Cyber-security: getting the basics right

PwC’s cyber team highlight the importance of cyber security and offer their top 5 tips for survival.

A medium-sized Northern Ireland company recently discovered that their online banking system had transferred over £110,000 to China. Just a few miles away, a service-solutions company had all the data in their computers encrypted and were told that if they paid a hefty ransom the data would be released.

A local manufacturing company was confronted by a product identical to their own, only much cheaper, made in the Far East by a company that just happened to have hired an ex-employee.

Welcome to just a few of the problems PwC’s cyber team has experienced. But even if the perpetrators have fled down the information superhighway, catching up – and even getting redress – is not impossible. Cybercrime may be a $3 trillion a year business, but the PwC experience is that cyber-criminals can be, and are being, identified; however, being prepared is a more effective policy than being a victim.

PwC’s experience is that typically, 70 per cent of Northern Ireland’s companies with an online presence could expect to experience some form of technology and/or data-related incident in the next 12 months, with less than half of these incidents being identified immediately.

Whether that attack is successful or repulsed is down to the business and its management, but PwC’s cyber experts offer their top five tips for survival:

1. Cybercrime is not an IT issue: Companies and their boards need to decide who is responsible. It’s not solely an IT issue – it’s a boardroom issue and if cybersecurity is not on the board’s agenda, then executives are ignoring that more than half of all IT security breaches are caused by staff.

2. The most vulnerable companies have poor culture and lacklustre processes: Together, these issues cause most of the trouble. Access to a wide range of technology is essential for almost every business to operate in a world dependent on the web, but organisations must consider the risks and be confident in their capability to manage them if they are to escape the inevitability of fraud or cyberattack.

3. Understand what you want to protect and then define the risk of protecting it: Who can initiate new customer accounts; are existing customers’ financial and trading details freely available; who can authorise online and banking transactions; who controls passwords, networks and IT access; where do designs, drawings and vital intellectual property reside and who can access them?

4. People are the weakest link: The Information Security Breaches Survey 2015, which was commissioned by the Department for Business, Innovation and Skills (BIS), undertaken by PwC and included a number of Northern Irish companies, claims that 50 per cent of the worst security breaches identified were caused by inadvertent human error – further emphasising the importance of culture and processes.

5. It’s not about managing technology: it’s about managing people and processes: Companies need to get the culture right and provide training for staff on basic awareness when using company computers and mobile devices such as smartphones, iPads and USB keys. Everyone from the top down needs to understand that their assets – from intellectual property to cash in the bank – all have value and that’s why people want to buy or steal them.

In summary, cybercrime is a fact of modern life, so learn to deal with it aggressively and strategically. Vigilant companies with alert staff, good cultures and a clear understanding of what they want to protect, are much, much less likely to become victims than those who believe that ‘statistically, it will never happen to me.’ That means it is worth taking professional guidance as to the robustness of your cyber policies and it’s also worth reading the Government’s cyber security guidance which offers directors some practical steps to protect their business and can be accessed at:

www.gov.uk/government/publications/cyber-risk-management-a-board-level-responsibility

Finally, statistically around three-quarters of online companies in Northern Ireland may be potential victims in the next 12 months – so, just how vulnerable is your business?

Cara McCrory

PwC | Associate Partner

Direct: +44 (0) 28 9041 5577

Email: cara.l.mccrory@uk.pwc.com

 

Craig McKeown

PwC | Associate Partner

Direct: +44 (0) 28 9041 5068

Email: craig.l.mckeown@uk.pwc.com

 
