Why cybersecurity should be on the ESG agenda

In a digital-first world, businesses, governments, and society depend on the availability, reliability, and functionality of technology. In the cyber ecosystem, organisations have a duty to ensure that their networks and resources are protected and used for good, not malicious, purposes. This is why cybersecurity should be part of an organisation’s ESG posture.

In a recent conversation among IT professionals, the classic question was posed: “What is keeping you awake at night?” The conventional answer is “security” but, on this occasion, someone interjected: “No, it’s not security. It’s ESG”.  

They were referring to the pressure coming from the executive and board level to reduce the environmental impact of the IT estate and infrastructure. Energy consumption, carbon emissions, and raw materials in hardware are all factors under consideration as businesses aim to pare back their environmental burden. While these are undeniably important, there is also a strong argument that cybersecurity should be seen as an ESG issue. The considerable impact that cyber attacks, network intrusion, and data breaches can have across each of the three pillars means cybersecurity should be viewed through an ESG lens as well as an operational one.

Environmental effects of cyber attacks 

The attributable environmental impact of a cyber attack depends on its type.  

Increasingly, malicious actors are targeting operational technology related to manufacturing plants and civil engineering sites. If a manufacturing facility or public utility loses access to its waste management or mechanical control systems (as was attempted in the Iranian-led 2013 Bowman Avenue Dam breach), considerable environmental damage could result from the deliberate release of waste or water. This is a growing risk as smart buildings and the Industrial Internet of Things (IIoT) become increasingly commonplace. Poor cybersecurity around these technological innovations poses an environmental and social threat as well as an operational one.

On a less immediately damaging, but still notable, scale, cybersecurity weaknesses can lead to an organisation’s endpoints and/or servers being recruited for illicit purposes. Cryptojacking is a common problem, with an estimated 5.1 million cryptojacking hacks in the first half of 2021 alone. It sees an organisation’s computing power siphoned off to conduct crypto-mining at no cost to the perpetrator, but at significant cost to the victim. A recent court case saw an ex-AWS employee convicted of planting crypto-mining software in various corporate environments, including Capital One, after developing a tool that discovered misconfigured accounts that were vulnerable to intrusion. When devices are infected with crypto-mining software, energy consumption increases, raising the device owner’s carbon footprint, and device performance is compromised, reducing productivity.

Mining cryptocurrency, whether illicit or not, is an environmentally damaging activity because of the massive power consumption involved. A report in Business Insider noted that University of Cambridge researchers estimate that Bitcoin uses 132.48 terawatt hours annually, which is more than the annual energy consumption of Norway.

Apart from the energy aspect, by unwittingly enabling crypto-mining, the organisation is channelling cryptocurrency towards someone willing to hack its systems to obtain it, meaning the funds are unlikely to be used for altruistic purposes.

Social impacts – from data theft to enabling nation-state activity 

The rise of home and hybrid working has considerably increased the attack surface for malicious actors aiming to infiltrate companies and steal data. Employees are now accessing the organisation across home and public networks, often using personal devices outside corporate control. If the business fails to implement tools to protect data in the distributed environment, the risk of a successful attack increases. Once threat actors have breached defences, they can extract valuable data and IP to offer for sale to the highest bidder.  

On top of the direct threat of theft, the business can also find itself an unwitting participant in attacks on its partners and suppliers. The technique of “island hopping” sees adversaries scanning a target’s network of partners and suppliers to identify security weaknesses. After infiltrating the weakest link, the threat actor hunts for trusted connections between the two organisations that it can use to gain access to its target. This can be as simple as hacking the email account of a supplier organisation and launching a phishing campaign. It can also be more complex: the devastating NotPetya malware was originally seeded onto the server of an accountancy software firm in Ukraine, from where it spread worldwide.

Insufficiently secured endpoints may also be recruited into botnets, which are used to conduct distributed denial of service (DDoS) attacks that cause disruption and, potentially, destruction to businesses, public sector organisations, and even governments. On the first day of the Russian invasion of Ukraine, Ukrainian government communication systems were targeted by a massive DDoS attack aimed at crippling them. By failing to protect endpoints effectively, your organisation could find itself an unwilling accessory to devastating attacks with severe consequences.

In terms of real-world social consequences, few are more immediate than when an organisation suffers a ransomware attack. The frequency of such attacks has grown exponentially over the past two years and they have led to serious consequences: there have been several cases where attacks on hospitals have been cited in connection with the deaths of patients.

Faced with an attack, many organisations feel they have no alternative but to pay the ransom, thereby putting money into the coffers of cybercriminals (usually in the form of cryptocurrency, which, as we’ve seen, has a huge environmental impact). This in turn encourages more attacks, especially on those organisations that don’t act to improve their cyber defences.

The US government is attempting to stem the flow of cash to criminals. In 2020 the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) announced that it is illegal to pay ransoms in most cases. Their rationale is that monies paid may be used to fund anti-US terror activities, that payment doesn’t guarantee the return of data, and that payment acts as an incentive for further attacks.

However, this doesn’t always translate to reality, especially when the stakes are high. The Colonial Pipeline ransomware attack in May 2021 saw CEO Joseph Blount authorise a payment of $4.4 million in Bitcoin to restart operations at the major fuel provider. When news of the pipeline’s shutdown broke, the result was widespread fuel shortages driven partly by consumer panic-buying. This illustrates the social impact cybersecurity weaknesses can have.

Governance – boosting board cybersecurity and oversight as part of ESG 

Data governance is a critical element of governance responsibilities; information about customers, partners, and trade secrets is among the most valuable a business owns. It is also a significant source of risk because it is relentlessly targeted by cyber criminals. A data breach, whether malicious or unintentional, can lead to loss of trust, reputational damage, and the legal and financial consequences of breaching data privacy regulations. Loss of customers’ personal data can also cause considerable distress as a result of identity theft.

As well as being responsible for oversight of compliance with privacy-related regulations such as GDPR and CCPA, boards and governance teams are also likely to find themselves the direct target of cyber attacks because of the privileged nature of the information they share. Phishing attempts, business email compromise, and network intrusion targeting board materials are all commonly faced threats that put the onus on organisations to prioritise board security.

This means ensuring directors, executives, and governance teams are supported with technology that enables collaboration without compromising cybersecurity. Diligent’s board and leadership collaboration software provides a fully secure, central location for the preparation, sharing, and management of board materials. It is supported by a secure communications channel that is protected from the inherent weaknesses of email and other communications platforms, reducing the potential for inadvertent data loss or malicious theft attempts.

Building cybersecurity into ESG programmes, and more… 

Cybersecurity touches all elements of ESG, while also being a critical aspect of risk and compliance positioning. As such, it should be incorporated into a unified approach to gaining visibility over all aspects of ESG, risk, and compliance, with the facility for key information to be rapidly escalated to board level.

In recognition of the need for boards to have visibility across all these areas, Diligent has expanded its suite of board collaboration, risk, compliance, and ESG solutions to enable seamless, connected, and secure oversight. This empowers boards to lead with purpose, vision and confidence. 
