Moreover, "In November 2016, the EIU surveyed 150 board members and C-suite executives in a wide variety of functional roles, from business development to operations to strategy; about half the respondents work in companies with global annual revenues exceeding $500m." The survey's key findings are listed below in their entirety:
- Widespread social issues present business risk for companies around the globe. The underlying causes of insecurity, be they social unrest, geopolitical violence or societal risks, manifest themselves in many ways—physical threats and cyber threats among them. These threats, and the efficacy of the political and business organizations tasked with addressing them, have the potential to affect and curtail business decisions.
- The causes of security risks, while far-reaching and diverse, are amenable to collective action. In the survey, poverty, income inequality and resource scarcity topped the list of external threats corporations cite as risks to their physical and cyber security. Many of these lie beyond the scope of any single company or collection of companies to influence. However, many executives believe that the business community is beginning to collectively address a number of criminal exploits driven by the motivations, particularly those related to cyber insecurity, and that more such action is feasible and desirable.
- Collective action on root causes of insecurity is likely to become more prevalent after internal security efforts reach a level of maturity. Organizations, particularly smaller ones, often struggle to develop and fund credible security programs. And many companies, regardless of size, have not embraced collective efforts to address root causes because they look to government entities to make changes. However, larger and more sophisticated organizations are embracing greater cooperation and coordination to address deeply rooted threats, particularly around cyber security issues.
- Root causes of insecurity are increasingly on the radar. Survey respondents agree that corporate boards need a better understanding of the underlying causes of insecurity and that cyber threats receive insufficient political attention. There is an acknowledged need to better understand security threats among corporate leadership, and it's worth noting that many interviewees cite progress on this front.
- Physical and cyber security issues are converging. The underlying drivers of insecurity create both physical and cyber risk. And, indeed, the two kinds of risk are converging. On the one hand, the best technical IT security solutions will be weakened if personnel access is poorly controlled; on the other, improved physical security relies more and more on digital systems. Corporate leaders must recognize this convergence; management structures and mitigation efforts must also take this convergence into account.
- Obstacles to confronting the causes of insecurity are many. Business leaders are trying to assess security risks honestly and comprehensively but the survey finds little consensus about the chief obstacles that prevent or constrain companies from taking a more active role in addressing underlying causes of risk. The most frequently cited reason is that no agreement exists within the organization on how best to address such issues. Additionally, many companies feel their interference would be frowned upon by political authorities.
- Executives show confidence in political and organizational authorities' ability to mitigate the causes of insecurity. In an uplifting show of faith, two-thirds of executive survey respondents say the business community and political authorities in their home countries are well-prepared to address systematically the causes of insecurity.
While businesses and political authorities put those efforts in place, there are some immediate avenues companies can take to better address the threats they face.
- Education. There is growing recognition of the need for education efforts—both internally, among employees whose buy-in is important to make a security program effective, and externally, so the public becomes savvier about threats. This is particularly true of cyber security.
- Cooperation and joint efforts. Interviewees say that in pursuit of greater cyber security, cooperation among public organizations and private authorities has greatly increased in just the last few years. This shift, along with the development of alliances and forums for information sharing, indicates that threat information and response tools are being deployed more effectively. In some instances, cooperation now occurs almost in real time in response to attacks or incidents. Organized action in which multiple players come together with a plan to address points of vulnerability is also getting increased attention from corporate leaders and cyber specialists.
In addition, corporate leaders' support for cooperative forums and the fostering of cooperation by encouraging "cyber security managers to share information about breaches and attacks outside their own enterprise in real time when necessary to respond to an incident" are essential components of a strong security program.
I strongly agree that "the need for better employee training has been embraced, but education of the public in cyber safety best practices has a long way to go." And businesses that communicate with their customers, "especially in transactions that involve payments or sensitive data, have a special opportunity to educate those customers in better security practices."
Lastly, on the topic of improving device security, the report is correct to note that "the need to get consumer device makers to implement more robust security protocols is urgent as the Internet of Things proliferates. Business and internet leaders should encourage discussion over how best to make that happen."
Aaron Rose is a board member, corporate advisor, and co-founder of great companies. He also serves as the editor of Solutions for a Sustainable World.