The growing threat of cyber attacks has captured the attention of governments and boardrooms worldwide.
They have a shared interest in tackling the myriad established and nascent online threats. These range from espionage – the theft of intellectual property through spyware – to sabotage, through the import of malware to their systems.
Cyber security – protecting computers, data, networks and programmes against unauthorised access or attack – is a growing financial investment for companies.
Why does cyber security matter to business?
Vulnerability to cyber attack exposes companies to material and intangible losses. Sandor Boyson, a professor of supply chain management at the University of Maryland’s Smith School of Business, cites estimates that US companies lose intellectual property worth hundreds of billions of dollars to cyber crime each year.
“Private companies have become more aware of their vulnerability [and] realise that they cannot just wait for government to act,” says Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University.
There is also the matter of corporate governance. David Upton, professor of operations management at the University of Oxford’s Saïd Business School, says corporate boards must be held to account by shareholders for cyber-related losses.
How are businesses vulnerable to attack?
For Eric Johnson, associate dean at Dartmouth College’s Tuck School of Business, a concern for companies is “spear phishing” – sophisticated attacks that target one individual and are directed from a trusted source. Attacks are only successful, however, when victims take the bait.
Companies’ IT procurement should also be subject to greater scrutiny, Prof Boyson argues. “In some companies, there is literally no governance of risk in their [IT] supply chain.”
Threats to companies can be internal, as well as external. Though insider breaches are grossly underreported by companies, Prof Upton says, the threat level posed by knowledgeable insiders is “huge”.
Why are business schools engaging?
Ingraining the importance of cyber security in business leaders is considered a priority at a number of institutions. “Business schools, in my view, have a responsibility to teach cyber security to their students to protect companies,” says Prof Upton.
Although technical fixes can be developed and deployed easily, the weak link is often the individuals involved, according to Terry August, professor of innovation at the Rady School of Management, University of California, San Diego. “For most attacks, patches are available … how do we therefore incentivise people and companies to deploy them?”
What are business schools doing?
An increasing number are collaborating with fellow university departments on cyber security programmes and research.
The Smith school has teamed up with Maryland’s engineering and public policy schools to launch a part-time graduate certificate in cyber security leadership. George Washington University School of Business has collaborated with peers at GWU to deliver a specialised cyber security track on one of its MBA programmes.
The University of Oxford Cyber Security Centre unites academics from across the institution, including Prof Upton. His research on corporate insider threat detection involves collaboration with psychologists and criminologists.
Business schools are an integral part of collaboration in this field, Prof Upton argues. “It is business, after all, that ultimately has to implement cybersecurity measures.”