Treasury News Network


4 cybersecurity myths that will help you better protect key corporate data

In an article on how companies should think strategically about cybersecurity – Hit or myth? Understanding the true costs and impact of cybersecurity programs – a group of McKinsey authors ask some key questions about the decisions companies need to make when putting a strategy in place. They ask:

  • which types of threat are most relevant?
  • which data is most at risk?
  • how much should you be spending on protecting critical data?
  • what are the non-technical ways to protect data?

The article also looks at these four common myths executives tend to believe about cybersecurity:

Four common cybersecurity myths

1. All assets in the organization must be protected the same way

In fact, McKinsey's authors say that “not all data is created with equal value”. Some data is far more sensitive and valuable to a cyber criminal than other types of data. The article says: “Companies don’t have endless resources to protect all data at any cost, and yet most deploy one-size-fits-all cybersecurity strategies”. It's important for companies to provide differentiated protection for company assets, with a tiered hierarchy of security measures. Ask yourself if your IT security is protecting data that is already in the public domain, or data that is of no possible use to a criminal organisation.

2. The more we spend, the more secure we will be

Surprisingly, McKinsey found that the amount companies spend on cybersecurity does not necessarily correspond to the level of protection they achieve. This was partially because companies might be spending a lot but not necessarily protecting the right assets. The authors highlight the need for cybersecurity to be an organisation-wide effort involving close collaboration and prioritisation across the different company departments, from sales to IT to finance and customer-facing executives: “Business and cybersecurity leaders instead must come to a shared understanding of costs and impact and develop a clear strategy for funding cybersecurity programs.”

3. External hackers are the only threat to corporate assets

Most corporate treasurers and CFOs (if they read CTMfile often enough) will already be aware of the weakest (human) link in cybersecurity defence and the danger of an insider attack. In fact, 43 per cent of data breaches come from inside the company. McKinsey states: “The very people who are closest to the data or other corporate assets can often be a weak link in a company’s cybersecurity program – particularly when they share passwords or files over unprotected networks, click on malicious hyperlinks sent from unknown email addresses, or otherwise act in ways that open up corporate networks to attack.”

4. The more advanced our technology, the more secure we are

The authors basically argue there's no point in installing the best and latest cyber protection systems and software if employees aren't trained to adhere to certain safety protocols (e.g., to avoid falling for a phishing scam). One obvious measure is to ensure all software is updated regularly, but McKinsey points out that this often doesn't happen: “a patch covering the vulnerabilities that could be exploited by the WannaCry cryptoworm was released March 14, 2017 – some two months before the ransomware worked its way into more than 230,000 computers across more than 150 companies.”
