With the cost to business frequently not just a financial loss, but also the loss of reputation, clients and focus, Stuart’s evidence was clear that data and system protection starts with some surprisingly simple disciplines. Perhaps simplest of all is the importance of educating, including and engaging your workforce, with human behaviour being the single biggest risk to a business’s cyber and data security.
Any Board needs to look at the risks to their organisation and digital security is increasingly on the priority list. Yet it cannot simply be seen as the preserve of the technical teams – something to throw money at by purchasing a piece of software or system that will make the business impenetrable from external hackers – not least because technical teams often operate in silos, understanding the immediate threat but not always aligned with the business strategy. In addition, there is currently no single system that can provide absolute protection and larger businesses frequently piece together a patchwork of incompatible products that add complexity and cost and create a perception of safety which is unfounded.
Cyber risk, as with any business change, can be addressed from three angles: process, people and technology. The threat must be treated holistically, both in preventive and reactive mode.
Right from the outset, a business needs to minimise and then organise the amount of data it needs to protect. Less data can be more efficiently protected. Better organised data can be assessed and grouped according to value and sensitivity so that a hierarchy for protection can be embedded and appropriate security can be provided.
Next: people, the most common reason for a cyber breach and the hardest to control. How many times have you or your colleagues taken data home on a memory stick or emailed it to your Gmail account? How many times have passwords been shared or sensitive data accidentally passed on? What about downloads or web surfing? It happens all the time, and the more controls that are put in place limiting behaviour, the more the issue grows, with staff finding ways around the controls.
Major cyber initiatives are a change management function. Education and understanding are key, and this is not a one-off, tick-the-box exercise but a constant, business-wide effort to ensure employees, suppliers and clients who have access to internal systems and data realise the impact of their actions. In turn, a deep analysis of how your employees and stakeholders use data and access systems, and of the freedoms they need to do their jobs, will be a significant foundation for success, rather than blanket controls and blockages.
In case of a breach, a cyber-ready business must have virtual teams with representatives from legal, PR/marketing, IT and insurers and, importantly, the direction and backing of the leadership team. It is a boardroom challenge and a swift, highly informed and well executed response is absolutely essential. The impact of getting this wrong was very evident in the Yahoo breach, where the share price plummeted in the midst of an acquisition, generating exceptional loss of value and business risk instantly.
Basic measures such as those described above will help to limit any potential cyber threat, and ensure any relevant investment is targeted and aligned with the overall business strategy. This enables the business to back up key data and mitigate the impact of ransomware like WannaCry, and takes us towards General Data Protection Regulation (GDPR) compliance.
GDPR comes into effect on 25 May 2018 and the penalty for non-compliance can be up to 4% of global revenue, which, if a cyber breach has already claimed reputational and business damages, would potentially be a business-changing event.
Cyber security is a risk no business can ignore, with serious penalties for data non-compliance, and will feature again in the next few months with a wider panel discussion and a further Eton Bridge Partners dinner in September.
Louise Chaplin, Partner & Head of Board Practice
Edward Fanshawe, Associate Partner – Board Practice
Louise Franklin, Head of Research & Executive Search – Board Practice
Emily Perry, Researcher – Executive Search – Board Practice