For many organisations around the world, it increasingly feels like it's a case of when they fall victim to a cyberattack, not if they're targeted in a campaign by hackers.
These incidents are judged to be such an inevitability, that the World Economic Forum lists cyberattacks as one of the biggest issues facing the world as a whole.
Time and time again, cyberattacks have demonstrated the massive amounts of damage that can be done by hackers. This ranges from from ransomware attacks shutting down networks across the globe, to coordinated, stealthy malware campaigns that have caused huge data breaches and at some of the world's biggest companies.
Because of incidents like these, cybersecurity has become a board level issue – for most, if not all organisations, even if planning for some remains poor.
But while executives can talk about what might happen should they fall victim to attack, David Chinn, senior partner, at global consultancy firm McKinsey & Co, says it's not really possible to know how it feels to be a target of a major cyber-criminal campaign unless you've had the misfortune of experiencing it first hand.
"I was chatting to someone last week who's the board member of a manufacturing company that lost several weeks of production in a ransomware attack," he said, speaking at LORCA Live 2019, a cybersecurity conference at the Here East technology campus in East London.
"He said 'we talked about cyber, we did it a lot – we had what we thought were good conversations, but we just couldn't get it. We had no idea what we were talking about'."
He likened the scenario to attempting to talk about military strategy when your only experience of combat is via watching films.
"You can watch as many movies as you want, but you just don't get it until you've been through it," he said.
One potential answer, Chinn argued, is to seek out an executive who has previously been through a cyberattack and knows what it's like.
"Sometimes you talk to people and they say that person's tainted because they lost. Well actually, that person gets it," he said.
"They may be very helpful in making sure that a board is having the right conversation. It's about who you've got on your board and how you talk about these risks."
Margarete McGrath, chief digital officer at Dell EMC, agreed that hiring a board member who has experienced a cyberattack can help improve planning and risk management.
"It's great to hear the board talking about this, seeing and understanding that those who have the scars of being through a cyberthreat are the ones to actually to embrace and bring on because they've got those learnings," she said.
However, if it isn't possible to hire someone who has been through it, there are ways of attempting to protect your organisation, such as asking the right questions to find out where risk lies.
READ MORE ON CYBER SECURITY
- Two cybersecurity myths you need to forget right now, if you want to stop the hackers
- 7 tips for CXOs to combat cybersecurity risks in 2019 and beyond TechRepublic
- How learning from hackers can protect us from cyber attacks
- Data breaches can sucker-punch you. Prepare to fight back CNET
- Cyber security: Your boss doesn't care and that's not OK anymore