McKinsey & Company
Share this email LinkedIn Twitter Facebook
Leading Off
Click to get this newsletter weekly
Gas pipelines. Dams. Water supplies. Movie studios. Hospitals. In recent years internet hackers and ransomware agents have demonstrated that they are nothing if not eclectic. Also, stealthy and immensely capable. The proliferation of ransomware attacks this year and efforts to prevent them should hold the attention of anyone with access to a computer keyboard. This week let’s gather the experts for a leader’s primer on the state of this growing threat.
The wild west web
Not so long ago, computers mostly stored data locally. But as digitization and connectivity spread to define much of our lives, so did the proliferation of the software code that powers it. When hackers find software errors in that code, they can gain unfettered, invisible access to networks. They call the glitches for which there is no existing patch “zero-days,” (pronounced “oh-days”) because at the moment the flaw is discovered, it’s been zero days since the software developer has detected it and figured out a defense for it. As opportunities and capabilities have grown, hacking, once almost the exclusive domain of state-sponsored spies, has become popularized and has produced a burgeoning worldwide black market in software bugs. Attacks on critical infrastructure, once known only as acts carried out by nation-states, have also now moved into the crosshairs of ransomware actors, necessitating steps to better align and protect the vulnerabilities of not only IT systems but also the operational elements of assets such as gas pipelines and water treatment plants.
That’s the number of new devices connected to the internet every second. Tick, tock. Add to that the existing 30 billion internet-connected devices and the fact that more than half the world’s population uses the internet, and the scale of the opportunity for bad agents comes into chilling view. So do the complications for cybersecurity efforts at the enterprise level. As companies continue to digitize and undertake transformations around digital capabilities, “fundamental tensions arise between the business’s need to digitize and the cybersecurity team’s responsibility to protect the organization, its employees, and its customers,” write the authors of “Cybersecurity: Linchpin of the digital enterprise.” To avoid becoming a barrier to digitization, cybersecurity teams must improve risk-management capabilities, build cybersecurity directly into a business’s value chain, and support innovative enterprise-technology platforms. Organizations must also do more to collaborate closely with third-party affiliates to reduce the risk of cyberattacks originating with business partners.
“One who enjoys the intellectual challenge of creatively overcoming or circumventing limitations.”
That’s the definition of “hacker” in The New Hacker’s Dictionary, as provided by journalist Nicole Perlroth in her book This Is How They Tell Me the World Ends: The Cyberweapons Arms Race (Bloomsbury, February 2021). Victims might take exception to that definition and the hacker’s ethics, but it’s also clear that some of history’s most revered entrepreneurs fit the bill, and today, many institutions ironically rely on them for their digital security. A review of Perlroth’s work in the New Yorker profiles the zero-day mercenaries and recounts the widespread challenges governments and companies face (even the infrastructures of COVID-19 testing, care, and vaccination development have not been off-limits during the pandemic).
abstract globe
“Cybercrime is becoming industrialized,” says John Noble, the former director of the United Kingdom’s National Cyber Security Centre. “Vulnerabilities are identified by one set of groups that then share the information with criminal groups.” In this podcast with McKinsey partners Frithjof Lund and Wolf Richter, the trio explore the new challenges facing corporate boards and executive teams—as the vulnerabilities of digitization spread to new industries and companies face new risks from the expansion of remote work—and why cybersecurity can no longer be safely considered only the responsibility of chief information officers.
It’s about more than just tech
metal maze and silver ball
For most executives and teams, the cybersecurity challenge is a real-world threat wrapped in indecipherable computer code. But for leaders, it is crucial to understand that the responses must go beyond purely technical ones. Readiness can also mean low-tech exercises: reviewing your incident-response plans, defining your communication alternatives, and checking your insurance policies. And when it comes to people, educating employees rather than building barriers that close them off from information can create a much healthier and more cohesive organizational response to cyber crises.
Lead securely.
— Edited by Bill Javetski, an executive editor in McKinsey’s New Jersey office
Click to get this newsletter weekly
McKinsey & Company
Follow our thinking
LinkedIn Twitter Facebook
Share these insights
Did you enjoy this newsletter? Forward it to colleagues and friends so they can subscribe too.
Was this issue forwarded to you? Sign up for it and sample our 40+ other free email subscriptions here.
Copyright © 2021 | McKinsey & Company, 3 World Trade Center, 175 Greenwich Street, New York, NY 10007