Posted: 29 May 2020 4 min. read

Our increasingly digital world means that organisations are facing a new generation of cyber-physical threats

Beyond cybersecurity

When we hear the terms “security” and “IT” together, we often think of cybersecurity first. After all, cybersecurity breaches make global headlines on an almost daily basis – in 2019 the World Economic Forum considered cyber-attacks among the top five risks to global stability. And while it is true that cybersecurity plays an important role in securing your organisation’s information assets and operational resilience, it is not the only risk management domain that the C-suite should focus its attention on. We often find that other security practices and resources are sidelined and underinvested, resulting in a fragmented and ineffective security capability to deal with disruptive events.

In the race to protect your organisation’s information and systems from a cyber-attack, it is important not to neglect other vulnerabilities, including those that pose a risk to more than just data. Your organisation may be implementing the latest technology to deter cybercrime, but there are other tangible threats that may affect your business and the safety of your people. These may include theft or sabotage of critical assets, terrorist attacks or natural disasters, from wildfires and flooding to pandemics. All of these events may disrupt business operations, put employees at harm and result in significant financial losses, not to mention the damage to your reputation. That is why corporate security is becoming an increasing priority in the business world.

Emergence of the internet of things

The continued emergence of the internet of things (IoT) is blurring the line that separates what exists in the digital realm and that of the physical world. For example, in 2014 hackers breached the network of a German steel mill to access the facility’s control system. The phishing attack caused significant physical problems for the steel mill, including damage to a dangerous blast furnace that could not be shut down normally. The number of IoT-connected devices is projected to reach 75.4 billion by 2025 – we now need to defend a larger and more complex corporate attack surface than ever before.

Securing critical assets

A mature corporate security strategy and risk mitigation measures will help protect your organisation from a wide range of internal and external threats that may affect your operational resilience and most critical assets. These assets include physical and intellectual property,  business processes and the greatest asset – the human workforce.  By securing your critical assets effectively you will be better placed to meet your strategic goals, and help your employees to operate in a safe and secure environment.

Security risks are universal and may impact every industry and sector, from healthcare to transportation, and financial services to utilities. The specific concerns of your organisation — and the severity of those risks — will depend on many factors, including location, type of facility and your business context.

The convergence of physical security and cybersecurity urgently requires investment in a new approach that can deliver success, an effective corporate security strategy and culture that acts as a business enabler:

  1. Assess: Identify your critical assets, assess your risk exposure and the maturity of existing controls to create a target state model and roadmap for enhancing your overall security capability.
  2. Implement: Develop a coherent security strategy and risk management framework, build and implement effective security policies, processes and controls, and enhance your overall security culture.
  3. Embed: Enable ongoing capability monitoring and improvement, helping you maintain a strong security culture and be better-prepared for changes in the threat landscape.​
  4. Analyse: Digitise your security management approach bringing deeper, more precise insight, consistency, automation and efficiency.

There appears to be a continuing failure by organisations to understand, who should own the security risk and a tendency to ‘follow the herd’, which often enforces an unoriginal one-size-fits-all approach to security risk management. Could this misalignment between security strategy and the organisation’s broader business objectives expose it to greater operational risk, affect the return on investment (ROI) and potentially cause loss of revenue?

At Deloitte, our consultants are drawn from a broad range of industry, services and governmental backgrounds, bringing unparalleled experience in helping our clients to build organisations that are secure, compliant and resilient in an age of ever-changing risk and connectivity. Combined with understanding corporate needs and business risk, we deliver global security change programmes, integrated with cyber security, crisis management, operational and business resilience. 

Sign up for the latest updates

Key contacts

Agnieszka Eile

Agnieszka Eile


Agnieszka is a Director in the Risk Advisory practice, where she focuses on Cyber, Digital & Data risk. She works predominantly with Financial Services clients, including banking and capital markets, and private wealth management. She has over 13 years of experience advising organisations on non-financial risk management. Specifically, she helps clients evaluate the maturity of their technology and cyber security risk and control functions; design, develop and implement risk and controls management frameworks; and enhance organisations’ overall risk management culture. Agnieszka has led and delivered several information security risk and controls assessments, internal audits, maturity reviews and regulatory reviews for organisations across a range of industries and sectors, helping national and global companies prepare for and respond to known and unforeseen risk events.

Edward Birrell

Edward Birrell

Senior Consultant

Ed is a Senior Consultant in the UK Risk Advisory Cyber Team, with experience in Corporate Security. He has worked across a range of sectors, supporting clients to understand their holistic security profile, evaluate their capabilities against vulnerabilities, design and implement new security risk management strategies. Prior to joining Deloitte in 2018, Ed advised on crisis responses in high threat environments and delivered strategic project management solutions, as well as serving in the British Army.