Leveling Up Your Cybersecurity

Experts—and BCG’s conversational AI agent, GENE—take a close look at creating a new strategy for 2025.

Technology touches everything we, as individuals, do—as well as everything a company does. People, assets, processes, data: each bit is accounted for somewhere on the cloud, in a data center, or on a drive. According to the latest numbers, large companies (with more than 10,000 employees) use around 447 software-as-a-service apps on average, while medium and small businesses estimate that 45 percent of all software they use is stored in the cloud. Each year, we adopt new technologies and accumulate more data. But by and large, we aren’t increasing cybersecurity to match this growth. The result is a massive increase in cyberattacks and data breaches.

In 2023, cybercrime cost companies an estimated $8 trillion globally. The average data breach cost an eye-watering $4.45 million to recover from. That’s a historical all-time high. But by 2027, the worldwide annual cost of cybercrime is expected to increase to a whopping $24 trillion. Calculations currently project cybercrime clocking in as the greatest transfer of economic wealth in history.

As threats increase, businesses of all industries and sizes are at risk. Currently, 46 percent of all cyberattacks worldwide affect businesses with fewer than 1,000 employees, while companies with fewer than 100 employees receive 350 percent more social engineering attacks, like phishing, than large companies.

“Everyone needs a cyber strategy—or, more accurately, cybersecurity needs to be a business strategy,” says Vanessa Lyon, global leader of cyber and digital risk at Boston Consulting Group (BCG). “Cybersecurity is a business problem, not a technology problem. Companies need to take an honest look and ask the hard questions about their risk: Is my client data exposed by myself or others? Are there any current threats? Are we prepared in case we are under attack? How should we recover our business processes? Where is my data? These are questions I'm sure not everyone can answer. And the answers have a direct impact on your business, your ability to operate, and your reputation.”

Lyon and BCG’s conversational AI agent, GENE, share their expert advice on what they think it will take to create a better cybersecurity strategy for 2025 and beyond.

Don’t Be Afraid of Risk

One reason that cybersecurity risks are so high and adoption of cyber strategies is so low is because the extent and types of risk associated with using the technologies currently available to us can be hard to understand, never mind mitigate. Step one is choosing to engage and learn. And that means everyone, not just chief information security officers (CISOs) and IT teams.

“Cyber strategy cannot be left to a small group of people,” emphasizes Lyon. “Often, we don't know who's in that club and what their biases are. It’s the same attitude you see taken toward gen AI and LLMs: We don't need to learn because they know everything. It’s the contrary. We need to understand how technologies work. If you drive a car, you don’t need to be an expert on how the powertrain works, but you need to have your driver's license. Company leadership needs to understand technology and bring tech teams to the table. Employees need to be trained in technology. As consumers, we all need to understand how technology works.”

Knowing everything that your business does with technology is the key to uncovering where any risk lies. As the (accurate) cliché goes: Knowledge is power. And if you don’t have the knowledge, that means someone else (read: bad actors) has the power. During one audit, Lyon and her team were helping the C-suite executives and IT decision-makers of a global shoe manufacturer assess their technology use, identify risks, and connect to build a cyber strategy. What they found was surprising.

At the manufacturer’s largest plant, nearly every step of the process seemed resilient to a cyberattack. Inventory could be taken by pen and paper. Shipments could be manually loaded. The production line could be manned by employees. Invoices could be prepared by hand and mailed out. It seemed that their manufacturing process could be completely replicated manually or be easily recovered should a cyberattack happen. But then they found it. The weak link. The barcode scanner.

If the barcode printer went offline, stickers couldn’t be printed and not a single box of shoes could be distributed. The entire plant could be shut down if the barcode system went offline. Before the leadership and IT teams met for the audit, this wasn’t on anyone’s radar, even though a significant amount of money had been spent already to protect other systems from attack.

“People have these aha moments thanks to the dialogue of teams coming together,” says Lyon.

This ability to identify risks and then mitigate them accordingly can drastically cut down costs associated with residual risk after a cyberattack or data breach. It takes a company an average of 204 days to discover a breach, and up to 73 days to contain it. Time matters here. Companies that discover and contain data breaches in fewer than 200 days save more than $1 million on their bottom line when recovering. The long-tail costs of attacks and breaches can last years, with only 67 percent of the total cost of the recovery occurring in the first year.

Collaboration Is Key

Assuming more responsibility in understanding how the tech we interact with daily works is the foundation of strategies maturing and adapting to the ever-evolving challenges of cyber safety. It can also aid in a key issue cybersecurity is facing right now: increasing demand and a dwindling workforce. One study found that almost a quarter of CISOs and IT security decision-makers are considering leaving their roles, with 93 percent reporting overwhelming stress as the biggest issue. Trying to combat sophisticated cyber threats, such as AI-powered attacks, with limited budgets and fewer resources is a recipe for burnout, and the pressure security teams are feeling emphasizes the need for companies as a whole to work collaboratively on cyber strategy.

No matter how you parse it, cybersecurity ultimately relies on individual accountability and company-wide coordination. You must see the trees for the forest, and bring a big-picture perspective to a strategy before the details become clear. That requires tech, business, and risk teams to collaborate. And, as stated before, to not be afraid to identify risk.

“There is this virtuous circle: The more you are going to think about your risk, the more you are going to think about your resilience,” says Lyon. “The more you will be able to identify protection and solutions, and the more you understand how you can better allocate your resources for mitigation. You have a two-way street so you are better equipped. I'm not saying your future is going to be risk-free, but you are going to be better equipped.”