Privately owned businesses aren’t moving fast enough to outrun cyber threats


Written by Ryan Burke, Global EY Private Leaders, with contributions by Adrian Ornik, EY Global Growth Leader.

One thing is always certain when it comes to cybersecurity: we can expect all kinds of studies, new technology announcements and predictions about the future. But in the midst of all of those news cycle headlines, one statement has particularly caught my attention…

According to the EY Global Cybersecurity Leadership Insights Study, even though cyber threats are a top risk for any organization, especially privately owned businesses, it still takes 84% of those firms more than a month to detect a cybersecurity breach. Let me say that again – a month to recognize a breach. Considering that once a breach is identified, it still needs to be fixed, this means there are weeks of exposure to all kinds of vulnerabilities: sensitive data, proprietary business intelligence, financials and private communications. As threat actors from hacktivists to nation states now level the crosshairs and increasingly sophisticated technologies at companies of all sizes, from corporations to privately owned businesses, it’s time for organizations to begin moving at the pace of the actual threat. And here’s how to start doing so.

Don’t be a weak link in the chain for your clients

There’s a misperception that a cybersecurity breach is a problem for IT, and IT alone needs to fix it. But this is a business threat that everyone from security to IT to operations, executive leadership and boards needs to understand and get behind. Consumers, customers and vendors all have become weary of data leaks and there’s a growing intolerance of firms that fail to deliver appropriate and adequate security cover. A breach today won’t just bring long-term reputational fallout for your business, it’s going to mean lost business as current clients and future prospects turn away. It could hamstring operations too. Many managed services providers for midsized businesses that outsource won’t work with organizations that appear vulnerable. Why is that? Because your risk becomes not just their risk; it also means risk for all of their customers. As you look for strategies to fast-track cyber safeguards, it’s going to be essential to meet the standards of clients, customers, providers and government agencies to continue growing in the age of rising cyber threats. Ask yourself as a CEO – could I defend a statement to a client that taking at least 60 days to find and respond to an issue is ok?

“We’ve got this” isn’t cyber defense

It’s possible that the feeling of many privately owned businesses is that “we’ve got this” – and a cyber incident can be managed and mitigated in-house. It’s a common leadership view for businesses owned by family interests or private equity that they can act in a more nimble way than large corporations, and they generally do! But in truth, few businesses – particularly those in the “middle market” – have the depth of in-house skill required to monitor the complicated threat landscape or manage complex, modern cyber incidents. More executives are realizing this, with the EY study reporting that almost half of all private firms now outsource more than 30% of cybersecurity operations, and more than 50% realizing an acute need to upskill their own cybersecurity talent as a top priority. It is important to assess your own business’s internal resources, and if they’re lacking up-to-the-minute cyber knowledge or the skills to proactively protect your business, it’s a good idea to begin searching for an external resource to shore up a more enhanced security approach. I think it takes a team approach and that having multiple resources playing offense and defense is a smart move.

Early assessment to build cyber strategy

Too many firms wait for cyber to get personal and for an attack levelled at one of their own assets before acting to enhance security. Often concerns over available cyber budget or the business bandwidth to undertake what is perceived as a years-long remediation can be the roadblocks to the progress that’s needed. But the right external team can provide a vulnerabilities assessment for a nominal price, providing short-term direction and an assessment in only a few weeks to get you started in developing a more strategic approach to cyber threats. In any short-term assessment, you should be looking for an offering that provides a fast, comprehensive and digestible report that:

  • Reviews how employees use all technologies
  • Assesses the current IT infrastructure and social media exposure including employee usage and associated risk
  • Provides an overview of your organization’s cyber exposure levels and recommendations on next steps, areas of focus and priorities

It has been great to receive positive feedback from clients regarding the EY cybersecurity assessment for private companies. I recently had a conversation with a colleague who carried out a cybersecurity assessment for a CEO and Founder of a privately owned business. The client was confident that their strategy and processes to protect the company from cyber-attacks were sound and was skeptical that an assessment would reveal any gaps. After the assessment, they were surprised to see the number of gaps that existed and that there were some real vulnerabilities. If you would like to know more about this assessment and whether it is right for your business, feel free to reach out to me.

Laying lasting cybersecurity foundations

An assessment can begin your cybersecurity transformation process, but change within your business will be important too, and an external resource can be invaluable to guide the effort. At EY, we align all key stakeholders, from leadership to Chief Information Security Officer (CISO), Chief Technology Officer (CTO) and Chief Revenue Officer (CRO), who will be essential to collaboratively build the vision for cyber priorities. Initiating action from that may require structural change, organizational redesign or reorientation of operations, as well as essential training for employees, from IT to everyone who accesses cloud-based and legacy platform systems, and the timely recruitment and integration of specialized workers. It’s also important to have a communications strategy in place to keep employees, investors and the board apprised of the cyber mission, progress and ultimately security enhancements that will protect company value and reputation for the long term.

It’s easy for businesses to see all of the above as an intensive and enormous lift and delay getting started, but the cyber risk clock is ticking fast and never going away. Now is the time for cybersecurity professionals and visionary leaders to outrun the pace, complexity and fast-moving evolution of the cyber risk landscape. Failing to do so will be the fastest way to reputational ruin. Your employees, customers and stakeholders expect that you are keeping them and their data safe. Are you?

The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.

Ateş Sünbül

Senior Partner | Compliance & Cyber Orchestrator

1 year ago

Great perspective to approach cyber privately owned businesses. Pleasure to read Ryan Burke

Martha Raupp

Asia-Pacific Knowledge Leader at EY

1 year ago

Yikes a month!

Ben Lewis

EY Private Communications and Engagement Leader

1 year ago

Sobering stuff... I wonder what impact the growing sophistication of AI will have on exposing companies' vulnerabilities - as well as their ability to detect and respond to attacks.

Ashish Gambhir

Associate Director | EY Private Analyst

1 year ago

It's mind boggling that companies take over a month to detect a cyber breach.
