Private companies and cyber risk

A chat with Deloitte Private cyber leader Don MacPherson

By Mike Runia, Managing Partner, Deloitte Private

Cyber risk is fast becoming a top-of-mind issue for many private companies. And, if it isn’t, it should be. Exponential technologies, digital disruption, and changing consumer expectations are creating unprecedented opportunities for private companies to improve efficiency and deliver greater value to customers and the marketplace. However, these come with a variety of risks, the most notable being cybersecurity.

Cyber strategy

The good news is that the cyber challenge is itself an opportunity. Private companies that take the lead on cyber can not only protect themselves from rising cyber threats, they can differentiate themselves from the competition and position themselves to win in an increasingly digital world.

This post is the first in a four-part series about cybersecurity best practices for the private enterprise segment. Today, we’re speaking with Don MacPherson, Deloitte’s Risk Advisory leader for private business in Canada, and a cyber leader in the firm’s Vancouver office.

Mike: Good morning, Don. Thanks for speaking with us. So, why should private companies in Canada be concerned about cybersecurity?

Don: Good morning, Mike. Many private companies are asking us that very same question. When it comes to cybersecurity, every company is at risk and needs to be concerned. Over the past several years, we have seen the nature of cyberattacks transform dramatically: where once they focused on financial theft and direct monetary threats, now the preferred method is to threaten business disruption by means of ransomware. With monetary threats, small private companies were less likely to be targeted as they tended not to manage large volumes of digital cash. But with business disruption being the key threat, every company is a target.

Mike: Are private companies especially vulnerable?

Don: In many cases, yes. Most private companies have invested less in cybersecurity compared to large public organizations, so their defences are not as comprehensive and robust. This makes them easier targets.

The problem isn’t just a shortage of investment in cybersecurity technologies. It’s also a shortage of resources and talent. Many private companies lack the scale to justify having an in-house cybersecurity team with dedicated experts in specialized areas such as network security, identity management, security incident monitoring, and incident response. Instead, they have just one or two cybersecurity resources trying to cover all of those areas. Or worse, they’re relying on IT generalists to keep them safe from cyber threats. That’s an impossible task.

Mike: Why are specialized cybersecurity capabilities so important?

Don: Managing cyber risk is a difficult and complex challenge—and the devil is in the details. Hackers develop attacks by closely scrutinizing an organization’s security and then exploiting any little weakness. Also, new threats are constantly emerging and so organizations need to continuously monitor the evolving threat landscape in order to have any hope of protecting themselves.

Staying on top of all those details is a huge undertaking for any organization, even large global ones. Our own cybersecurity team is constantly monitoring multiple threat feeds from multiple sources in near real-time, and then consolidating all of that information into intelligence and insights we can use to protect ourselves. But even for us, it’s a complicated and time-consuming process that requires significant resources across a wide array of cyber and IT domains.

Mike: With cybersecurity, do private companies have any unique disadvantages relative to public companies?

Don: Public companies are required to have external financial audits, and those audits provide some level of assurance about the basic blocking and tackling of cybersecurity, such as: completeness and accuracy of data, clearly defined roles and responsibilities, and controls for software updates and change management. This required due diligence provides the basis for important internal conversations about cybersecurity, and helps public companies get started down the right path. Private companies are not subject to that same level of mandatory scrutiny, and need to take their own lead to ensure any IT controls are designed and operating effectively.

Mike: Do all private companies face the same cybersecurity challenges?

Don: While it’s important to understand the differences between public and private companies, it is also important to recognize the differences between industries.

For example, if you’re a private company in the consumer business space and you’re dealing with a lot of customer information, your threat profile is very different from that of a manufacturing company with a business-to-business model. In B2C, your biggest cyber risk might be having customer information stolen and used inappropriately, whereas in B2B your biggest worry might be business disruption. The types of threats our clients face and the data they need to protect vary greatly depending on the nature of their operations.

Cybersecurity is a hot topic for consumer businesses and financial services firms because of the severe and highly visible impact on their businesses if things go wrong. Other sectors have traditionally been less concerned about cybersecurity, although that is changing quickly as the focus of cyberattacks shifts toward business disruption.

Mike: Why should private companies in all industries make a proactive effort to get in front of the cybersecurity challenge, instead of just waiting until a problem occurs?

Don: Although many companies would rather not think about cyber risks, there are countless bad guys out there who are thinking about it and who are constantly looking for ways to exploit even the slightest weakness. Companies that don’t proactively protect themselves from attack will eventually find themselves on the wrong side of the problem and be forced to react–an outcome that is much more painful and expensive than thinking threats through in advance and taking steps to prepare.

Also, when it comes to preparing for cyber risks, no client is too small. We've seen everything from small ski resorts to restaurants to niche manufacturing companies all caught off-guard because they didn't deal with cyber risks pre-emptively. The financial cost of these incidents is dramatically higher than it would be to implement a program that would have thwarted the attack in the first place. We have also seen other non-financial impacts, such as brands and reputations being damaged and executives being terminated for being unprepared or not reacting well under the pressure of a breach situation.

Mike: Cybersecurity tends to be viewed as a purely defensive activity. Are there any positive aspects to it?

Don: Great question. While cybersecurity investments are generally seen as defensive, they can also be a strong selling point in an increasingly digital business environment. These days, many private companies are part of a larger value chain–and that chain is only as secure as its weakest link. So, companies want to make sure their partners’ cybersecurity is as strong as possible. Private companies that demonstrate a clear and sustained commitment to building and investing in robust cybersecurity capabilities are much more attractive to customers and value chain partners.

This is especially true for early-stage software companies, whose future growth and success hinges on being highly resistant to cyberattacks. We have been having a lot of conversations with technology companies that are taking the initiative to get in front of this issue, or are dealing with customers who are looking for proof that their security controls are adequate. Many of these companies are asking us for an external review and “Good Housekeeping seal of approval” certifying that Deloitte has reviewed their cybersecurity environment and attests to its capabilities. This would not only give them an edge in marketing but could also help save them money and headaches, because without such assurance, individual clients often insist on conducting their own cyber assessments–and these can be costly, time-consuming, and resource-intensive processes.

Mike: Many private companies are reluctant to take action on cybersecurity because it seems like an unsolvable problem–and a black hole for money and resources. What can they do to overcome the challenge?

Don: A risk-based cyber strategy is the key to making cybersecurity manageable. Instead of trying to create a state-of-the-art environment that is all seeing, all knowing, and completely bulletproof, private companies should identify their most critical information assets and then right-size their cyber environment to mitigate the threats that are most likely to affect their business. Although it’s certainly possible to spend an almost infinite amount of money on cybersecurity, shrewd companies can figure out how to get the maximum value from their cybersecurity investments.

Cybersecurity is a large and complex challenge, and every company is vulnerable. But the challenge doesn’t have to be overwhelming. The key is to just get started. Focus first on the assets that most need protecting, and then build from there. While perfect cybersecurity is an impossible dream in a changing environment, any deliberate steps companies take to protect and prepare their data and their customers is 100 percent better than nothing.