Cyberattacks are costly, and they appear to be broadening in scope. Until recently, financial companies and governments were the primary targets of cybercrime. No more. The WannaCry and NotPetya ransomware attacks of 2017 affected companies in a wide range of industries. Earlier this year, the discovery of the Meltdown and Spectre vulnerabilities in computer chips showed that cyber risks occur not just in software but in hardware, too. All of these factors point to the reality that a growing range of companies will need to do much more to protect themselves.
In a recent global survey by McKinsey, 75 percent of executives said they consider cybersecurity a top priority. Yet only 16 percent said their companies are well prepared to withstand cyber risks. Merely spending more is unlikely to help. McKinsey research on 45 Fortune 500 companies found a weak relationship between how much they spend on cybersecurity as a proportion of their overall IT spending and how sophisticated their cybersecurity programs are.
What does a robust cybersecurity program look like? Our experience suggests that leading companies are working toward a state of digital resilience, in which they design their business processes and their information-technology systems to protect critical information, to support strong cyberdefenses, and to enable effective plans for responding to cyberattacks. The following seven practices are essential to achieving digital resilience.