Reinventing the Internet for Trust - Accenture
CONTENTS

BUILDING ON TRUST
WHY THE INTERNET CAN’T SUSTAIN THE DIGITAL ECONOMY
    The Internet Just Can’t Keep Up
    The IoT Effect
    Identities in Crisis
    No Flow Versus Free Flow
    The Cost of Insecurity
    Keeping Tabs on Cybersecurity Investments
STEPPING UP TO MAKE A STAND
    ABOVE GROUND: BUSINESS INITIATIVES
        Governance: Join Forces with Other Companies and Govern Globally
        Business Architecture: Connect and Protect with a Business Model That Runs on Digital Trust
    BELOW GROUND: THE INTERNET’S INFRASTRUCTURE
        Technology: Advance Businesses and Enhance Safety Through Technology
PAVING THE WAY FOR A TRUSTWORTHY DIGITAL ECONOMY
APPENDIX
ACKNOWLEDGMENTS
SOURCES
ABOUT THE AUTHORS
Authors

Omar Abbosh
Group Chief Executive, Accenture Communications, Media & Technology
Omar is responsible for the company’s US$8 billion business serving the digital platforms, media, telecommunications, semiconductor and consumer electronics industries. Omar brings three decades of experience to his role, and his experience and deep connections in Silicon Valley enable him to stay ahead of key shifts across multiple technologies.

Kelly Bissell
Senior Managing Director, Accenture Security
Kelly leads the company’s US$2 billion security business across all industries. As a recognized cybersecurity expert, Kelly specializes in incident response, identity management, privacy and data protection, secure software development, and cyber risk management. Kelly’s vision is to help businesses embed security in everything they do.

SECURING THE DIGITAL ECONOMY
Building on Trust

When a person creates an online account, makes a purchase from a website or downloads an app, it’s not just the exchange of data, goods or services taking place.

It’s a transaction in the ultimate currency: trust.

Today, there is a real risk that trust in the digital economy is eroding.

Why? The once open, global Internet has outgrown its original purpose as a communication and information-sharing tool. As the Internet has become more complex, digitally fueled innovation has outpaced the ability to introduce adequate safeguards against cybercriminals.

Unless business leaders take effective action, there is a real risk that this lack of safeguards could reduce the growth of the entire digital economy, hurting both individual companies and the economy as a whole.

CEOs are aware of the problem and have increased spending on cybersecurity in response to escalating cyberthreats. Companies have handled many threats with markedly successful results, but their efforts have not solved the larger problem of Internet fragility.

Attackers need only a single lucky strike, while defenders must be constantly vigilant against any potential type of incursion.

The fragile nature of the Internet is putting the value of the digital economy at risk, which is why CEOs need to end their piecemeal approach and put trust and security at the forefront of business strategy.
In an analysis we conducted with 30 leading technologists, and additional fieldwork with 1,700 C-level executives, we uncovered concrete actions CEOs can take to begin the crucial work of securing the digital economy.

For a practical framework that can help safeguard the Internet’s future, leaders should look to an analogy from the oil and gas industry. Oil and gas executives spend much of their time determining how to maximize production—which often means focusing on the engineering and technology solutions that largely operate “below ground.”

However, innovative extractive technologies are only part of the equation. Executives also have to address the many challenges related to business and operating models, strategy, politics and economics that exist “above ground.”

Similarly, securing the digital economy will take more than fixing Internet technology and network issues below ground. There are also clear opportunities for CEOs to step up on the above-ground business initiatives.

So, what can business leaders do above ground? CEOs can own and drive a secure Internet as a critical component of their business strategies. One key above-ground action would be improving governance.

CEOs need to join forces with other top executives, government leaders and regulators to develop principle-based standards and policies to safeguard the Internet.

Another above-ground action CEOs can take is steering what we call business architecture—a company’s own business model and value chain—in a direction that makes their own enterprise secure. Examples of actions that can be taken include committing to giving data access only to people who need it and who have the right credentials. Importantly, they should extend their commitment to making their own enterprise secure to their partners, applying the same standards to their entire business ecosystem.

And they should ensure that the very idea of a trusted digital economy is embedded in all future business models.
To some CEOs, above-ground decision-making opportunities may seem more accessible than below-ground choices, but leadership is needed in both, even from CEOs outside the technology sector. All CEOs also have the opportunity to influence and inspire technology infrastructure investments below ground. By making decisions to update everything from devices to cables and networks, CEOs can support the complexity and connectivity of today’s Internet while also promoting security.

These technology decisions present the third concrete way CEOs can proactively secure the digital economy. CEOs should embrace new technologies that can advance their businesses and enhance digital safety. Meanwhile, they should elevate their understanding of how the same technologies can introduce unintended vulnerabilities.

But the CEOs whose businesses focus on the Internet itself have an even greater responsibility: They can concentrate explicitly on promoting innovation in the Internet’s infrastructure. Their actions resolve inherent vulnerabilities, enable growth and prepare for the advent of quantum computing, which will present new opportunities and threats.

Building a trustworthy digital economy will take decisive—and, at times, unconventional—leadership from the C-suite. Where should they start? By working collaboratively with each other. If they follow the roadmap detailed on page 7, leaders could bring back the confidence needed in the Internet for individuals, organizations and societies to innovate and grow.
How Leaders Can Address Internet Security: Above ground, the strategic initiatives of CEOs can lead to standards and best practices. Below ground, through innovative technology improvements, CEOs can invest in improving the Internet’s infrastructure.

ABOVE GROUND: Standards and Best Practices

Governance: Join Forces with Other Companies and Govern Globally
74 percent of business leaders say solving the cybersecurity challenges of the Internet economy will require an organized group effort.

Business Architecture: Connect and Protect with a Model Run on Digital Trust
80 percent of business leaders say protecting companies from weaknesses in third parties is increasingly difficult given the complexity of today’s sprawling Internet ecosystems.

BELOW GROUND: Technology Investments

Technology: Advance Business and Enhance Safety
79 percent of business leaders say the rate of technology adoption and innovation has outpaced the security features needed to ensure a resilient digital economy.
Without trust, the future of our digital economy and its nearly limitless potential is in peril. Piecemeal efforts to address cybersecurity issues—including the Internet’s inherent flaws, vulnerabilities from the Internet of Things (IoT), identity and data veracity and increasing digital fragmentation—have fallen short. Through their decisions above ground on industry-wide governance and their business architecture and technology infrastructure below ground, however, CEOs can have the influence necessary to collaboratively address these overarching issues.

Many of the issues affecting today’s Internet are due in part to its rapid growth in both users and applications. The entire digital economy is now dependent on the Internet. At the same time, while businesses, individuals and societies are increasingly connected, those connections are also becoming more complex.

In 2007, there were 1.2 billion Internet users. In 2017, there were 4.2 billion—more than half of the global population.[1]

The number of IoT-connected devices will likely reach 25 billion by 2021.[2]

By 2024, Long-Term Evolution (LTE) networks (also called 4G) will cover an estimated 90 percent of the population, with 5G networks covering about 40 percent.[3]

Handling these connections requires more lines of code, more data and more capacity. Without a more resilient and trustworthy Internet, a single breach can have serious, cascading effects. For example, the 2017 NotPetya cyberattack cost Maersk more than US$300 million, and the damages to all other companies affected totaled more than US$10 billion.[4]

Against this backdrop, with computers and networks so deeply embedded in critical infrastructure such as water supply and public health systems, the risks to both the economy and public safety are high.

Consider the impact of the 2017 WannaCry cyberattack on the United Kingdom National Health Service (NHS). It led to the cancellation of 19,000 appointments and the diversion of ambulances, and ultimately cost almost £100 million.[5]

Yet 79 percent of our respondents reported that their organization is adopting new and emerging technologies faster than they can address related security issues.
Even as 68 percent of CEOs report that their businesses’ dependence on the Internet is increasing, they acknowledge that their confidence in Internet security, already low at 30 percent, will drop even lower if nothing changes to improve it. In the next five years, the confidence level in the Internet is forecast to drop to 25 percent, while dependence on it is assumed to remain at 100 percent. (See Exhibit 1).

Nearly 80 percent of the S&P 500 companies in our analysis have also mentioned cybersecurity initiatives during recent earnings calls.[6]

Five years ago, that figure was just slightly more than 50 percent.

As the Internet’s fault lines are becoming more apparent, companies are trying to build trust equity and are publicly discussing ways to do so. However, only a relatively small percentage of companies are willing to openly discuss breaches—an above-ground issue that CEOs need to address. (See Exhibit 2).

Exhibit 1: Dependence on the Internet is Growing While Confidence in Internet Security is Low and Forecast to Drop to 25 percent Over the Next Five Years.
[Chart: Confidence in Internet and Dependence on Internet, in percent, for 2008, 2013, 2018 and 2023.]
Source: Accenture Research
Exhibit 2: S&P 500 CEO Sentiment Toward Cybersecurity (Based on Transcripts from 11,418 Earnings Calls)
[Chart: Number of companies and Sentiment Change (2013 = 100), by year from 2013 to 2018. Series: Company mentions of cybersecurity; Company mentions of security breaches; Positive sentiment toward cybersecurity.]
Note: Each year is computed as trailing 12 months from September of the previous year to August of the current year. For example, 2018 includes data from September 2017 to August 2018.
Source: Accenture Research
The Internet Just Can’t Keep Up

How did today’s problems of Internet security originate? The Internet was not initially designed to address issues like perpetually increasing levels of complexity and connectivity. It was developed to enable high levels of data sharing, which requires trust.

Researchers during the Cold War aimed to build a trusted communications network underground that could withstand a nuclear attack. Their concerns did not include preventing cyberattacks, largely because modern forms of cyberattack did not exist at the time.

As the Internet evolved from a military asset to an open infrastructure, security considerations, such as they were, focused on preventing physical failures.

Today, many of the base Internet protocols—the set of rules embedded in code so all machines on a network or series of interconnected networks “speak” the same language—are unfit for current demands and are insecure. This has led to increasing challenges below ground that CEOs should address.

Consider the Border Gateway Protocol (BGP), a protocol that has been in use since 1994. BGP routes traffic through cables and connections among service providers, countries and continents. But BGP traffic is vulnerable in transit. In 2017, traffic to and from 80 Internet service providers (ISPs) was briefly routed to an unknown Russian operator, showing how easy it is to reroute information, whether intentionally or accidentally.[7]

Other systems widely utilized on the Internet, such as the Domain Name System (DNS) and the Public Key Infrastructure (PKI), which underpins much of the encryption utilized on the Internet today, are similarly vulnerable to potential attacks.
The IoT Effect

More recently, the rise of the IoT has expanded the surface area of attack for enterprise networks from thousands of end points—including remote devices, such as mobile phones and laptops—to several million for the largest companies.

At the same time, the IoT compels all companies to suddenly manage what are often unfamiliar technology processes, where every connected device is a potential vulnerability.

Take the case of an attack suffered by a North American casino. The casino had an Internet-connected fish tank that fed the fish automatically and monitored their environment.

Hackers managed to use the fish tank’s connection to break into the fish tank monitor and then use this as an entry point into the company’s systems.

The data was then sent to hackers in Finland.[8]

While the IoT has increased digital capabilities, improved efficiencies and unleashed growth opportunities for a wide variety of industries, it has also suddenly created complexity for all businesses, leaving them more vulnerable.
Identities in Crisis

The “most fundamental challenge” facing business and society is around identity, according to Amit Mital, founder of Kernel Labs and former chief technology officer (CTO) at Symantec. But the challenge of authenticating identities and confirming the integrity of data on the Internet also presents a key opportunity for the C-suite to renew trust in the digital economy.

Mital comments: “No individual has a single identity that they use in the digital world. This fragmentation requires too much effort for the individual to ensure consistency, reliability and security. As a service provider, if I cannot trust in the digital identity of a person, then that precludes me from providing services that I might want to provide, or risk providing services to someone who has stolen another’s identity.”

Most individuals who use the Internet have multiple online identities; the average Internet user today manages 27 passwords, up from six in 2006.[9]

In this environment of content over context, Internet users have less ability to ascertain the origin of material they access and whether it is valid. Facebook, for example, closed nearly 300 million accounts, or 14 percent of all accounts, in 2018 after determining that they were fake.[10]

And although 79 percent of the executives we surveyed believe companies are basing their most critical strategies on data, many have not invested in the capabilities needed to verify that data.

“None of us really know what’s happening out there. We have no idea how our data is being used. I think that’s the key issue and we’re [only] seeing the tip of the iceberg with recent data breaches being announced.”
Norman Frankel, chairman of the UK-based iCyber-Security Group
No Flow Versus Free Flow: The Problem of Digital Fragmentation

Another key challenge that demands the attention of CEOs is the increasing fragmentation of the Internet. This trend, fueled in part by security concerns, could by itself stunt future global economic growth. Walled gardens—isolated, secured information systems—are proliferating as countries and regions limit the free flow of data across borders through regulations.

Already 13 countries, accounting for 58 percent of the global GDP, have some version of these regulations.[11] Heightened concerns about borderless cyberattacks, coupled with geopolitical tensions, threaten to result in even greater restrictions. (See Exhibit 3).

Business leaders are already dealing with this reality as they tailor global operating models to countries with more restrictions.

Exhibit 3: Digital Fragmentation Media Coverage
[Chart: Article counts (’000) by year, 2008 to 2018.]
Source: Factiva and Accenture Research Analysis. Factiva search based only on “digital fragmentation”, “splInternet”, “balkanization”, “Internet balkanization”, “cyber war”, “cyber attack”, “data breach”, “data leak”, “cyber threat”, “cyberthreat” as keywords among major global business publications.
The Cost of Insecurity

For CEOs, one of the most glaring challenges of an insecure Internet is the economic cost.

In the private sector, over the next five years companies risk losing an estimated US$5.2 trillion in value creation opportunities from the digital economy—almost the size of the economies of France, Italy and Spain combined—to cybersecurity attacks. (See Exhibit 4).

This translates to 2.8 percent in lost revenue growth for the next five years for a large global company. High-tech industries face the highest risk, with more than US$753 billion hanging in the balance.

Exhibit 4: Value at Risk* by Industry—Direct and Indirect Attacks (Cumulative 2019 to 2023, US$ Billion)
[Chart: value at risk in US$ billion for each industry, total $5.2Tr, split into Direct attacks (77%) and Indirect attacks (23%). Industries shown: High Tech, Life Sciences, Consumer Goods and Services, Banking, Health, Retail, Insurance, Industrial Equipment, Communications & Media, Natural Resources, Utilities, Energy, Travel, Automotive, Chemicals, Transportation, Capital Markets.]
* Expected foregone revenue cumulative over the next five years. Calculations over a sample of 4,700 global public companies.
Source: Accenture Research
Keeping Tabs on Cybersecurity Investments

CEOs are stepping up their spending on cybersecurity to protect their businesses. In its latest security forecast, Gartner projects that such spending was more than US$123 billion for 2018 and will grow by 10.8 percent per year to nearly US$170.5 billion by 2022.[12]

The rising Internet security market is also a hot area for venture capital investors, attracting almost US$33 billion to 2,479 security startups since 2009, exceeding investments in blockchain, which have surged with the interest in business applications and cryptocurrencies. (See Exhibit 5).[13]

Will spending more on cybersecurity lead to a secure digital economy? In our survey, 59 percent of organizations say the Internet is becoming increasingly unstable from a cybersecurity standpoint and they are not sure how to react. While some companies aren’t spending enough, others may be spending excessively in response to their low tolerance for cybersecurity risk. Others spend in the wrong areas, including projects that do not deliver effective risk reduction.

Increasing a company’s cybersecurity budget may not be the answer, according to 61 percent of CEOs who believe that the security issues of the digital economy are far too big for their organization to handle alone. And 86 percent believe that taking business resiliency to the next level requires an ambitious new vision for the Internet.

Exhibit 5: Venture Capital Investments in Cybersecurity (Cumulative Data)
[Chart: Number of deals and Investment amount (US$B) by year, 2009 to 2018*.]
* As of November 2018
Note: CB Insights defines cybersecurity as tech-enabled companies that offer products and services for which the primary use case is the protection of digital and physical assets from unauthorized access and malicious use by cybercriminals.
Source: Accenture Research Analysis on CB Insights Data
STEPPING UP TO MAKE A STAND
How CEOs Can Help Create Digitally Secure Business Models
The oil and gas industry analogy helps reveal the types of actions CEOs can take to address security issues. In the same way that oil executives divide their focus between engineering and technological innovations below ground to advance oil and gas drilling, and above ground to develop appropriate business strategies, CEOs need a two-pronged view of the Internet security issue. To secure a trustworthy digital economy, above ground is where CEOs can own and drive the issue through business initiatives, including decisions affecting business models and ecosystems.

ABOVE GROUND

Leaders can do their part to build a secure Internet through industry-wide standards and best practices. CEOs can step up their governance efforts, forging collaborative relationships with peers, government representatives, regulators and industry association leads. Leaders can also embed the idea of a trustworthy digital economy in the vision for their company’s business architecture, ensuring that security is prioritized within the boundaries of their company and throughout its ecosystem of partners, suppliers and end users.

BELOW GROUND

Technology investments—in everything from devices to cables and networks—present decision-makers both inside and outside companies that control Internet functionality with the opportunity to build a more trustworthy digital economy. CEOs can influence and inspire technology investments that improve Internet infrastructure, but CEOs of some technology companies are in the position to apply specific technological solutions. CEOs that pay to use the Internet as a utility can understand the vulnerabilities from new technologies and influence how the Internet service is delivered securely to them. For example, they can influence investments to update the Internet’s basic protocols and networks.

Meanwhile, CEOs leading companies that build and own the infrastructure and equipment can ensure their products and services are equipped to handle digital business growth and can address the vulnerabilities that new technologies introduce.
ABOVE GROUND: BUSINESS INITIATIVES
Governance: Join Forces with Other Companies and Govern Globally

First, CEOs can take the lead above ground in Internet governance. Of our C-level respondents, 90 percent agree that more secure transactions will not only benefit businesses, but also consumers, government and other stakeholders.

It’s in the enlightened self-interest of large businesses to extend themselves to help build a secure Internet.

To do so, CEOs should collaborate with other top executives and also, where possible, with governments and regulators.

One venue already dedicated to this goal is the World Economic Forum’s Centre for Cybersecurity. Launched in 2018, the Centre seeks to bring partners from “business, government, international organizations, academia and civil society to enhance and consolidate international security.”[14]

Many companies are discovering firsthand that they can’t address Internet security alone. Our survey found companies that have experienced 50 percent or more of their breaches from indirect attacks—targeted at their organization but initiated through partner organizations—are more likely to join or lead efforts to ensure the trustworthiness of the Internet economy. (See Exhibit 6).

But no organization should need a “wake-up call” to join an effort that results in effective guidelines and standards and influences the development of smart regulations. When leaders realize that prioritizing a trustworthy digital economy is a win-win situation, businesses, consumers and governments will all benefit through collaboration.
Exhibit 6: Likelihood to Join or Lead an Organized Effort to Govern a Trustworthy Internet Economy
[Chart: share of respondents who “Definitely would join” and who are “Extremely likely to lead”, for three groups of companies: Less than 24% breaches from indirect attacks; 24%-49% breaches from indirect attacks; More than 49% breaches from indirect attacks.]
Source: Accenture Research

Create an Internet Security Code of Ethical Conduct for Each Industry

A vulnerability in a pacemaker or in an avionic system can have serious consequences. Yet the software professionals who develop them are not required to attain professionally recognized accreditations similar, for example, to those required of surgeons or pilots. Code safety, ethics standards and certifications are overdue.

The creation and maintenance of a trustworthy Internet will require a formal educational system, through which software designers, solution architects, computer engineers and code developers can stay abreast of their evolving responsibilities.

As a first step to that end above ground, CEOs should promote the need for ethical codes of conduct for software professionals for their industry.

86% of our respondents believe that in the next three years organizations in the same industry will work together more to improve resilience for their sector.
Be Proactive with Principle-based Standards

CEOs should not wait for another source to produce an ethical guide or related, principle-based standards. Choosing to proactively propose their own business-relevant, principle-based standards is a more expeditious path.

CEO guidance can, in fact, influence regulators to put in place standards that can apply to existing and future technologies instead of myriad detailed rules specific to each new technology development. For example, two-factor authentication to access banking services was already the industry standard in several markets before European regulators required it.

CEOs—especially those of device manufacturers, digital platforms and software and telecommunication providers—are uniquely positioned for this more business-friendly approach and have a responsibility to discuss design security standards for the following:

Devices: to ensure product transparency, the ability to make software updates and successful pre-release testing and basic offline functionalities.

Data: to limit unnecessary data collection or usage,[15] anonymize data, enable users to control their data and make it clear to customers that their data is being stored and used responsibly.[16]

Algorithms: to ensure transparency, auditability and fairness.[17]

Networks: to help ensure secure connection to consumers, help them in device configuration and inform them about infrastructure infections.

Protocols: to provide authentic routing information and reduce domain name hijacking.
Promote Consumer Control of Digital Identities

Advocating for individual control of data is more than a good public relations move. Of our C-level respondents, 86 percent say that their organization’s access to digital identities is important to its ability to offer innovative customer solutions. And 87 percent of C-level respondents recognize that customers should have the right to decide how to help secure their digital identities. Maintaining the trust of customers and protecting their digital identities is paramount to the growth of the digital economy.

CEOs can’t afford to stay out of above-ground debates that are already starting to take place. Regulators are discussing how countries and regions must protect people’s digital identities and users themselves are becoming increasingly concerned about their online privacy. In the United States and Europe, lawmakers have already proposed or enacted regulations over consumer data privacy and Internet security.

There are two models of digital identity that CEOs should consider as influential in the discussion. In a centralized system, a single organization establishes and manages the identity system. For example, with Estonia’s e-identity system, citizens are able to provide digital signatures and access a range of services using their ID cards (which have encrypted chips), Mobile-IDs (in which people use a phone) or Smart-IDs (which require only an Internet connection, no SIM card). As the Estonia example demonstrates, centralized systems can be built with specific purposes in mind to give controlling organizations such as governments the ability to vet identity data.

The alternative model is decentralized and requires the contribution of multiple entities. Its governance is more challenging unless clear rules are in place and identity can be ascertained—for example, by using blockchain technology.

As the World Economic Forum noted in a September 2018 study,[18] whatever model prevails, digital identities are deeply embedded in daily activities, leading to greater complexity and responsibility. One thing is clear: There will be mounting pressure for control over personal identity data to gravitate toward individual users. Educating customers and the general public about how to protect and use personal information shouldn’t be overlooked. Being a champion of privacy and responsible management of digital identity combines sound business and corporate citizenship practices.
Commit to Sharing Information About Cyberattacks; Help Reduce the Stigma

With the heightened scrutiny on the response to cyberattacks—whether they are far-reaching or not—in the long run, transparency will build trust with everyone from suppliers to customers.

Otherwise, businesses run the risk of encountering “trust incidents,” which the Accenture Strategy Competitive Agility Index shows can have a negative effect on the bottom line.[19]

To reduce the stigma from encountering these trust incidents, leaders can commit to sharing information about successful attacks and breaches.

When a company is willing to acknowledge an attack, it paves the way for more transparent work with other organizations and experts, improving their ability to resist new attacks and boosting data reliability.

Consider this: In 2018, UK-based BT created an online portal, the Malware Information Sharing Platform (MISP), to share information about malicious websites and software with other Internet service providers—a pioneering move for a telecommunications major. It went on to sign a deal with Europol to share knowledge about cyberthreats and attacks.[20]

Of our survey respondents, 85% already keep a careful eye on the latest security issues emerging in the Internet economy. Increased transparency will make those efforts more valuable.
Business Architecture: Connect and Protect with a Business Model That Runs on Digital Trust

To decrease the likelihood that security measures can be compromised, CEOs can make the concept of a trusted digital economy an explicit part of their organization’s business model. That commitment to make security a foundational requirement should also reach through the company’s entire value chain—to every partner, supplier and customer. It takes just one click to court disaster, and that click can occur inside or outside the company’s walls.

That’s why companies need multiple layers of control to create a system that runs on digital trust, where access is given only to people who need it, wherever they are.

To ensure a trustworthy digital economy, CEOs can embed security into their business architecture—their company’s business model and value chain, including their leadership structure.

As Michael Hermus, founder and CEO of Revolution Four Group and former CTO of the United States Department of Homeland Security, told us regarding the vigilance that CEOs should embed throughout a company, “You don’t necessarily trust something because it looks friendly, but you really need to know exactly what it is, who it is and where it’s coming from.”

The first steps toward a model that ensures this trust occur within the boundaries of the organization. These steps cover the basics—security’s low-hanging fruit (as detailed in the appendix, Become Brilliant at the Basics).

They should be considered essential, as internal staff—either by mistake or with malicious intent—account for a sizable share of breaches. But they’re also insufficient on their own. Alone, they are not nearly an adequate defense in the age of mobility and cloud technologies.

That’s why it is also important to take additional measures, including articulating a security by design vision, holding line of business leaders accountable for security, bringing CISOs to the board and closing off areas of exposure throughout the company’s value chain.
Prioritize Security By Design

Security can’t be an “add-on” feature for products and services. Instead, CEOs should articulate a vision of “security by design” from the earliest stages of development, even in the face of pressure for short-term performance.

This requires additional investment at each stage of development, but these costs often pale in comparison next to the cost of fines, recalls, lawsuits and loss of consumer confidence that companies will eventually face if they don’t embrace security by design.

Although it may seem like a drastic step, CEOs who take this path probably won’t be alone. In fact, 83 percent of our survey respondents agreed that organizations must recognize the trade-off between time to market and ensuring secure, sustainable growth through technology—and always choose secure growth.

Make Line of Business Leaders Accountable for Security

Adjusting a company’s remuneration system can underscore the urgency of cybersecurity concerns to leaders who are frequently rewarded for short-term financial results.

Companies can align the individual, short-term incentives of business line managers to the longer-term cybersecurity interests of the company.

One major multinational bank has strengthened cybersecurity by including the company’s long-term cybersecurity interest as a factor for calculating the bonuses of the leaders of all lines of business.
Bring a CISO to the Board

About two decades ago, as the IT department left the back office to establish itself as the nervous system of a business, chief information officers (CIOs) started to appear on corporate boards. Likewise, chief information security officers (CISOs) today can follow a similar evolutionary path.

Managing cybersecurity doesn’t mean simply avoiding software problems. It means ensuring the resilience of the entire business.

Their area of responsibility has become too important to be confined to a single department or buried deep in the CIO organization. One United States bank has already elevated a retired CISO to the board, forging a path for others to follow.

Recruiting a CISO or former CISO to the board provides the opportunity to educate fellow board members, helping them become more cyber-savvy and better risk managers. The CISO would gain a deeper perspective on the organization. As a result, the CISO could increasingly articulate how cyber risks intertwine with other risks and inform leaders’ strategic decisions.
Protect the Entire Value Chain

Based on our analysis, we estimate that if all companies collaborate to impose high standards on partner organizations, businesses can expect to save up to US$2.6 trillion. This means that CEOs should ensure that their vision is taken into account in each interaction their company has with suppliers, clients and all other parties in their value chain. In practice, this should translate into a constant vigilance with the trustworthiness of each of the company’s connections.

John Clark, professor of computer and information systems at the University of York, explained the domino effect of a lack of trust in one sector on another. “It just contributes to the denigration of trust overall rather than just in a specific application or location,” Clark said.

Just as CEOs can take tangible measures to limit the far-reaching effects of cyberattacks in their ecosystem, they have other key opportunities to protect trust for the digital economy as a whole.

Of the corporate leaders surveyed,

82% note that it is difficult to control indirect cyberattacks that are targeted at their organization but initiated through partner organizations.

62% agree that it is the responsibility of large organizations to foster a digital ecosystem that includes small and medium businesses to help them operate in a trustworthy digital environment in the interests of all.
BELOW GROUND: INTERNET INFRASTRUCTURE
Technology

Advance Businesses and Enhance Safety Through Technology

Inside and outside the technology sector, all CEOs have a role to play when it comes to the technology for a secure Internet.

The CEOs who oversee technologies powering and protecting the Internet can deliver solutions securely below ground—for the Internet’s basic protocols, devices, advanced networking and computing.

But all CEOs can ensure the growth of the digital economy by demanding a safer, more crime-resistant Internet for their business.

Chuck Robbins, CEO of Cisco, addressed this opportunity in his remarks at a recent World Economic Forum event.

“As tech leaders, we have to step up and get in the middle of these issues. We cannot wait for governments to solve them. Companies who compete with each other need to put that aside to bring our experience together to help us get at this problem.”
Chuck Robbins, CEO, Cisco21
Resolve Vulnerabilities in Basic Internet Protocols

Realizing long ago that the main line of defense against cyberthreats doesn’t take place at the end points (personal computers, mobile phones and IoT devices), the technology community has proposed solutions to add security to the base Internet protocols.

For example, to solve the vulnerabilities of the Domain Name System (DNS), a technology called DNS Security Extensions (DNSSEC) digitally “signs” data so a user knows it’s valid.

Because this is a highly technical issue, the biggest impact of the majority of CEOs will be to influence Internet service providers—and others who manage hardware—to upgrade systems against vulnerabilities.

As the IoT age continues to proliferate end points, the base Internet will require an alternative to Transmission Control Protocol (TCP)—a system that sends data packets over networks on the Internet—to support offline sessions and provide a secure alternative for multiple devices that were previously sharing an IP address.

Investments in new protocols produce benefits only if enough networks choose to invest. CEOs are in a position to influence Internet service providers as a first action to make the Internet more secure and to invest in implementing better base Internet protocols. The leverage of a CEO to influence below-ground activities should not be underestimated.
Heighten Security at the Edge

The edge computing universe—including servers, mobile phones, IoT devices—represents a revolutionary stage of the Internet to analyze data in real time.

Instead of sending data across long routes and processing it in a centralized data center or the Cloud, it’s processed near the edge of a computer network where data is generated.

But the variety of devices computing at the edge means security practices are inconsistent across technologies. Indeed, 86 percent of our respondents agree that security needs to be embedded into technology, particularly with regard to the IoT and Industrial IoT (IIoT).

Software development life cycles, including those developed by the National Institute of Standards and Technology (NIST), are being modified to ensure that software security and update functions are embedded from the beginning.

Following a 2016 vulnerability in Tesla’s WiFi and onboard entertainment system, Tesla not only patched the bug via over-the-air updates but also implemented a code-signing policy under which all firmware in cars needs to be validated and verified.

Today, Tesla implements dozens of safety and security measures annually; its cars do not carry model years, reflecting the idea that cars are evolving into devices that can be improved regularly.22

As the example of Tesla demonstrates, technology CEOs can make greater use of network architectures to more quickly detect and mitigate edge-related threats.

Through collaborative work with cross-industry coalitions, they can develop standards for edge devices, establish certification frameworks similar to international mobile phone standards and incentivize the ongoing adoption and evolution of security innovation.
Embrace the Advantages of Software-Defined Networking

Software-Defined Networking (SDN) is a maturing architecture that creates dynamic network environments that exist for the limited time required to complete specific tasks.

Its short-lived nature makes network end points difficult to identify and the network pathways harder to find and attack than those of traditional fixed network solutions.

SDN improves network control by enabling Internet service providers and other businesses to respond quickly and cost-effectively to high-bandwidth demands. It also automatically enables “ring-fenced” data centers if it detects malicious activities, limiting the chance of contagion.

While some CEOs may be deterred by the cost of deploying SDN, those of large companies could have the resources to contribute to this technology. Others can “inspire and influence” its development for the benefit of all.

Tackle the Question of Quantum

No longer science fiction, quantum computing exploits the laws of quantum mechanics to process information with quantum bits, or qubits, instead of manipulating long strings of bits encoded as a zero or one. Opportunity areas for quantum computing could be in fraud detection for financial services, supply chain and purchasing, advertising scheduling and advertising revenue maximization for the media industry.23

There is no agreement about when a quantum computer that surpasses the capacity of a traditional computer will be available, but two things are clear. First, quantum computers will provide a significant boost to the world’s computing power. Second, they will be able to more easily break most current encryption methods.

These points generate much uncertainty about the future of cybersecurity. The most productive course for CEOs is to move ahead with current security activities and stay informed of the evolution of quantum computing. In practice, leaders can position themselves for quantum-resistant encryption by appointing a working team of “quantum monitors” to identify where the technology is most likely to impact their business security.

Accessing emerging application programming interfaces (APIs) will enable businesses to develop pilots for quantum-based optimization, sampling and machine learning. Through such pilots companies can test, learn, iterate and stand ready.
PAVING THE WAY FOR A TRUSTWORTHY DIGITAL ECONOMY
Today’s security strategies are, in large part, still responding to yesterday’s challenges. From reports of exposed personal information to data misuse, trust incidents are becoming increasingly visible to the public. Regaining lost trust is an uphill battle. And many CEOs aren’t aware of its value until it’s too late.

Our research shows businesses can quantify the impact of a trusted digital economy on the bottom line, and 90 percent of our respondents say a trustworthy digital economy is very or extremely critical to their organization’s future growth.

The actions of CEOs—driving above ground and influencing below ground—matter.

CEO engagement can drive a trust turnaround for the Internet and secure the future of the digital economy.

By embracing and developing technologies that can advance their businesses and enhance digital safety,

By joining forces with other CEOs, public sector leaders and regulators, they can develop much-needed guidelines and oversight mechanisms.

By protecting their own organization and extending protection through its value chain, they will safeguard the business ecosystem.
APPENDIX
Become Brilliant at the Basics

Adopting Best-in-Practice “Cyber Hygiene” Techniques Means Becoming Brilliant at the Basics, Including:

Training people

When a company starts using technology that many or even most of its relevant employees don’t understand, the firm is bound to suffer from lost opportunities or higher cyber vulnerabilities—or both. Security will be determined by the company’s weakest link; often that is an employee who inadvertently presents the opportunity for a breach. Yet systematic training is, in general, still not accepted as a basic practice, even with attacks increasing in frequency, size and scope. Incentives are also important: Some companies are linking executives’ remunerations to security.

Protecting against phishing

Hackers often use social engineering tactics, such as phishing, to attack companies, so training to avoid falling in this trap is especially important.

Patching

Unfortunately, when a company detects a vulnerability, the fix is often put off until security managers and staff “have time.” Now is the time to prioritize fixing any detected weaknesses.

Passwords

Though it sounds obvious, many companies still struggle with the implementation of cybersecurity basics, such as sound password policy. Multifactor authentication should be the default option for every business.
The Value of Cybersecurity for Businesses and Society

Many have talked about the costs of cyberattacks, but what about the other side of the coin? How might better cybersecurity practices create value for businesses and society?

Driven by understanding both the cost of crime and the potential of a trustworthy digital economy, we conducted our analysis in three steps.

The Expected Cost of Cybercrime

We began by estimating the expected cost of cybercrime in terms of revenue for a company of a given size in a range of industries. We measured the value exposed, considering the risk of small (less than 90,000 records impacted) and big (more than 90,000 records impacted) attacks and the probability of their occurrence. Revenues by company size and industry were sourced from Capital IQ. Calculating the cost of small attacks required the following elements:

Annual costs of cybercrime by company size and industry, sourced from Ponemon Institute data for the Accenture 2018 Cost of Cybercrime study.

The industry average number of days it takes to fix damage caused by an attack and the average number of attacks in a year, sourced from the survey report “Gaining ground on the cyberattacker: 2018 State of Cyber Resilience.”24

We drew the estimated cost of a big attack from our event study, described below in the section entitled “The impact on revenue of a big, public event.” We sourced the probability of a big event from Ponemon Institute data for the Accenture 2018 Cost of Cybercrime study. The findings of our survey (conducted for this study) provided the portion of attacks coming through third parties.

$$
\text{Expected cost of cybercrime} = \underbrace{\text{Probability of facing small attacks} \times \text{Cost of small attacks}}_{\text{Expected cost of small attacks}} + \underbrace{\text{Probability of facing big attacks} \times \text{Cost of big attacks}}_{\text{Expected cost of big attacks}}
$$
The Value at Risk for Businesses

Next, we estimated the expected value at risk by industry. We calculated the total industry revenues and multiplied those figures by the expected cost of cybercrime.

The sample consisted of 4,700 companies. These were publicly listed companies with more than 250 employees, operating in the industries under scope and headquartered in the countries under scope.

Company revenues were sourced from Capital IQ. Revenue forecasts for the 2018 to 2023 period were obtained by extrapolating current revenues forward, according to the 2011 to 2017 CAGR from Capital IQ data.

$$
\text{Value at risk for businesses} = \text{Expected cost of cybercrime} \times \underbrace{\text{Company average revenue} \times \text{Number of companies in our sample}}_{\text{Total industry revenue pool}}
$$

The Economic Picture for a Trustworthy Internet

Finally, we analyzed how an increase in companies’ cyber resilience and the trustworthiness of the Internet could translate into less value at risk for business and society. We modeled econometrically how companies’ lower vulnerability, measured by the number of attacks suffered and the number of days it takes to solve an incident, reduces the cost of cybercrime after the introduction of better cybersecurity practices. We then estimated how this gain translates into value for society.

We estimated an econometric model to calculate the probability for a company of (a) receiving a certain amount of attacks and (b) solving a data breach within a certain period of time.

The data set comprised 4,500 companies in the Accenture 2018 State of Cyber Resilience survey.25 The explanatory variables included: 1) the percentage of spend in cybersecurity over total IT spend; 2) whether companies impose high standards on business partners, and; 3) whether companies had made significant cybersecurity investments in the prior six months.

We used the estimated coefficients to recalibrate the Value at Risk Model and formulate an alternative scenario in which every company: 1) regularly (every six months) makes significant investments in cybersecurity; 2) invests as much as the top 20 percent of performers in cybersecurity; and 3) imposes high standards on business partners.
The Impact on Revenue of a Big, Public Event

We identified unique cyberattacks that were publicly announced by the companies attacked using Breachlevelindex.com by Gemalto. Breachlevelindex.com collects the information of all public attacks since 2013. Each attack is assigned a risk level from 1 to 10, where events above a risk score of 5 are classified as critical to severe.

We collected all the events that had a risk score above 5, then we excluded events related to government agencies and universities. Our final sample included 460 unique events and 436 unique companies. Among them, approximately 80 are publicly traded. For these 80 companies, we collected revenues information from S&P Capital IQ.

In the event of negative cybersecurity events, revenues experienced a decline. To identify a causal effect, we created a control group composed of the top 10 peers (as defined by S&P Capital IQ) of each breached company. Under the assumption that the control group was not breached, we used an event study methodology (diff-in-diff estimation) to compare the two sets of companies and calculate the percentage change in revenues, comparing eight quarters before and after the event.

[Exhibit 7: Big and Public Cyberattack Impact on Revenue. Chart of revenues (event quarter revenues = 100) from eight quarters before to eight quarters after the event, for companies suffering an attack and companies not suffering an attack. Source: Accenture Research]
Transcript Analysis

Our transcript analysis was based on transcripts of earnings calls of companies present in the S&P 500 as of October 1, 2018.

We collected 11,418 unique transcripts from S&P Global, covering a time frame from September 1, 2012, to August 31, 2018.

Text data was analyzed using two different algorithms: one to identify mentions and discussion about cybersecurity; and another to calculate the intended strategy toward cybersecurity.

We identified cybersecurity mentions by checking for certain keywords (and possible combinations of those keywords) in each sentence in the transcripts. When we found a match, we marked the sentence as being cybersecurity related. We used the following keywords: cybersecurity, cyberattack, cyberthreat, cybercrime, cyber incidents, cyber intrusions, cyber theft, cyber fraud, malicious cyber activity, adverse cyber event, data leak, data breach, malware, ransomware, spyware, IP theft, DDoS attack.

Using a proprietary neural network algorithm that captures a company’s attitude toward cybersecurity, we then calculated an intended strategy.

Our model uses a long short-term memory neural network (a deep learning NLP model that accounts for word order and context) to identify a company’s strategic orientation and long-term focus, and the clarity of its strategic vision.

To develop our AI, 900,000 sentences were randomly selected. This set was further split into three subsets:

a training dataset (80 percent),
a testing dataset (15 percent) and
a cross-validation dataset (5 percent).

Subsequently we applied the estimated model to all the sentences from our transcript dataset.
Acknowledgments

Authors
Omar Abbosh
Kelly Bissell

Project Team
Edward Blomquist
Tomas Castagnino
Francis Hintermann
Lynn LaFiandra
Ryan LaSalle
Regina Maruca
Vincenzo Palermo
Tom Parker
Eduardo Plastino
Virginia Ziegler

Research Lead
Luca Gagliardi

We would like to thank the following business leaders, experts and practitioners for their valuable insights during our interviews and conversations:

Jay Best, Crypto Strategy Advisor, Itsa Ltd.
Elaine Bucknor, CISO, Sky TV
John Clark, Professor, Computer and Information Systems, University of York
Afonso Ferreira, Professor, Director of Research, CNRS - Toulouse Institute of Computer Science Research
Norman Frankel, Chairman, iCyber-Security
Per Gustavson, Information Security Expert, GDPR, Göteborgs Stad
Jeff Hancock, Co-Founder and Chief Operations Officer, getFIFO
Muhittin Hasancioglu, Former VP and CISO, Royal Dutch Shell plc
Michael Hermus, CEO & Managing Partner, Revolution Four Group, LLC
Naoki Kamimaeda, Investor, Mad Street Den
Arthur Keleti, IT Securities Strategist, T-Systems
JJ Markee, CISO, Kraft Heinz
Amit Mital, CEO at Kernel Labs Holding Llc, Former CTO Symantec Corporation
Peter Morgan, Founder and CEO at Deep Learning Partnership
Tony Sager, Senior Vice President and Chief Evangelist, CIS (Center for Internet Security)
Adam Segal, Director of the Digital and Cyberspace Policy Program; Council on Foreign Relations
PW Singer, Senior Strategist; New America
George Smirnoff, CISO, Synchrony
John Valente, CISO, The 3M Company
Uwe Wirtz, CISO, Henkel