NotPetya ransomware attack

Corporate social responsibility should include cyber security

This terminal at the main post office of Ukrainian postal service Ukrposhta was one of the casualties of the NotPetya ransomware attack that affected many institutions in the country on Tuesday. Such incidents highlight the vital need for companies t
This terminal at the main post office of Ukrainian postal service Ukrposhta was one of the casualties of the NotPetya ransomware attack that affected many institutions in the country on Tuesday. Such incidents highlight the vital need for companies to take cyber security seriously, says the writer. PHOTO: EUROPEAN PRESSPHOTO AGENCY

As the NotPetya ransomware attack spreads around the world, it's making clear how important it is for everyone - and particularly corporations - to take cyber security seriously.

The companies affected by this malware include power utilities, banks and technology firms. Their customers are now left without power and other crucial services, in part because the companies did not take action and make the investments necessary to better protect themselves from these cyber attacks.

Cyber security is becoming another facet of the growing movement demanding corporate social responsibility. This broad effort has already made progress towards getting workers paid a living wage, encouraging companies to operate zero-waste production plants, and practise cradle-to-cradle manufacturing.

The overall idea is that companies should make corporate decisions that reflect obligations not just to owners and shareholders, customers and employees, but to society at large and the natural environment.

As a scholar of cyber-security law and policy and chair of Indiana University's new integrated programme on cyber-security risk management, I say it's time to add cyberspace to that list.

ONLINE SECURITY AFFECTS EVERYONE

This terminal at the main post office of Ukrainian postal service Ukrposhta was one of the casualties of the NotPetya ransomware attack that affected many institutions in the country on Tuesday. Such incidents highlight the vital need for companies to take cyber security seriously, says the writer. PHOTO: EUROPEAN PRESSPHOTO AGENCY

The recent WannaCry ransomware attack affected more than 200,000 computers in 150 nations.

The results of the attack made clear that computers whose software is not kept up to date can hurt not only the computers' owners, but ultimately all Internet users. The companies hit by the NotPetya attack didn't heed that warning, and got caught by an attack using the same vulnerability as WannaCry, because they still had not updated their systems.

Some policymakers and managers are taking notice around the world. In the United States, the Department of Homeland Security, the chief federal agency dealing with cyber security, has highlighted businesses' "shared responsibility" to protect themselves against cyber attacks.

Consumers can't protect their utility services, banking systems or even their personal data on their own, and must depend on companies to handle that security.

Cyber security is an effort that not only protects - and even benefits - a company's bottom line, but also contributes to overall corporate and societal sustainability. In addition, by protecting privacy, free expression and the exchange of information, cyber security helps support people's human rights, both online and offline.

VACCINATING CYBERSPACE

If more companies get serious about cyber security, the Internet ecosystem will be safer for everyone.

The concept is much like vaccinating people against disease: If enough people are protected, the others benefit too, through what is called "herd immunity".

In terms of deterring hackers, the number of vulnerable targets will drop, making it harder for hackers to find them, and less worthwhile to even look. And more companies will have defences ready when cyber attackers come calling.

This isn't a perfect solution: With enough time and resources, any system is vulnerable. But this change in corporate perception is an important step in developing a global culture of cyber security.

Customers can get involved in this effort, demanding better cyber security from companies they do business with.

These can include online retailers, whether small specialised sellers or giants like Amazon.

But local brick-and-mortar stores with customer loyalty programmes that have built their brands on trust can also be susceptible to consumer pressure.

To date, it's been hard to know which companies have the best cyber-security practices. The product and service reviewers at Consumer Reports have made a start: In March they started evaluating devices, software and mobile apps for privacy and cyber security.

Advocacy groups like the Internet Society and many others should ask companies to discuss cyber-security efforts in their reports to shareholders. And they should urge government agencies to develop voluntary programmes like the US Environmental Protection Agency's Energy Star appliance-efficiency rating system.

Britain has a certification like this for cyber security, called Cyber Essentials. These efforts don't require executives or managers to make different decisions, but help inform them - and the public - about how the choices they make affect consumers.

Ultimately, companies will play a huge role in shaping the future of our shared experience online.

Cyber security and data privacy are key elements of this, and it's time consumers demand corporations treat them as the 21st-century social responsibilities they are.

•The writer is an associate professor of business law and ethics; director, Ostrom Workshop programme on cyber security and Internet governance; cyber security programme chair, IU-Bloomington, Indiana University, in the United States.

•This article first appeared in theconversation.com, a website of analysis from researchers.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Straits Times on June 30, 2017, with the headline Corporate social responsibility should include cyber security. Subscribe