CEOs need to step up to the plate
We are well aware that we live our lives within the digital economy. Facebook and other social media platforms have become meeting places. Chatrooms replace the weekly visit to the therapist and companies such as eBay and Amazon make it conveniently easy to becomes a self made social pariah and not deal with people on a daily basis.
Even online gambling is eating away at the profits of Las Vegas and Sun City. Although, this is something that my wife says must stop. Little does she know…
But have we created a monster? Has the digital economy become so big that we cannot keep pace with its growth? This is a major concern that was discussed in a recent report released by Accenture titled Securing the Digital Economy: Reinventing the Internet for Trust.
Without trust, what do we do?
The report points out that without trust, the future of our digital economy and its nearly limitless potential is in peril.
Piecemeal efforts to address cybersecurity issues—including the Internet’s inherent flaws, vulnerabilities from the Internet of Things (IoT), identity and data veracity and increasing digital fragmentation—have fallen short. Through their decisions above ground on industry-wide governance and their business architecture and technology infrastructure below ground, however, CEOs can have the influence necessary to collaboratively address these overarching issues.
Many of the issues affecting today’s Internet are due in part to its rapid growth in both users and applications. The entire digital economy is now dependent on the Internet. At the same time, while businesses, individuals and societies are increasingly connected, those connections are also becoming more complex.
The reports adds that, in 2007, there were 1.2 billion Internet users. In 2017, there were 4.2 billion—more than half of the global population. The number of IoT-connected devices will likely reach 25 billion by 2021. And by 2024, Long-Term Evolution (LTE) networks (also called 4G) will cover an estimated 90% of the population, with 5G networks covering about 40%.
The report points out that handling these connections requires more lines of code, more data and more capacity. Without a more resilient and trustworthy Internet, a single breach can have serious, cascading effects.
For example, the 2017 NotPetya cyberattack cost Maersk more than $300 million, and the damages to all other companies affected totalled more than $10 billion.
The reports adds that, against this backdrop, with computers and networks so deeply embedded in critical infrastructure such as water supply and public health systems, the risks to both the economy and public safety are high.
Consider the impact of the 2017 WannaCry cyberattack on the United Kingdom National Health Service (NHS). It led to the cancellation of 19 000 appointments and the diversion of ambulances, and ultimately cost almost £100 million. Yet 79% of our respondents reported that their organization is adopting new and emerging technologies faster than they can address related security issues.
Even as 68% of CEOs report that their businesses’ dependence on the Internet is increasing, they acknowledge that their confidence in Internet security, already low at 30%, will drop even lower if nothing changes to improve it.
The report points out that, in the next five years, the confidence level in the Internet is forecast to drop to 25%, while dependence on it is assumed to remain at 100%. Nearly 80% of the S&P 500 companies in our analysis have also mentioned cybersecurity initiatives during recent earnings calls.
Five years ago, that figure was just slightly more than 50%. As the Internet’s fault lines are becoming more apparent, companies are trying to build trust equity and are publicly discussing ways to do so. However, only a relatively small percentage of companies are willing to openly discuss breaches— an above-ground issue that CEOs need to address.
The Internet Just Can’t Keep Up.
The report asks an important question, how did today’s problems of Internet security originate?
The report points out that the Internet was not initially designed to address issues like perpetually increasing levels of complexity and connectivity. It was developed to enable high levels of data sharing, which requires trust.
Researchers during the Cold War aimed to build a trusted communications network underground that could withstand a nuclear attack. Their concerns did not include preventing cyberattacks, largely because modern forms of cyberattack did not exist at the time.
The report adds that, as the Internet evolved from a military asset to an open infrastructure, security considerations, such as they were, focused on preventing physical failures. Today, many of the base Internet protocols—the set of rules embedded in code so all machines on a network or series of interconnected networks “speak” the same language—are unfit for current demands and are insecure.
This has led to increasing challenges below ground that CEOs should address. Consider the Border Gateway Protocol (BGP), a protocol that has been in use since 1994. BGP routes traffic through cables and connections among services providers, countries and continents. But BGP traffic is vulnerable in transit. In 2017, traffic to and from 80 Internet service providers (ISPs) was briefly routed to an unknown Russian operator, showing how easy it is to reroute information, whether intentionally or accidentally.
Other systems widely utilized on the Internet, such as the Domain Name System (DNS) and the Public Key Infrastructure (PKI), which underpins much of the encryption utilized on the Internet today, are similarly vulnerable to potential attacks.
So how do CEOs go about improving the digital economy?
The report points out that, first, CEOs can take the lead above ground in Internet governance. Of our C-level respondents, 90% agree that more secure transactions will not only benefit businesses, but also consumers, government and other stakeholders.
It’s in the enlightened self-interest of large businesses to extend themselves to help build a
secure Internet. To do so, CEOs should collaborate with other top executives and also, where possible, with governments and regulators.
The report points out that one venue already dedicated to this goal is the World Economic Forum’s Centre for Cybersecurity.
Launched in 2018, the Centre seeks to bring partners from “business, government, international organizations, academia and civil society to enhance and consolidate international security.”
The report adds that many companies are discovering firsthand that they can’t address Internet security alone. Our survey found companies that have experienced 50% or more of their breaches from indirect attacks—targeted at their organization but initiated through partner organizations are more likely to join or lead efforts to ensure the trustworthiness of the Internet economy.
However, no organization should need a “wake-up call” to join an effort that results in effective guidelines and standards and influences the development of smart regulations. When leaders realize that prioritizing a trustworthy digital economy is a win-win situation, businesses, consumers and governments will all benefit through collaboration.
Be Proactive with Principle-based Standards.
The report points out that CEOs should not wait for another source to produce an ethical guide or related, principle-based standards.
Choosing to proactively propose their own business-relevant, principle-based standards is a more expeditious path. CEO guidance can, in fact, influence regulators to put in place standards that can apply to existing and future technologies instead of myriad detailed rules specific to each new technology development. For example, two-factor authentication to access banking services was already the industry standard in several markets before European regulators required it.
The report adds that, CEOs—especially those of device manufacturers, digital platforms and software and telecommunication providers—are uniquely positioned for this more business-friendly approach and have a responsibility to discuss design security standards for the following:
- Devices to ensure product transparency, the ability to make software updates and successful pre-release testing and basic offline functionalities;
- Data to limit unnecessary data collection or usage,15 anonymize data, enable users to control their data and make it clear to customers that their data is being stored and used responsibly;
- Algorithms to ensure transparency, auditability and fairness;
- Networks to help ensure secure connection to consumers, help them in device configuration and inform them about infrastructure infections; and
- Protocols to provide authentic routing information and reduce domain name hijacking.
Promote Consumer Control of Digital Identities.
The report points out that advocating for individual control of data is more than a good public relations move. Of our C-level respondents, 86% say that their organization’s access to digital identities is important to its ability to offer innovative customer solutions. And 87% of C-level respondents recognize that customers should have the right to decide how to help secure their digital identities.
Maintaining the trust of customers and protecting their digital identities is paramount to the growth of the digital economy. CEOs can’t afford to stay out of above-ground debates that are already starting to take place.
The report adds that regulators are discussing how countries and regions must protect people’s digital identities and users themselves are becoming increasingly concerned about their online privacy. In the United States and Europe, lawmakers have already proposed or enacted regulations over consumer data privacy and Internet security.
The report points out that there are two models of digital identity that CEOs should consider as influential in the discussion. In a centralized system, a single organization establishes and manages the identity system. For example, with Estonia’s e-identity system, citizens are able to provide digital signatures and access a range of services using their ID cards (which have encrypted chips), Mobile-IDs (in which people use a phone) or Smart-IDs (which require only an Internet connection, no SIM card).
The report adds that, as the Estonia example demonstrates, centralized systems can be built with specific purposes in mind to give controlling organizations such as governments the ability to vet identity data.
The alternative model is decentralized and requires the contribution of multiple entities. Its governance is more challenging unless clear rules are in place and identity can be ascertained—for example, by using blockchain technology.
As the World Economic Forum noted in a September 2018 study, whatever model prevails, digital identities are deeply embedded in daily activities, leading to greater complexity and responsibility. One thing is clear: There will be mounting pressure for control over personal identity data to gravitate toward individual users. Educating customers and the general public about how to protect and use personal information shouldn’t be overlooked. Being a champion of privacy and responsible management of digital identity combines sound business and corporate citizenship practices.
Commit to sharing information about cyberattacks.
Help Reduce the Stigma. Of our survey respondents, 85% already keep a careful eye on the latest security issues emerging in the Internet economy.
The report points out that increased transparency will make those efforts more valuable. With the heightened scrutiny on the response to cyberattacks— whether they are far-reaching or not—in the long run, transparency will build trust with everyone from suppliers to customers.
Otherwise, businesses run the risk of encountering “trust incidents,” which the Accenture Strategy Competitive Agility Index shows can have a negative effect on the bottom line. To reduce the stigma from encountering these trust incidents, leaders can commit to sharing information about successful attacks and breaches.
The report adds that when a company is willing to acknowledge an attack, it paves the way for more transparent work with other organizations and experts, improving their ability to resist new attacks and boosting data reliability. Consider this: In 2018, UK-based BT created an online portal, the Malware Information Sharing Platform (MISP), to share information about malicious websites and software with other Internet service providers—a pioneering move for a telecommunications major. It went on to sign a deal with Europol to share knowledge about cyberthreats and attacks.
“This report was a real eye opener for me. The fact that we continue to be so reliant on the internet, yet have very little trust in it, shows that major changes need to be made. CEOs need to step up to the plate,” says GTconsult Co-Founder and CEO Bradley Geldenhuys.