Why Cybersecurity Is Critical for ESG

Cyber-Awareness Can Help Companies Meet Esg Obligations

By Shaun McAlmont, CEO, NINJIO

One of the most important trends in the private sector—primarily among publicly traded companies, but increasingly among small and independent firms as well—is the analysis of business practices through the lens of environmental, social, and governance (ESG) issues. Beyond just the “bottom line,” companies are being asked to open the aperture of success metrics to include how their everyday activities either positively or negatively impact life beyond their four walls. Consumers are becoming increasingly concerned about whether companies align with their best interests, while other key stakeholders (from investors to the leaders of communities where firms operate) want to see a greater emphasis on the public good.

Cybersecurity is a critical component of any company’s ESG strategy, specifically in terms of product governance. From the protection of sensitive customer information to the adherence to laws and regulations around data privacy, a robust cybersecurity platform is indispensable to meeting basic ESG criteria. While many companies believe cybersecurity is all about IT teams, firewalls, and digital infrastructure, a well-trained workforce is actually a company’s most significant cybersecurity asset. This is because the vast majority of cyberattacks rely on social engineering: the deception and manipulation of human beings to infiltrate an organization.

At a time when ESG is a major area of focus and reporting for the world’s largest organizations and consumers are worried about how their personal data is being used, awareness with regard to various attack vectors has never been more vital. What most people outside the security industry—executives included—often don’t realize is that 85 percent of breaches involve a human element (according to Verizon’s 2021 Data Breach Investigations Report). The good news: most attacks are preventable if employees are armed with the right information. This is why an effective security awareness training (SAT) program is a must-have for any company, large or small, that wants to report fewer (or zero) attacks on their organization’s digital infrastructure.

A new era of consumer relationships

According to a 2022 Edelman report, 88 percent of institutional investors “subject ESG to the same scrutiny as operational and financial considerations.” For most companies, how cybersecurity is implemented and prioritized is a core part of their overall governance as it directly impacts data security and privacy, continuity of service and technology, and the operational integrity of their networks and systems.

Beyond its broad range of governance implications, cybersecurity is particularly crucial at a time when consumers are extremely worried about how their personal data is being collected, stored, and used. According to Pew Research Center, 81 percent of Americans say the potential risks of companies collecting information about them outweigh the benefits, while another 79 percent say they are concerned about how companies use the data they collect. This is a powerful reminder that companies should have comprehensive and transparent data privacy and security policies, as well as an SAT program capable of keeping the company safe.

ESG reporting on initiatives related to cybersecurity not only builds trust with investors and provides a level of transparency for the public record, but it also ensures compliance with regard to consumer data protection. All you have to do is look at the headlines to see that companies face an unprecedented and constantly evolving cyberthreat landscape—from the increasing frequency and destructiveness of cyberattacks to the threat posed by state-sponsored cyberwarfare. Cybersecurity awareness among employees ensures human defenses against all these cyberattacks, which drastically reduces companies’ vulnerability.

Taking responsibility for building a cyber-aware workforce 

Social engineering can take countless forms, which is one of the reasons it has proven to be such a versatile tactic for infiltrating many different organizations. Cybercriminals use manipulative techniques such as email subject lines demanding “urgent” action, coercive messages threatening legal and professional consequences, or impersonations of government agents (especially law enforcement and the IRS). When companies don’t have well-trained employees, they’re especially susceptible to these deceptions, which poses a direct risk to their employees, customers, and other stakeholders who engage with them.

Over the past two years, there has been a huge influx of cyberscams due to the pandemic—a clear reminder that cybercriminals are always updating their social engineering strategies based on opportunities to exploit the vulnerable. For example, after the U.S. government announced that it would distribute free COVID-19 tests, cybercriminals set up dummy websites with domain names similar to legitimate resources like covidtests.gov. There are countless schemes: fake websites offering stimulus checks in exchange for sensitive payment information, emails promising miracle cures, fraudulent messages about updated COVID policies or compensation purporting to be from HR departments, and so on. According to Proofpoint, pandemic-related phishing attacks surged by 33 percent last summer.

Evolving tactics among cybercriminals and surging rates of successful attacks mean companies are more responsible than ever for protecting sensitive information and ensuring that their systems aren’t compromised. A 2021 KPMG survey of CEOs found that they regard cybersecurity risk as their top threat to growth—a risk consumers and investors are taking more seriously by the day. Meanwhile, at a time when many companies are still relying on remote work—which presents an array of cybersecurity challenges, from the use of insecure home networks and IoT devices to the risks of using public WiFi—companies have to prioritize cybersecurity like never before.

Companies have never been under more pressure to pursue the public good along with profits, and maintaining the integrity of sensitive consumer data and essential digital services should be a key part of ESG efforts. This is why company leaders should make their SAT performance a critical indicator of how they’re protecting their employees, customers, and stakeholders.

About the Author

Sean McAlmont is the CEO of NINJIO and one of the nation’s leading education and training executives. He served as President of Career and Workforce Training at Stride, Inc., had a decade-long tenure at Lincoln Educational Services, where he was President and CEO, and also served as CEO of Neumont College of Computer Science, and President of Alta Colleges’ Online Learning Division. His workforce and ed tech experience is supported by early student development roles at Stanford and Brigham Young Universities. He is a former NCAA and international athlete, and serves on the BorgWarner and Lee Enterprises boards of directors. He earned his doctoral degree in higher education, with distinction, from the University of Pennsylvania, a master’s degree from the University of San Francisco, and his bachelor’s degree from BYU. Sean can be reached online at ([email protected], @ShaunMcAlmont on Twitter, and on his LinkedIn page), as well as NINJIO’s website: ninjio.com.