CEOs must make cyber security a top priority or their businesses could fall victim to industrial espionage similar to recent cyber attacks on such large companies as Rolls-Royce and Royal Dutch Shell. That's the conclusion the report Cyber Attack: A Risk Management Primer for CEOs and Directors released today by the British-North American Committee (BNAC) and the Atlantic Council of the United States, a U.S. sponsor of the Committee.

The one global Internet, for which the Internet Corporation for Assigned Names and Numbers (ICANN) coordinates addresses, makes possible about $2.8 trillion in global e-commerce annually.

"As enterprise on the Internet has become more sophisticated, so have cyber criminals," said Dr. Paul Twomey, ICANN's President and CEO, and one of the report's main authors. "The message of this report is clear -- senior government figures and leaders of corporations need to make cyber security a personal priority."

The report calls on CEOs and corporate directors to take actions to protect their businesses and organizations from cyber attacks. It identifies information security threats, and most commonly made mistakes in data security and provides recommendations for business and corporate leaders to manage cyber security risks.

"We live in a completely different environment wherein people and businesses are dependent on technology and the Internet and while this helps us run [our] companies better, we need to realize that there are corresponding risks and threats. Cyber security is therefore critical to the success of every enterprise," said Frederick Kempe, Atlantic Council president and CEO and a BNAC member. "It must be an integral part of every CEO and directors thinking and planning."

"This report is a timely reminder to all organizations -- large and small, public and private -- of the need keep up with best data security practices. The risks are very real but help is at hand," said Clive Mather, until recently president and CEO of Shell Canada and a BNAC member.

Among its recommendations, the report urges CEOs and directors to:

  • Establish a comprehensive information security policy, implemented by senior management;
  • Hold a company-wide security audit to expose vulnerabilities and strengths and give a complete picture of an organization's security requirements;
  • Underpin a robust security culture with frequent and rigorous testing; and
  • Prioritize keeping abreast of changes in security technology and best practices, including through participation in relevant international information security organizations.