BK Gdan 003377 PDF


CYBERSECURITY: THE INSIGHTS YOU NEED FROM HARVARD BUSINESS REVIEW

BY ALEX BLAU, ANDREW BURT, BORIS GROYSBERG, & HARVARD BUSINESS REVIEW

Contents

Figure 2-1: Average annual number of targeted attacks and breaches per company
Figure 2-2: Even though we’re thwarting more attacks, we’re not preventing more breaches
Figure 2-3: Average cost of cybercrime per company (US$M)
Figure 2-4: Attacks come mostly from outsiders
Figure 2-5: Attacks still fail more often than they succeed
Figure 2-6: Personal information and payment information are the most commonly compromised targets
Figure 2-7: What hackers attack most often, and what they attack most successfully, aren’t always the same
Figure 2-8: Average cost of cybercrime per company in selected countries (US$M)
Figure 2-9: Average annualized cost of cybercrime by sector, worldwide (US$M)
Figure 2-10: Share of costs per type of activity
Figure 2-11: Share of costs per consequence of attack
Figure 3-1: Most board directors aren’t highly concerned about or ready for cyberthreats
Figure 3-2: Few board directors view cybersecurity as a strategic threat
Figure 3-3: Most board cybersecurity processes fall short, according to directors
Figure 3-4: Cybersecurity is the biggest challenge for board directors

FIGURE 2-1

Average annual number of targeted attacks and breaches per company

2017 survey: 106 targeted attacks (70% thwarted), 32 breaches

Source: Accenture, “2018 State of Cyber Resilience: Gaining Ground on the Cyber Attacker”

054-80673_ch01_3P.indd 24 6/29/19 12:40 AM


FIGURE 2-2

Even though we’re thwarting more attacks, we’re not preventing more breaches

2017 survey: 106 targeted attacks (70% thwarted), 32 breaches
2018 survey: 232 targeted attacks (87% thwarted), 30 breaches

Source: Accenture, “2018 State of Cyber Resilience: Gaining Ground on the Cyber Attacker”



FIGURE 2-3

Average cost of cybercrime per company (US$M)

[Chart: cost by year, 2013 to 2017, on a scale of $0 to $15M, with the five-year average marked. Labeled values: $7.2 and $11.7. Increase from 2013 to 2017: 62%]

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”



FIGURE 2-4

Attacks come mostly from outsiders

[Chart: external versus internal share of attacks (0% to 100%), shown as an average across all sectors and for each sector: Accommodation and food services; Education; Financial and insurance; Health care; Information; Manufacturing; Professional, technical, and scientific services; Public administration; Retail]

Note: Some external totals include partners and/or multiple parties.

Source: Accenture, “2018 Data Breach Investigations Report”



FIGURE 2-5

Attacks still fail more often than they succeed

[Scatter plot by sector, with a detail inset. Vertical axis: Breaches (confirmed disclosures of data to unauthorized parties). Horizontal axis: Incidents not resulting in breaches (potential exposures of information assets). The plot is divided into a region where more than half of attacks are successful and a region where more than half of attacks are thwarted or fail. Sectors plotted: Public administration; Health care; Accommodation and food services; Professional, technical, and scientific services; Retail; Financial and insurance; Education; Information; Manufacturing]

Source: Verizon, “2018 Data Breach Investigations Report”



FIGURE 2-6

Personal information and payment information are the most commonly compromised targets

Accommodation and food services: Payment, 93%
Education: Personal, 72%
Financial and insurance: Personal, 36%
Health care: Medical, 79%
Information: Personal, 56%
Manufacturing: Personal, 32%
Professional, technical, and scientific services: Personal, 57%
Public administration: Personal, 41%
Retail: Payment, 73%

Source: Verizon, “2018 Data Breach Investigations Report”



FIGURE 2-7

What hackers attack most often, and what they attack most successfully, aren’t always the same

Major sources of breaches are in bold and black; major sources of incidents are (■) bulleted.

[Figure: one panel per sector (Accommodation and food services; Education; Financial and insurance; Health care; Information; Manufacturing; Professional, technical, and scientific services; Public administration; Retail). Each panel lists the same attack categories (Card skimmer, Crimeware, Cyber espionage, Denial of service, Lost/stolen asset, Point of sale, Privilege misuse, Web app, Everything else, Misc. errors) and is labeled with a percentage of all breaches.]

Note: Professional, technical, and scientific services has four bulleted items because of a tie.

Source: Verizon, “2018 Data Breach Investigations Report”



FIGURE 2-8

Average cost of cybercrime per company in selected countries (US$M)

[Bar chart: 2016 and 2017 values for Australia, Germany, Japan, United Kingdom, and United States, on a scale of $0 to $20M. Labeled values: $21.2, $11.2, $10.5, $8.7, $5.4]

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”



FIGURE 2-9

Average annualized cost of cybercrime by sector, worldwide (US$M)

[Chart: sectors placed along a scale from $20M down to $5M. Sectors, listed top to bottom as they appear: Financial services; Utilities and energy; Aerospace and defense; Tech and software; Health care; Services; Industrial/manufacturing; Retail; Public administration; Transportation; consumer products; Communications; Life sciences; Education; hospitality]

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”



FIGURE 2-10

Share of costs per type of activity

[Bar chart: share of costs (0% to 50%) for 2015, 2016, and 2017, by activity: Detection; Containment; Recovery; Investigation; Incident management; Ex post response]

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”



FIGURE 2-11

Share of costs per consequence of attack

[Bar chart: share of costs (0% to 50%) for 2015, 2016, and 2017, by consequence: Business disruption; Information loss; Revenue loss; Equipment damages; Other costs]

Source: Accenture and Ponemon Institute, “2017 Cost of Cyber Crime Study: Insights on the Security Investments That Make a Difference”



FIGURE 3-1

Most board directors aren’t highly concerned about or ready for cyberthreats

Percentage that indicated a “great” or “very great” level of concern/readiness

Q: What is your level of concern regarding the following areas of risk to the company?

Regulatory 47%
Reputational 47%
Cybersecurity 38%
Enterprise 25%
Supply chain 22%
Activist investors 11%

Q: What is your level of readiness regarding the following areas of risk to the company?

Reputational 55%
Regulatory 54%
Enterprise 35%
Supply chain 35%
Cybersecurity 34%
Activist investors 28%

Number of participants: 340



FIGURE 3-2

Few board directors view cybersecurity as a strategic threat

Q: What are the three biggest challenges to this company achieving its strategic objectives? (select three)

Attracting and retaining top talent 41%
Regulatory environment 38%
Competitive threats: global 32%
Competitive threats: domestic 30%
Innovation 30%
Low or changing consumer demand 21%
Technology trends 21%
Risk management 14%
Levels of debt 12%
Cybersecurity 8%
Compensation 7%
Supply chain risk 7%
Rising cost of materials and commodities 6%
Activist shareholders 5%
Other 10%

Number polled: 2,938



FIGURE 3-3

Most board cybersecurity processes fall short, according to directors

Percentage that rated each process as “above average” or “excellent”

Q: How would you rate this board’s effectiveness on each of the following board processes?

Staying current on company 70%
Compliance 69%
Board composition 67%
Financial planning 66%
Staying current on industry 64%
Executive sessions 60%
Overall board performance 59%
Monitoring strategic decisions 59%
Investor/shareholder relations 58%
Strategic planning 56%
Creating effective board structure 55%
Risk management 55%
Time management 52%
Evaluation of CEO 51%
Compensation 45%
Mergers and acquisitions 45%
Innovation 42%
Technology 42%
Global expansion 40%
CEO succession planning 36%
HR/talent management 35%
Evaluation of individual directors 34%
Cybersecurity 24%

Number of participants: 3,183



FIGURE 3-4

Cybersecurity is the biggest challenge for board directors

Q: Which of the following do you find challenging in your role as a director on this board? (select all that apply)

Keeping on top of risk and security issues 37%
Keeping on top of regulatory changes 33%
Keeping on top of new technologies 33%
Keeping up-to-date on industry of this company 27%
Asserting independent thinking 26%
Understanding evolving global landscape 23%
Time required to serve 15%
Liability issues 13%
Engaging with management 11%
Financial acuity 10%
Interpersonal relations with other directors 10%
Keeping up-to-date on this company 9%
Confusion regarding my role as director 5%
Other 5%

Number of participants: 2,791
