
ESG in the cyberspace era

  • 15 Dec 17
  • Cindy Rose, Head of Responsible Investing, Aberdeen Standard Investments

A lot can happen in the cyber-universe.

In 1999, 15-year-old Jonathan James stole $1.7 million worth of software belonging to the National Aeronautics and Aerospace Administration (NASA) that supported the International Space Station.

Shortly after, in 2000, another 15-year-old informally known as MafiaBoy hampered a number of major commercial websites such as eBay, CNN and Amazon by launching a Distributed Denial of Service (DDoS) attack, which renders an online service unavailable by overwhelming it with traffic. The cyberattack cost about $1.2 billion in damage.

Nearly two decades later, cybersecurity remains a significant threat to companies. It’s also a costly risk. Cybercrime currently costs the global economy about $3 trillion, according to Microsoft. Investors are aware of this, and understanding a company’s cybersecurity protocols and policies is an increasingly important part of environmental, social and governance (ESG) considerations.


Digital evolution seems to be an unstoppable force these days. Business transactions, information storage and data gathering are likely to become more digital. While it has helped companies of all sizes improve the way they do business and connect with customers, it has also made companies more vulnerable to cyberattacks and cybercrime. About 54% of organizations surveyed by the Enterprise Strategy Group in December 2016 said their firms have experienced at least one type of security incident.

Despite the widespread need for cybersecurity, companies generally don’t appear to be fully prepared to handle this growing need. This is particularly true for smaller companies. About 73% of small businesses don’t even have a separate information security function, according to Netwrix’s 2017 IT Risks Report. About 88% of small businesses don’t use any software for information security governance or risk management. Only a quarter of small businesses actually feel “well prepared” for a cyberattack on their company.

In the UK, overall statistics are not much better. One in five UK organizations don’t prepare or drill for cyberattacks, making them a target for cybercriminals, according to a study from PricewaterhouseCoopers. Nor are the statistics looking bright for Asia. Hackers are 80% more likely to attack organizations in Asia, but Asian organizations take 1.7 times longer than the global median to discover a breach, according to a report by Oliver Wyman.


There are several reasons why global companies don’t yet have the cybersecurity features they need. One is a lack of budget for cybersecurity spend. Another is unavailable talent. About 69% of respondents in the Enterprise Strategy Group survey said a global cybersecurity skills shortage has impacted their organization. But it could be a while before companies get the budget or the people they need. So what should companies do now?

One of the major reasons why companies remain underprepared for cybersecurity is insufficient staff training, both for existing cybersecurity professionals and non-cybersecurity employees. When asked if their current companies provide the cybersecurity team with the right level of training to keep up with business and information technology (IT) risks, more than half (56%) of cybersecurity professionals said no, according to Enterprise Strategy Group. This was noted as a red flag because inadequate continuous training fails to give the cybersecurity team what it needs to protect against cybercriminals.

Getting smarter

However, a cybersecurity team, if one exists at a company, is just one part of an entire firm. All employees at a company should play a vital role in preventing cyberattacks or cybercrime, and much of that knowledge is something that a company can provide without having to wait for additional budget or cybersecurity talent. This is all part of good governance.

Many of the most common types of cyberattacks can happen to any employee. Some forms of cyberattacks on computers include computer viruses, worms, Trojan horses, dishonest spyware and malicious rootkits. Viruses can corrupt, steal or delete data on a computer. Worms replicate fast and in great volume, and can spread to computers and systems around the world in little time. A Trojan horse, once inside a system, can do anything from recording passwords to hijacking webcams.

Cyberattacks can also be made on network systems. Two common ones include eavesdropping, which allows an attacker who has gained access to data paths in a network to listen in or read the traffic; and data modification, which allows an attacker to alter data.

And these can all be spread by something as simple as clicking on a malicious link from an email.

Cybercriminals often use different methods to lure staff into accidentally giving away confidential personal or business information. By providing employees with adequate knowledge on how to spot untrustworthy emails and phone calls, for example, companies can prevent themselves from further cyberattacks.

Decoding the message

Although companies are generally aware of these concerns and are trying to improve cybersecurity, investors have faced challenges when engaging businesses on this topic. It’s a tricky subject because companies tend to know what investors want to hear.

It’s vital to ask specific questions about cybersecurity. For that reason, we typically divide the conversation into two key areas: theft and data loss. Each company’s approach is different, so determining what is effective and what is not is not always straightforward. If a company says it has allocated significant capital to fixing or upgrading systems, then that becomes public knowledge and can make news headlines. Conversely, if they say they don’t worry about it, then there might be an impression that the company’s systems are easy to break into, even though it could be that the company believes it has relatively strong cybersecurity functions in place. Depending on a company’s response, security issues can be interpreted in a variety of ways.

Back to the future

As long as technology continues to exist, companies will need to arm themselves with cybersecurity. Cyberattacks can disrupt a company’s operations, damage information systems, and even put a company’s reputation at risk for failing to protect customer and employee data. This then touches on the ethical concerns of data privacy and data security.

The many ways inadequate cybersecurity can affect a company and its ESG profile have investors paying more attention. Some questions worth asking companies include how they identify and manage their data, how they detect and respond to cyber threats, and what their governance and risk oversight structure looks like. It’s important that management is engaged, aware and willing to learn from past mistakes so they can direct their companies towards a future path that is smarter and more secure in the cyber age.

Important Information

Companies mentioned for illustrative purposes only and should not be taken as a recommendation to buy or sell any security. It should not be assumed that recommendations made in the future will be profitable or will equal the performance of the securities in this list.

Foreign securities are more volatile, harder to price and less liquid than U.S. securities. They are subject to different accounting and regulatory standards, and political and economic risks. These risks may be enhanced in emerging markets countries.

ID: US-121217-53950-1