Cybersecurity and Decision Makers, by Marie De Fréminville

Introduction: Financial and Cyber Performance

Why not assess the cyber performance of companies in the same way as their financial and non-financial performance (governance and CSR – corporate social responsibility)?

Why not certify the cyber performance of companies in the same way as their financial performance via auditors, whose intervention is mandatory for companies of a certain size?

Despite some progress, the vast majority of shareholders, and therefore the board of directors and management, are primarily interested in the company’s financial performance.

However, the digital age is bringing upheaval to the company and to its ecosystem. "All-digital" now concerns every stakeholder: public administration and public services, national and international infrastructures, defense and intelligence services.

We have reached a point of no return. It offers important opportunities, but it is also a source of fragility and major risk, particularly because cyber threat actors are becoming more professional and have significant resources at their disposal to defraud, spy and sabotage.

The risks for companies are systemic. Shareholders are financially exposed, and directors, who are responsible for defining the company's strategy and ensuring its continuity, are legally exposed if they fail to inform themselves about the quality of data security and information system protection, and if they fail to ensure that an organization, procedures and tools delivering a high level of cybersecurity are in place.

There is no such thing as zero risk, but a board of directors would be considered negligent if it took no action on the company's cybersecurity and an attack then had significant consequences for the company's operations, profitability and reputation.

Financial performance should therefore no longer be the only priority. Financial performance and cyber performance should now be the two priorities of corporate governance bodies.

Should we therefore reinvent the governance body itself: its competences, its functioning, its agenda and its partners?

For 50 years, we have been living through a technological tsunami:

 – 1970: mainframe;

 – 1980: PC (Personal Computer) and client/server;

 – 1990: Internet and e-commerce;

 – 2000–2010: mobile and cloud;

 – 2010–2020: Internet of Things and artificial intelligence;

 – 2020–2030: quantum computing and blockchain.

The digital world is borderless and immaterial, and the threats are invisible.

Digital and related new technologies are transforming the way companies operate and business models.

The main cyber-risks are the malfunctioning of industrial or commercial processes, financial losses, and the loss of considerable amounts of confidential information (strategic information, personal data). They affect every sector, including hospitals, autonomous cars, banks, telecom operators and energy, with potential human consequences.

According to a study conducted in the United States by the National Archives and Records Administration in 2018, 93% of companies that lost their data for 10 or more days declared bankruptcy in the year of the disaster and half (50%) filed for bankruptcy immediately after the attack.

The question is not “when will we be attacked?” but “what can we do to protect the company as much as possible, what can we do in the event of an attack, what can we do to restore systems as quickly as possible?”

Cyber-risk is an integral part of companies and of private life as well (everyone is concerned, both individually and as a member of an organization). It is not just a technical risk.

People are the weakest (and the strongest) link in the entire security chain.

This book does not deal with tools (hardware, software, servers, architecture), but with organizations, processes and behaviors, without which the company cannot improve its performance, security, incident or crisis management, and resilience.

It is about companies exercising their digital responsibility and maintaining or improving the trust of their stakeholders: customers, suppliers, partners and investors.

Only 30 years ago, I experienced the arrival of personal computers (computers and word processing existed, but were not deployed in companies), the digitization of financial operations (accounting, cost accounting, banking relations and cash management, tax returns, reporting tools, accounting and management consolidation, financial relations with customers and suppliers), as well as the digitization of human resources management (payroll, social declarations, recruitment, training), internal and external communication, particularly with the arrival of social networks, production (connected factories and extended companies), marketing and sales of course, and logistics.

All company functions are now concerned, as well as the relations with all stakeholders: customers, suppliers, service providers, subcontractors, shareholders (individual investors, investment funds), board of directors, auditors, employees, subsidiaries, proxy advisers (governance advisers who publicly comment on the proposals made by companies for their general meetings).

Companies are completely digitalized: their data, operations, accounts, processes are intangible; their internal and external communications, their products are connected.

Organizations and work habits have changed, skills have evolved, tools have been transformed, and the classification of documents and of the people entitled to access them has sometimes (often?) been forgotten.

Companies have been able to internationalize thanks to ultra-fast means of communication. We talk to the company across the street just as easily as to companies in the United States or China: only the time difference cannot be eliminated.

Companies share their data with their customers, suppliers, employees, shareholders, subsidiaries, etc. The digital environment gives companies opportunities to create new businesses, new products and services and new customers, and, depending on the sector in which they operate, to optimize their organizations, reduce their costs and improve their internal and external processes with their suppliers, service providers, subcontractors, investors and customers.

Companies are judged on their financial performance (their accounts, results, balance sheet, cash position, share price, growth and earnings potential) and on their non-financial performance (their governance and their social and environmental performance), but…

What about their cyber performance? Data governance and data security, meaning integrity, confidentiality and availability; protection of the personal data they collect, use and archive; and protection of the computer systems that allow these data to be exchanged, stored and modified.

A company may be financially successful, but a failure of its IT system or digital security can seriously affect its ability to sell or produce, to pay its suppliers, to exchange with its subcontractors and thus degrade its financial results, its reputation and the confidence of shareholders and stakeholders.

Cyber-risks are not the prerogative of a handful of specialists in the company but affect overall governance. In addition to the regulatory obligations regarding data security, it is a matter of protecting the company against the risk of loss of value, linked, for example, to the dissemination of confidential information.

"All connected, all committed, all responsible" is the slogan put forward by Guillaume Poupard, ANSSI's Director General, at FIC 2019 [1]. It applies from top to bottom and from bottom to top of private and public organizations alike: the board of directors, the executive committee and all the teams.

The trade war between major powers receives more media attention than cyberwarfare, yet cyberwarfare is a weapon widely used by States, terrorist and criminal organizations, and corporations (for espionage). In addition, data collection is at the heart of the digital economy of the 21st Century, which is built around extracting value from data. This economy is currently dominated by the American and Chinese Internet giants. Finally, cybercriminals exploit the many vulnerabilities of digital tools, and the human vulnerabilities created by organizations that have not adapted, processes that have not been updated and employees who have not been trained.

There have been deaths among the victims of cyberattacks. Silence about incidents is a barrier to awareness. And there are still too many executives and directors burying their heads in the sand.

[1] 11th edition of the International Cybersecurity Forum (FIC).
