Cyber security is a very real threat to Private Businesses
According to PwC’s 2018 CEO Survey, it is the call that no CEO (and Chairman) wants to have to take or make. Being the victim of a cyber-security breach or attack is high on UK CEOs’ threat list for 2018.
Unfortunately, for one of my Private Equity owned clients, this wasn’t just a threat but in late 2017 became a reality. They had a malware virus (I say it like I know what it is!) in their IT system for 6 months, recording keystrokes and sending important, confidential information out of the business – without leaving much of a trail.
So what exciting industry does this client operate in? What famous brand are we talking about? How much money did they lose? For obvious confidentiality reasons, I can’t be specific. However, without being disrespectful to my client, they aren’t big and they aren’t a brand that anyone outside of their industry would recognise. And the actual system breach itself cost them nothing.
The key impacts on the business though have been:
- A significant distraction for all management, including the CEO – not just the IT department
- Some difficult conversations with stakeholders informing them about what had happened with their data
- Highlighting how unprepared they were for such an incident; and
- The worry about the impact of this on their reputation and a potential fine from the Information Commissioner’s Office (ICO).
On this last point, it is worth raising the impact of GDPR and what a difference it would make if the attack on my client had happened on or after 25 May 2018. Before this date, the fine for breaching data protection rules is £500,000. Afterwards it is 4% of global turnover, up to €20m – that’s a potentially massive increase!
The other impact that GDPR would have had on my client’s incident is the time that they would have had to report it to the ICO – 72 hours from becoming aware of the data breach. That may sound a lot, but in my client’s case they didn’t have the full picture within that time, so would not have been able to make complete disclosure to the ICO.
So what have I personally learnt from all of this?
- There are no businesses that have not had a cyber-security attack – it’s just that some don’t know they’ve had it!
- Private businesses, big and small, whether well-known or not, are as much at risk as the famous listed brands that have had cyber issues publicised in the media;
- It isn’t just a technology issue. The response needs to include detailed communications with key stakeholders – customers, suppliers, staff and technology partners;
- Many private businesses don’t have significant cyber security support in house, especially when it comes to responding to an attack; and
- The amount of management time spent dealing with the issue is significantly more than is being spent thinking about prevention.
I encourage all private business owners and management teams to take cyber security and their plans to respond to such an attack extremely seriously. Make sure you have a strategy for monitoring for a cyber security breach and know who to contact if the inevitable happens. This isn’t something that just happens to someone else.
Matt Palmer is an Assurance Director in the Private Business team at PwC based in the East Midlands.