Cyberthreats are no longer exceptional events but a normal part of doing business. In 2024 alone, hackers disrupted political campaigns, held health care data for ransom, and stole personal information from hundreds of millions of customers.
Despite the rising frequency and sophistication of incursions, we haven’t yet seen the “big one” — a cyber Pearl Harbor. The U.S. power grid still stands. No cyberattack has triggered an economic meltdown. And the 2017 assault on A.P. Moller-Maersk, which crippled global shipping and shut down the Port of Los Angeles, was only a glimpse of possible destruction.
But the absence of such a catastrophic event doesn’t mean it won’t happen or that your organization is safe.
Today, leaders face a dual challenge: strengthening defenses against everyday threats while preparing for a potentially devastating attack. Large corporations grab headlines after breaches, but small and medium-sized enterprises (SMEs) face greater vulnerability. Cybercriminals increasingly target SMEs with staggering costs. Roughly 60% of small businesses fail within six months of an attack.
To address this imperative, our research group, Cybersecurity at MIT Sloan, has identified and is working on five critical priorities that demand your attention:
Cybersecurity risk management
The first step of risk management involves measuring your organization’s cyber risk both quantitatively and qualitatively. Evaluate its cybersecurity posture by assessing its vulnerabilities, attack frequency, and the potential impact of breaches. You can’t manage what you can’t measure.
Consider, too, how your organization handles this risk, whether passively or dynamically. These insights can help determine which mechanisms, like catastrophic bonds or cyber insurance, will best transfer and mitigate your organization’s cyber risk.
Because SMEs have limited resources, they are attractive targets for cybercriminals. All leaders should therefore closely monitor their supply chains, evaluate the entities they depend on, and ask, “Will we remain operational if they’re attacked? How will their challenges affect us?” Remember, their infrastructure is part of your ecosystem.
Operational technology
“Operational technology” refers to computers that control physical systems, such as power grids and water treatment facilities, and managing OT cybersecurity requires a systems approach. With physical objects increasingly interconnected, you need to fortify your OT environment while staying alert to safety risks.
To illustrate, consider that the everyday smart devices in your home — your smart toothbrush and TV — are vulnerable to hackers. One real-world example involved an internet-connected refrigerator meant to monitor food and temperature that was hijacked to distribute inappropriate content over the internet. This wasn’t a sophisticated intrusion; it was the result of basic security oversights.
The lesson is clear: If your organization focuses on optimizing individual components of physical systems without considering the overall landscape, things fall through the cracks. Vulnerabilities can become life-threatening when infrastructure like water systems, electrical grids, or hospitals is involved.
Cybersecurity governance
Your company’s board of directors is responsible for providing guidance and oversight on cybersecurity risk, yet its members are often underprepared. Training helps, but bringing in cyber experts may be more effective. Proposed Securities and Exchange Commission rules requiring “periodic disclosures of the board of directors’ cybersecurity expertise” make this more pertinent.
Governance should extend beyond the boardroom as well. The insurer Liberty Mutual, for instance, employs a “cybersecurity evangelist” to embed cybersecurity practices into daily operations. Meanwhile, the CEO of C6 Bank in Brazil begins weekly all-hands meetings by sharing a cybersecurity story or inviting an expert to speak. This approach signals to everyone in the company that cybersecurity matters.
Cybersecurity resilience
Protecting against cyber breaches is vital, but achieving 100% security isn’t realistic — especially as artificial intelligence introduces risks like deepfakes and manipulated data. The solution? Leaders must shift their mindset from prevention to resilience.
This mindset involves asking “What if?” and “What’s our plan B?” It’s about protection and creating mechanisms to minimize data loss, financial impact, and reputational damage from potential cyberattacks. This requires thorough planning, efficient processes, and regular testing through tabletop exercises. You’ll never face the exact situation you prepared for, so building response skills is key.
Another component of resilience is having a crisis communications plan. While continuity plans often exist for scenarios like hurricanes and other disruptions, cyber crises are different. The information flows you’d normally rely on to alert stakeholders may be compromised. For instance, if ransomware blocks your email, how will you reach your ecosystem?
Cybersecurity culture
Cybersecurity must be a shared responsibility across the organization, with everyone — from entry-level employees to members of the C-suite — playing a role in keeping the company secure.
The goal is to build values, attitudes, and beliefs — which we define as culture — that drive cybersecure behaviors. This goes beyond training or making employees sit through those educational videos once a year. Leaders can change behaviors through storytelling (see above) or incentives. Some companies we have studied reward employees for cybersecurity best practices with swag, badges, and gifts. And managers use team dashboards to create friendly competitions that promote cybersecure attitudes and behaviors.
The point is that all employees can improve their organization’s cybersecurity. Investing in more protection alone is insufficient. It’s a team sport today, and everyone must contribute.
is a professor of information technology and founding director of Cybersecurity at MIT Sloan. Former CAMS executive director is a principal research scientist and a senior lecturer at MIT Sloan. is the director of CAMS and a principal research scientist at MIT Sloan.