Private businesses: don’t be low hanging fruit for cyber criminals
26 November 2018
I lead PwC’s cyber security team in Birmingham, working with clients to build, manage and assure cyber security capabilities. I have previously spent time looking at cyber security threats from a very different direction as a law enforcement officer in the UK’s National Cyber Crime Unit. I am increasingly speaking to privately-owned (i.e. non-listed) businesses about cyber security, and a couple of consistent messages are emerging.
“No one would want to attack us, we’re not high profile enough.”
Cyber criminals don’t sit at home thinking to themselves “I won’t go after that business; they aren’t listed.” Criminals don’t care about the ownership structures of a target, what they care about is:
- Do they have money I can steal?
- Do they have personal, financial, intellectual property or otherwise sensitive data I can steal or leak?
- Do they have IT or operational systems I could disrupt to extort money or just make a point?
Based on this, all private businesses are at risk from a cyber attack. Although some attackers are highly selective about what kind of attacks they mount (e.g. targeting sensitive military tech), I have observed first-hand in my previous life in law enforcement that a much greater number will simply look for low hanging fruit, scanning the internet for weaknesses they can exploit to get into an organisation (like an opportunistic burglar spotting an open window). Moreover, the widespread ransomware attacks of 2017 (WannaCry and NotPetya) were indiscriminate attacks, with organisations across sectors being hit indirectly.
“Cyber security is something that IT sort for us, talk to them.”
Whilst IT is the means by which a cyber attack manifests itself, the impact of a successful attack will be felt across the whole organisation, ultimately with the board being accountable:
- Direct financial loss to the company (money taken from accounts or payments misdirected to criminals)
- The cost of investigating and fixing a breach (direct costs on external forensic/crisis management/legal/PR support and also significant time abstraction for senior leaders)
- Operational disruption (an inability to do what makes a company money - e.g. make stuff, sell stuff, ship stuff, invoice customers, communicate with clients)
- Legal and regulatory action (e.g. an investigation by the Information Commissioner’s Office, potential regulatory fines and class action lawsuits from victims)
- Damage to reputation (loss of confidence by customers, clients, investors)
- Loss of competitive advantage (a competitor can take IP to market, or exploit a business opportunity - e.g. an acquisition)
Moreover, cyber security is a holistic, specialist discipline which relies on people and business processes, as well as technology, to get right. Therefore, whilst an IT team are undoubtedly important in this area, they are unlikely to have either the full skillset, or the ability (in terms of mandate or resource) to address the wider people and process issues.
Even more importantly, the buck stops with a board (this is where the Information Commissioner will be asking questions in the event of a breach!), so having assurance of what an IT team is doing and reporting to the board is critical.
A good starting point for boards and owners of private businesses is to ask the following three questions of their IT teams:
- How do we ensure our security is aligned to the external threats we face and our own risk appetite?
- How many third parties hold or access our systems or sensitive data? How do we ensure they meet our security standards?
- What is our response plan for a cyber breach? Have we tested this?
PwC is rated as a leader in both cyber security consulting and incident response and I am working with a range of private businesses to address the challenge of cyber security. If you want to know more, please look at how we are helping private businesses with cyber security and get in touch.