Preparing for the Coming Crisis in Cybersecurity

“The cat 5 hurricane has been forecast, and we must prepare.” This was not a warning from the National Hurricane Center, but from Department of Homeland Security Secretary Kirstjen Nielsen, who was talking about the “urgent crisis in cyberspace” at a summit in New York earlier in the year.

Just as climate change is creating more unpredictable weather events, the rise of digital transformation among companies is heightening their exposure to cyber attacks. Worse yet, our in-depth analysis of companies around the world and across industries reveals that many are not properly prepared.

For example, about 9 out of 10 companies said that untrained staff posed the greatest cybersecurity threat to their business, higher than cyber criminals, social engineers, or hacktivists. Yet only 17% have made significant progress on training staff and partners in cybersecurity awareness.

Well over half the companies that we surveyed (57%) say that their top IT vulnerability is data sharing with suppliers, and they expect their third-party risks to skyrocket. Indeed, firms anticipate attacks through partners, vendors, and customers to grow by 247% over the next two years and attacks through supply chains to leap 146% over that same time period. But only around 30% of companies now use the latest third-party information security practices and related technologies.

Another major concern is that most companies are still in the early stages of cybersecurity maturity. As part of our research, we measured this maturity by having companies rate their progress in identifying cyber risks, detecting and protecting against intrusions and attacks, and responding to and recovering from these attacks. Based on our findings, 31% of companies are in the beginning stage, 49% in an intermediate stage, and only 20% are advanced. The percentages are even more disconcerting for small companies: 53% are still in the beginning stages. Given that small companies are often important links in supply chains, their lack of cybersecurity exposes not only them to greater risks, but also their corporate and government trading partners.

Despite better monitoring methods and metrics, most companies are still in the dark about the real costs of cyber attacks and the return they are getting on their cybersecurity investments. One reason is the difficulty of measuring indirect costs—such as productivity losses, business discontinuity, reputational damage, and opportunity costs—which can seriously hurt bottom lines. Another reason is the failure to account for the upside from better cybersecurity, which can include improving productivity (cited by 35% of companies), profitability (22%), corporate reputations (18%), competitive positioning (16.2%), and customer engagement (11%).

With cyber risks slated to multiply as digital innovation accelerates, companies need to do a better job of measuring the impact of their cybersecurity efforts so they can understand where best to make their investments. To truly drive the digital future, they must secure it first.

For more information, visit our page outlining The Cybersecurity Imperative.


ESI ThoughtLab is the thought leadership arm of Econsult Solutions, Inc. ESI ThoughtLab provides fresh ideas and evidence-based analysis to help business and government leaders cope with transformative change. We specialize in analyzing the impact of technological, economic, and demographic shifts on industries, cities, and companies.


Lou Celi is Founder and CEO of ESI ThoughtLab. During his more than 35 years of research, marketing and publishing work, Mr. Celi has helped top organizations build their businesses by engaging corporate and government decision makers. Prior to setting up ESI ThoughtLab, Lou was board director and president of Oxford Economics, where he built the firm’s successful business in the Americas and set up its global thought leadership practice.