The world is going digital at an unprecedented pace. Established business models are reaching the end of their life cycle. New market entrants are disruptively entering the arena with asset-light balance sheets, build upon platforms and apps, which turn the dynamics of competition upside-down. Technology, media and entertainment, and telco (TMT) companies are at the forefront of this wave.
Although many TMT companies are leaders in digital transformation, they arguably more vulnerable to cyber-attacks than other industries, with the consequences of a breach more serious as highlighted in EY’s GISS 2018-19. Unlike the global panel, this excerpt focuses on consolidated findings from TMT companies.
Digitization may make TMT companies more operationally agile and streamlined, but it also exposes virtually every part of their content and operations — from IP rights to trade secrets to semiconductor design to intrusion. Traditional industries such as manufacturing and transportation can involve significant switching costs to customers. Not so for many companies in the TMT sector — in which competitors are literally just a click away for the dissatisfied customer.
The IoT and converging infrastructure broaden the attack surface
TMT companies are placing high priority on securing the internet of things (IoT) with 43% of all TMT respondents ranking it their #1 issue. While the IoT has many benefits for TMT companies — digitizing a carrier’s entire network, or full robotic automation of a warehouse — it can also present higher cyber-risk. Especially due to the convergence of operational technology (OT) and corporate IT networks, production systems are increasingly exposed toward disruption and outages. For instance, by placing a company’s operations on an IoT platform, it can increase the level of vulnerability (e.g., more attack vectors) and present much more painful consequences when experiencing a security incident (e.g., DDoS attacks or ransomware attacks on production systems) that can bring the business to a standstill.
The changing threat landscape still represents a major challenge. Few TMT companies have high confidence that they will be able to detect breaches of their systems, and that they will be able to determine whether customer records and other critical data has been compromised. Only 1 in 4 (23%) TMT executives believe it is very likely they could even detect a major attack. TMT companies, like many others, are facing a talent shortage in digital transformation, and an especially acute shortage in cyber-security skills. This leaves them highly exposed to their cyber adversaries.
An under-resourced threat
According to Fortune Magazine’s ranking, 50% of the world’s 10 most admired companies are from the TMT space – far more than any other sector. While it takes ages and costs billions to build the brand — a company’s bond with its customers — it can be severely harmed overnight by only one successful cyber-attack.
As highlighted in the EY report, global companies spent almost a staggering US$600 billion on marketing and brand efforts in 2016 but only allocated about one-tenth to cyber-security. Given the scale of the cyber-threat, the investments made, and precautions taken appear to be artificially low.
In fact, findings of the EY report reveal that TMT companies spend less than half of what is needed to reach acceptable levels of cyber-resilience. The sector is not making it anywhere near the commitment that is believed to be needed in order to safeguard customer data and their brand. On average, TMT companies project to growth their cyber-security budget by 10.4% over the next 12 months. However, 21.0% growth in funding would be needed to protect company in line with company’s risk tolerance. This is an important example of an under commitment being made by TMT companies to reach their own standards of cyber-security.
Data theft and sabotage are top concerns
Customer data remains the prime target of the cybercriminal. A severe breach could create a public perception of a company as an unsafe enterprise to do business with — a negative branding and trust issue that could take years to recover from.
However, business continuity management (BCM) is equally important. On the flipside of being digital leaders, more so than other industries, TMT companies heavily rely upon the availability of their various services and platforms. Some studies estimate that the knockout of a single cloud provider could already cause $50 billion to $120 billion in economic damage—on a par with the aftermath resulting from Hurricane Katrina and Hurricane Sandy. For instance, distributed-denial-of-service (DDoS) attacks could take an organization out of business for multiple hours. DDoS attacks have significantly grown in size (take GitHub as one prominent example), complexity and frequency, representing a lurking danger to TMT companies.
Thanks to the emergence of the various illegal marketplaces on the Darkweb, engaging in cybercrime and hiring a hacker has never been any easier. Whether they originate from internal staff, disgruntled customers, activist groups, organized cybercriminal syndicates or even state-sponsored actors, cyber-threats are commonplace. While acknowledging the cyber-risks, TMT companies are not placing a high enough priority to mitigate them.
It’s undeniable that cyberattacks will not only continue but increase in velocity and sophistication, including targeting data, media companies and cloud providers, and IoT platforms. Companies taking their cyber resilience too lightly severely put their reputation at risk. The brand is a critical asset that demands the highest protection, requiring TMT businesses to put more emphasis on protecting all brand-related assets. This includes “ring fencing” purchasing information, passwords, transaction records, and PII data.
However, TMT companies need to rethink their resilience beyond the risk of data theft or compromising data records. For instance, when platforms, apps or media contents are unavailable due to system outages, both revenue and reputation is equally at risk.
In addition, TMT companies that build and sell IoT products should manage cyber-security risks throughout the IoT ecosystem from development, production and most importantly, active maintenance.
Many cyber-security programs — managed by IT specialists — focus on highly technical solutions to defend against cyber-attacks. Companies should recognize that attackers can potentially be their own employees, and detecting malicious lateral movements inside the network perimeter is equally as important. Cyber-security training, supervision and accountability — in short, an employee culture of cyber-security focused on vigilance — are critical to defend against cyber-attacks.
Many cyber experts privately acknowledge that their companies will be breached at some point. Ability to respond is as important as the capability to defend: companies should have in place a proactive incident response and recovery plan — including a communications plan, incident response process, forensics capability, governance and technical recovery procedures — that can help minimize damage, enable legal diligence and accelerate the company back to the trust of its customers.