UK: Cyber Risk – Don't Be Alarmed, Be Prepared

Practical steps now to support a strategic approach

It's a familiar warning: the exponential growth of digital technologies is exposing us all to more and new kinds of risk and we all need to ensure that we protect our assets and reputation from attack.

With rapidly growing and constantly shifting threats, it can seem exhausting – almost overwhelming – simply trying to keep up with what you should be doing, especially if you haven't actually suffered any loss or attack to date. As a busy leader in a family business, you could even be forgiven for succumbing to 'cyber-risk fatigue' in the face of so many dire warnings. And who has the time and resources to focus on a notional threat anyway, when business as usual is already so demanding?

Don't kid yourself. Cyber-risk is a real and present danger for enterprises of all kinds and all sizes. It's no longer a case of if you will be attacked but when and how. And in the case of a family business, the risk in many cases is to the family owners themselves as well as to the business.

The World Economic Forum's Global Risk 2017 report recognised cyber risk as one of the top commercial risks, alongside the economy, the environment and geopolitics. Those are pretty big issues to be ranked alongside and there's good reason for cyber risk being there. Our businesses are becoming ever-more reliant on digital technologies. Those technologies are growing in complexity – think robotics, automation, agile development, and cognitive intelligence. The perimeters of our organisations and networks are dissolving as we move to cloud-based systems, mobile networks and collaborative platforms. While these may foster agility and innovation, they also expose us to more risks from external sources. And the sheer volume of data that we need to protect is growing exponentially: by the year 2020 the world will have around 50 times more data to defend than it does today*.

So, what can you do to protect your business? Growing awareness of cyber risk has led many organisations to appoint a Chief Information Security Officer (CISO) with responsibility for cyber security. However, a recent Deloitte CIO Survey found that 33% of CISOs 'feel that the business views security and risk management as a compliance chore, a cost to the business or an operational expense.'

A powerful truth

If this is an accurate reflection then business needs to wake up. Cyber security isn't about compliance. It's not even about technology.

Because business strategies increasingly depend on technology, the risks to that technology are, by definition, risks to the strategy. So, cyber security is in fact a business issue and a strategic imperative.

Recognising this simple but powerful truth is perhaps the single most effective action businesses – particularly private businesses – can take in addressing the changing risks they face because it underpins a fundamental change in mindset.

With a lower public profile, family business owners might imagine that they are somehow below the radar of the organised groups of hackers and fraudsters who are breaching cyber defences and wreaking havoc. Not so. In fact, many family businesses are large enough to make attractive targets and many still have comparatively weak cyber defences.

What is more, in certain markets, the issue of personal security for family owners is of critical importance: think kidnapping and risk of targeted theft. And in almost every case, given the reputation of the owning family is bound up with that of the business, protecting one means protecting the other, leaving one at risk means leaving the other exposed.

Becoming cyber mature

A new report from Deloitte Canada – Take the lead on cyber risk – offers business leaders a blueprint for moving to next-level of security – focusing on three core themes: security, vigilance and resilience. But the key for all leaders is that addressing and mitigating cyber risk has to be woven into business strategy, not bolted on later. For family businesses, cybersecurity needs to become part of your business and your family's DNA. Achieving that will take time and commitment.

However, alongside a wholesale review of your business's cyber readiness, there are some relatively straightforward steps that you and your family can take now that will put you in a better position to mitigate cyber risk:

• Talk – encourage awareness of cyber risk and greater vigilance by making it part of everyday business and family discussions. The more that family members and employees are familiar with the issues the more they will be able to act to mitigate your exposure.
• Prioritise – start by identifying your crown jewels – the key individuals who might be targeted, business-critical assets, processes that could be disrupted and data that could be stolen, used to support fraudulent or corrupt activity, or simply to damage your reputation.
• Be social-savvy – just as young people are encouraged to be mindful of what they post online, your next generation should understand the risks associated with social media, from advertising your absence to providing ammunition for attacks on your reputation – private as well as corporate. Many of our clients are putting social media policy onto the agenda of their family meetings at the moment.
• Don't go it alone – many family enterprises will struggle to comprehensively address cybersecurity in-house. Outsourcing some of your needs to a managed security service provider (MSSP) can be a practical way to extend your capabilities, particularly around analytics and threat intelligence. It may also be useful to join a cyber-threat intelligence sharing community.
• Allocate responsibility – it may be possible to appoint a CISO. If not then allocate responsibility for cybersecurity to a senior leader – both to provide a focal point for your efforts to become cyber mature, and to ensure that cyber risks are factored into strategic planning and decision making.

Cyber risk is a serious and growing challenge for all businesses – but it's not insurmountable. Equally, it's not going to go away. Cybersecurity is an existential threat to your business as well as to your family: dismissing it as an 'IT issue' or something that probably won't affect you is not a sustainable response.

Footnotes

* Cybersecurity Ventures 2016 Cybersecurity Market Report

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.