According to Forbes, cybercrime costs are projected to reach $2 trillion by 2019. Global investors lose billions of dollars to cyberattacks, as per CNBC’s coverage.

For example, The Guardian reported that massive cyberattacks could cost the maker of Nurofen and Durex $100 million. Fortune Magazine also reports that cyberattacks cost companies $400 billion every year. Cyberattacks cost companies 20 percent of their revenues in 2016, according to economictimes.indiatimes.com. Statistically, these figures might sound theoretical, but someone is directly feeling the heat. The shareholders remain the direct beneficiaries of the traded organization’s prosperity, but they are also the first victims of its woes. It’s high time investors paid attention to the warning signs and stepped up their efforts to ensure companies adopt comprehensive cybersecurity programs and deployments.

Despite the flurry of global cyberattacks and incessant security incidents targeting organizations of various capacities in revenue, workforce, and international presence, some global firms continue to act in denial of the crushing impact of cyberattacks. Unfortunately, those that wait or hesitate are doing so at their peril. Hackers are working around the clock trying to figure out how to crack your password, get inside your demilitarized zone, and tear apart your firewall, all while many companies spend months or years without a cogent decision on their cybersecurity program. This leaves them, and their shareholders, at the mercy of hackers. Why are companies hesitating to invest in comprehensive cybersecurity programs that ensure a defence-in-depth of infrastructure, protecting the “lifeline” of their enterprise?

Organizations globally are facing difficulty in protecting their critical infrastructure and in dealing with the complexity of unknown or anonymous perpetrators. Organizations must deal with two “demons” of our time — innovation and technology. I discussed this in my article Security in the World of Wiki-Leaks. The advancements are beneficial to the world, but they also create potential security gaps and vulnerabilities. Therefore, the onus is strictly on security-conscious organizations to prevent, detect, and correct vulnerabilities that might be exploited by threat agents.

Just recently, Bell Canada asked all its subscribers to reset their passwords because of a cyberattack targeting its customers. Nothing was said about the cost to all stakeholders. While we may not know the absolute costs of such cyberattacks, it’s safe to guess that the damage can be severe. The impact of Bell Canada’s security incident is not unique; LinkedIn, Visa, MasterCard, Proton, Google, Facebook, Yahoo, Trump Tower, government agencies, and many others have been hit by cyberattacks.

Traditionally, investment decisions were made by measuring an organization’s sustainability and investment viability relative to its profitability (bottom line), but nowadays, in addition to the organization’s prosperity, investors must also consider the state of a company’s cybersecurity and its exposure to threats and hacking. For due diligence and investment protection, here are ten questions to consider when evaluating the extent of an organization’s vulnerability to cyberattacks.

  • Does the organization have a comprehensive cybersecurity program?
  • Are all IT-related applications and systems up to date?
  • Does the organization have resources dedicated to IT/IS security?
  • Has the organization aligned its cybersecurity policies with the overall corporate business objectives?
  • Has the organization invested in security in proportion to its risk exposure and tolerance?
  • Is there any record of recent cybersecurity attacks? What was the response by the management?
  • Does the organization have a comprehensive cybersecurity policy?
  • When was the last audit of cybersecurity compliance carried out, and what were the findings?
  • Have the executives and senior management prioritized the cybersecurity program, as evidenced by sufficient funding and organizational structure?
  • Is there an executive position for the security leader?

First, depending on the size of your investment, consider hiring the services of a cybersecurity expert to investigate past cybersecurity attacks, or to determine the possibility of imminent cyberattacks, threats, or vulnerabilities that might jeopardize your investment. Second, equip yourself with at least basic knowledge of cybersecurity. Third, understand the investment the company is making, or has made, in a comprehensive cybersecurity program and its deployment. Fourth, make time to attend cybersecurity conferences where new threats, global best practices, and solutions are discussed. Finally, remember, your due diligence can never be over-ambitious when your money is at stake.