view that the cybersecurity environment may be getting more difficult and that early elements of a backlash are already beginning to materialize.

For more on this research, download the full report, Risk and Responsibility in a Hyperconnected World (PDF–1,688KB).

Explore a career with us