YOU DECIDE TO STEP OUT FOR LUNCH with faculty colleagues. You coordinate plans via your Verizon cell phone after first using Windows 10 on your laptop to look up your LinkedIn contacts. You debate going to Wendy’s, but decide to try Noodles & Company instead. You stop for cash at the ATM, then settle in at the restaurant to enjoy a steaming bowl of pad thai. You are probably unaware that each company and network you accessed during your outing was a victim of a major data breach announced during one two-week period in 2016.
Almost every day seems to include a news story about a data leak that impacts thousands—sometimes millions—of companies and consumers. Your one lunch excursion could set you up for identity theft for months or years to come. You feel less anxious about the threat because you know that corporations typically offer free credit monitoring to customers whose data is breached, and you know that the big-three credit bureaus would have your account on a security alert. That is, until you realize that Equifax, one of those credit bureaus, also reported a major leak in the same two-week timeframe. Another of the three, Experian, had a breach the year before.
Many people believe identity theft is limited to a small number of unlucky consumers. But 15 million people had their Social Security numbers stolen from Experian, and 40 million Target customers saw their credit information sold on the black market. These days almost any issue of The Wall Street Journal or Bloomberg Businessweek highlights a security breach and the havoc it has wreaked on a company, nonprofit, or government agency. Antivirus company McAfee estimates that 0.6 percent of the U.S. GDP is attributable to cybercrime alone, and America is nowhere close to being the global leader in this nefarious and burgeoning industry.
No sector is immune to cyber threats. The fallout for a company may include plunging stock prices, distrust of top managers, and news stories about how corporate carelessness led to elderly grandmothers losing all their savings. More repercussions can follow if stakeholders and the media start asking questions about operational data integrity, imperfect cybersecurity, and other vulnerabilities.
And, yet, even though cybersecurity is a growing concern to businesses, it still is not a mainstream subject at business schools. We argue there are three reasons business schools should care about cybersecurity. First, business students themselves may be the targets of cybercrime even before they attend freshman orientation. A study from Carnegie Mellon revealed that roughly 10 percent of children are victims of cybercrime, and that children are 51 times more likely than adults to be victimized.
Second, the exponential growth of hardware and software technology has combined with a seemingly unquenchable demand for mind-boggling amounts of data, and virtually every discipline in the business school is racing to incorporate big data into its curriculum. A great deal of data is being captured even though we have no current use for it—but storing it comes with increased risk of exposure to cybercrime.
Third and most important, cybercrime might be one of the greatest threats to economic stability around the world. Even so, most company leaders do not seem as worried as they should be. In 2015, the Ponemon Institute, a consultancy firm that focuses on privacy and security, conducted a global impact study that compared the financial risks for tangible and intangible assets. Of the companies in the study, 37 percent had experienced a data security breach in the previous 24 months, with an average total impact of US$2.1 million. Yet only half the firms indicated they became more concerned about cyber liability.
Along the same lines, a 2016 study by accounting firm PwC found that only 37 percent of firms have created a cyber incident response plan and fewer than 50 percent of board members request information about their firm’s cyberreadiness.
PwC also compiled a list of the most common economic crimes, and these included asset misappropriation, bribery and corruption, procurement fraud, and accounting fraud. But cybercrime is now No. 2 on PwC’s list of the most-reported economic crimes, and all indications are that its cost will increase in coming years.
Technology has been incorporated into a vast new array of products and services, yet companies do not realize how vulnerable they are to cyber threats. Hackers have taken over a talking Barbie doll, a Wi-Fi enabled sniper rifle, and the transmission and braking systems of a 2014 Jeep Cherokee.
It is inevitable that, in the future, more and more products and services that have never before utilized network technology will begin to do so. Who will be overseeing the development, financing, production, marketing, accounting, and risk management of these products? Our business school graduates. They must be prepared to protect their own financial security, as well as everything they are responsible for in their careers—the products they work on, the cyber assets of their employers, and the information security of their customers.
Just as we have integrated sustainability, ethics, and global responsibility into our curricula, we now must incorporate cybersecurity. Business students do not need to become IT specialists who know how to program computer chips. But they must understand that whether they work in a one-person startup, a regional nonprofit, or a multinational conglomerate, their organization relies on technology, data, and connectivity. And it is vulnerable to cyber threats.
THE ROLE OF B-SCHOOLS
To gain a working knowledge of the risks posed by today’s ubiquitous technology, business students must become “cyber savvy.” They must understand the pervasive nature of cyber threats; the wide variety of potential attacks; the financial and operational impact of cyber breaches; the basic practices to employ to achieve cybersecurity, both personally and professionally; and the costs and benefits that come with providing robust security—or choosing not to.
Cybersecurity is important enough that it was recognized in AACSB International’s 2013 Accounting Standards. In particular, standard A7 calls for schools to develop skills that integrate technology into accounting and business, specifically through creating, sharing, analyzing, mining, reporting, and storing data. Each of these areas implicitly includes a significant cybersecurity component to ensure accuracy, privacy, and value of the outcomes. The standard was established for accounting programs, but it serves as an important guide for all business programs.
While each business school faces pressure to add topics to an already packed curriculum, cybersecurity is too important to ignore. Here are ways to include it in business programs:
Commit to the importance of cybersecurity. Two important steps are to incorporate cybersecurity into the mission and to appoint a champion.
Examine the core. The standard business core usually includes a computer competency class, which might cover a suite of office software and include a broad overview of information systems. At least one-third of this class could be redirected toward teaching critical and practical IT security concepts.
Embed relevant cases directly from today’s news. A major technology breach makes the news on at least a weekly basis. These news items will provide ample fodder for real-time discussions about the impact of cyberattacks.
Collaborate with colleagues across all disciplines. For instance, consider creating a class offered jointly by the MIS and accounting departments. Use it to explore the critical importance of data integrity, how it might be violated, what the resulting impact might be, and how to defend against threats.
Team with career services and recruiters. Corporations are aware of the importance of IT security and will embrace better-informed graduates entering the workforce. Consider beefing up cybersecurity efforts by finding private funding to support development, scholarships, and faculty training.
In addition to incorporating cybersecurity into the curriculum, schools can heighten awareness of the importance of cybersecurity if they take these actions:
Train the trainers. Make sure faculty understand the perils implicit in sharing passwords, overusing social media, and underestimating the vulnerability of technology.
Model good cyberbehavior. Do not ask students to share registration passwords with advisors just to make the process go more quickly. Do not give administrative assistants your system user credentials so they can process your travel requests. Overtly demonstrate the importance and benefits of following best practices in cybersecurity.
Encourage a cybersecurity mindset. Today’s students share some of their most private moments in publicly accessible places. Universities pride themselves on being bastions of freedom that provide unfettered online access. Make sure students and faculty understand the risks of these attitudes. A recent survey commissioned by Experian showed that 60 percent of companies with a data protection and privacy program believed their employees were not knowledgeable about security risks, and only 35 percent of responding employees believed that data security was a priority of senior management.
If business schools can help their students understand the importance of cybersecurity while they are on campus, graduates will be much more realistic about cyber threats when they are in the workplace.
NOT OVER YET
No matter how well they are prepared for cyberattacks, business graduates will inevitably find themselves dealing with security issues. They will quickly discover that identifying the breach is only the first step. As executives, they must be prepared for a great deal of scrutiny as investigators from a number of regulatory agencies knock on their doors to ask, “Why did this happen and who is responsible?” In the U.S., these agencies include the FTC, the SEC, the Department of Health and Human Services, the Department of Defense, and the Secret Service—all of which, one way or the other, are charged with defending the security and privacy of American citizens. Other regulatory agencies will be involved when data breaches occur in other countries.
Additional stakeholders could come forward if there is a hack. These include investors and customers who might bring civil claims against a company, claiming fraud or abuse resulting from a failure to properly manage information systems. The media also will be quick to get involved, especially if the breach is big and reporters see the incident as a major news story. Business schools must prepare students not only for the breach, but for what comes afterward.
Like many other subjects taught in business school, cybersecurity is very much a bottom-line issue. It is concerned with managing costs, benefits, risks, public image, intellectual property value, customer relations, and equity. We must make sure students understand the consequences of incorporating technology into their products, services, and processes. The notion of cybersecurity must be integrated so thoroughly into our curricula that students practice it automatically in every aspect of their personal and professional lives.