When corporate cybersecurity lapses, the damage often extends beyond a single facility or organization. Data breaches, supply chain disruptions, and environmental waste can all occur, impacting the health and wellbeing of consumers and their communities. With this in mind, a growing number of executives are assessing their cybersecurity protocols through the lens of ESG, aiming to identify and minimize the impacts of cyber incidents on the broader population.
This is more than a transition toward more ethical business operation. For the 45% of executives planning to increase ESG investments in the near future, shoring up technical vulnerabilities will be essential for maximizing ROI and earning favor with ESG ratings agencies. Depending on the industry, cybersecurity can account for as much as 29% of a company's overall ESG score.
Businesses that hope to make meaningful strides in this area will need to evolve beyond the pervasive view that cybersecurity is an exclusively technical issue. Executives should aim to develop a workplace culture where cybersecurity and its societal implications receive comprehensive consideration at every level.
Protecting consumer data
Cases of identity theft rose 10% between 2022 and 2023, often in connection with breaches or ransomware attacks. In fact, research shows that individuals who have had their information compromised by a company's data breach are twice as likely to become victims of identity theft.
Most executives understand that exposure of customer data is bad for business, often costing millions of dollars in damage and causing customer relationships to suffer. But to the socially conscious business leader, the impacts on customers are just as worrisome. Data protection is imperative for preserving the financial health and stability of the consumer population, and should therefore be treated as a primary ESG initiative, supported with all necessary resources and promoted across the organization.
Educating stakeholders on the relationship between breaches and ESG helps organizational leaders convey the value of data protection to employees, laying the foundation for a company-wide culture of cybersecurity. Training programs, conferences with SMEs, and team meetings can all be leveraged to develop the employee skills needed to prevent cyber incidents—and to manage them if they occur.
From an IT standpoint, it's crucial to ensure the company is working with reliable, updated software and partnering with vendors that employ robust security protocols. This need will only become more urgent as organizations become more reliant on advanced technologies (such as AI and IoT), which can be enticing targets for hackers and other malicious actors.
Preserving vital equipment
IoT devices and automated machinery can help companies achieve a range of ESG goals within their facilities, from sustainable operation of manufacturing sites to compliance with workplace safety standards. But when the technology that runs and manages vital equipment is compromised, the consequences are often significant.
An attack on an IoT device used to control a data center's cooling system, for example, could cause a substantial spike in energy consumption. The disablement of automated farming machinery could lead to disruptions in the supply chain. The impacts of corporate equipment failures on the general public gained global attention in 2021, when the Colonial Pipeline ransomware attack caused fuel shortages at multiple US airports. Three years later, technological vulnerabilities persist across businesses and industries.
As part of a cybersecurity-centric ESG initiative, businesses should take stock of their equipment and assess the ways its performance affects the broader population. Securing high-impact systems (such as through routine software updates, tightened access controls, and strong password policies) is essential. However, it is also important to develop contingency plans in the event that frontline defenses fail. This could mean investing in backup systems, training employees to operate equipment manually while systems are offline, or developing a plan for providing status updates to consumers.
Generating accurate ESG data
Inaccurate reporting can be detrimental to ESG, making it difficult for regulators, as well as consumers, to discern which companies are genuinely acting in society's best interest, and which are participating in deceptive practices, like greenwashing. By developing more stringent policies for data collection and hygiene, businesses can achieve greater operational transparency and build trust with external stakeholders.
Many ESG-conscious businesses employ data governance policies to protect their brands' reputations, prevent data theft or manipulation, and maintain regulatory compliance. This is easier to accomplish when the business uses software that supports role- and permission-based access to valuable ESG data. Technologies such as AI and ML can also be deployed to monitor data for anomalies and potential manipulations.
In addition to bringing greater accuracy to mandated reporting, tightening data-based cybersecurity policies can help organizations ensure that they're on track to meet their ESG goals. When an organization's data is timely, authentic, and organized, KPI measurements and benchmarking are more reliable, enabling business leaders to make precise adjustments to their processes for more impactful results.
Bringing SMEs to the ESG conversation
As ESG becomes an increasingly common topic of boardroom discussion, it's important to invite a range of voices to participate. By including cybersecurity experts among their core ESG strategists, businesses can develop a more holistic view of their efforts and a more comprehensive understanding of the challenges they face.
ESG initiatives are often multi-faceted, involving measures to make operations safer, more sustainable, and more beneficial to the general public. It's crucial for business leaders to recognize that cybersecurity underpins all of these efforts, bringing stability and structure to a range of relevant processes. Only when the guidance of cybersecurity SMEs is valued and heeded can businesses progress toward their ESG goals with confidence—and with credibility.