The volume of data held by businesses, coupled with the reliance of technology to operate effectively, means that today, Government statistics show 97% of organisations are currently addressing a cyber-related breach. And private businesses are particularly susceptible to cyber-attacks, their limited resources making them an easier target for cyber criminals.

But securing your data isn’t just about technology – it is as much about the processes, culture and behaviours within an organisation. It is about businesses creating a secure environment where they effectively leverage technology while remaining resilient in the event of an attack. This includes minimising any loss of earnings, reputation damage or fines.

What is cyber and what should businesses consider? 

Many people wrongly believe the risk of a cyber attack/breach is only applicable to either large corporations or businesses working in more sensitive industries such as healthcare. In reality, the risk is far wider reaching. Many of the businesses we speak to who have been involved in a cyber-related incident in the last 12 months have simply been a victim of chance, or even caught up as collateral damage in a cyber attack directed at another business.

Therefore, it is so important for all businesses to take steps to make sure they fully understand and manage the risks around cyber, both internally and externally.

1. External security controls – how well do you understand your internet-facing systems, including those that are run on your behalf by third parties? It is incredibly important to fully understand how all websites and IP addresses within your estate are being controlled.
2. Internal controls – what controls exist and how knowledgeable are your people (especially  those in senior position given they generally have access to the most sensitive data) in dealing with the risks posed for example through phishing attacks? We’ve all clicked on links within emails at some point, often not stopping to consider the risk.

Only by fully understanding the external and internal threats can a business really begin to properly put suitably robust controls in place to manage their risk around cyber. This is particularly challenging for private businesses where they will naturally have fewer dedicated resources available to carry out these activities.

Who could be targeted?

The truth is any company in Scotland could be targeted. However, there are particular sectors that may be more likely to be targeted these could be:

Energy and Utilities – companies in this sector will hold sensitive information which is critical for future work and projects.

Retail – Scotland is home to some huge retail companies. Retail companies tend to hold huge volumes of consumer data which could make them a target.

Manufacturing – There are many different types of manufacturing companies based across Scotland; from textiles to pharmaceuticals;and there is one common thing that many of these companies will want to protect – intellectual property. Research and development will be important to these organisations and this normally entails large amounts of data.

How can private businesses in Scotland minimise risk?

It is not possible for any business to fully mitigate the risk around cyber. However, that does not prevent them putting in place sensible processes and controls which bring the level of residual risk down to an acceptable level. This will vary across different businesses based on risk appetite, but should consider:

• People – are people suitably aware of the risks posed from cyber?
• Process – are there robust processes in place to manage the risk, or equally respond to an incident?
• Technology – does the technology being used have suitable security controls to prevent unauthorised access to sensitive information?

These are challenging areas to manage properly, especially for smaller businesses. That is why PwC has developed a number of solutions specifically aimed at supporting our private business clients in Scotland. These span from risk assessment and developing a suitable control environment, to how a business would effectively respond to a cyber incident. We get that private businesses don’t have an endless supply of money and therefore maximising the impact from more limited investment is critical in staying ahead of the curve on cyber.

So whether its a short, sharp maturity assessment – great for CIOs who want to understand where to focus their resource for the next 12 months – or a service level agreement where we are on call to support businesses through an incident at very short notice, we have knowledge and expertise to make sure you are best utilising your investment in cyber.

Regardless of the size or nature of your business, we have a team of experts based in Scotland who are passionate about helping our private business clients in the Scottish market.

For information on how PwC can help protect your business from cybercrime contact our private business team.

Kenny Munro 

Director, Technology Risk at PwC