Cyber Risk


Cyber risk in 2017

Private company issues and opportunities


The high-profile data breaches over the past couple of years across public, private, and government sectors show that any company or organization is at risk of a cyberattack. Private companies understand this: The management of cybersecurity and information risk continues to be the most pressing assignment for technology leaders at private companies, according to our latest technology survey of the middle market.1 Information security was cited in the survey as the leading challenge for IT departments, ahead of keeping up with new technology.2 Confronting cyber risk is now a priority for private companies, but the ever-changing cyber threat landscape means total prevention is close to impossible.


Hackers differ widely in their motivations and in the tools, techniques and procedures they use to carry out their attacks, making it “very difficult to secure an entire company’s ecosystem of data and assets,” says Kiran Mantha, a Deloitte Risk and Financial Advisory principal of Deloitte & Touche LLP, who leads cyber risk services for the retail and distribution sector. While some hackers are after personally identifiable information, such as social security numbers or credit card information, others seek to steal intellectual property. Still others engage in “hacktivism” to discredit a company or propagate a particular ideology. Trying to anticipate hackers’ varied motives and prevent theft of digital property is a Herculean effort, says Mantha, which is likely to fail on occasion.

Deploying advanced cyber threat technology to manage risk may not be the most advantageous way to make new investments. Phishing—simply defined as a way to steal private information using a digital tool like e-mail or text messages—remains the most-used trick to break into a company’s data holdings.3 Without first “mitigating risk around basic business functions,” says Mantha, and educating people about the do’s and don’ts when it comes to cyber, costly programs can still leave organizations open to vulnerabilities and give cyber attackers low-hanging fruit to plunder.

Even with vigilant employees, staying ahead of the curve on cyber threats necessitates a process for gathering intelligence. Mantha says, “Companies need to ask: How do we gain visibility across our environment and know what to look out for?” Three-fourths of Deloitte’s mid-market technology survey respondents said their company spends at least one percent of its dedicated technology budget on information security, with only 22 percent spending more than 5 percent.4 How much of those funds is dedicated to intelligence-gathering, in addition to monitoring and response, is less clear.


Ultimately, a strong cyber risk management program focuses on mitigating risk, not preventing it. Rather than trying to fortify a company’s entire digital ecosystem, a focus on protecting companies’ “crown jewels” of data and assets from cyber threats is far more likely to mitigate potential disaster. But while most companies generally have a good idea of what their most prized information is, they may not know where it lives. “They may not know where it is housed, or which people can potentially access or copy the data, even for completely benign reasons,” says Mantha.

Investing in educating individuals who take part in a company’s daily operations is important to protecting a company’s most prized assets. This education must extend to third-party vendors, who often have the same or similar access to valuable data as full-time employees. Integration among private companies and their vendors will only continue to increase, as will the risks associated with the transition to using third parties, when data and other assets can be at their most vulnerable to theft.5

Keeping up with regulations about data protection and consumer privacy can be complicated, but it’s an important piece of the cyber risk management program because such rules are constantly changing, and may differ by country or region. As business models change as a result of evolving data use and application, companies can find themselves being regulated in new ways. As an example, when a company in possession of consumer data decides to expand its operations beyond the United States, the company may then be subject to new consumer privacy laws, “which means their cybersecurity framework will very likely need to change,” says Mantha.

According to Deloitte’s annual mid-market technology survey, this exact situation is happening more and more: The proportion of revenue these companies generate outside the United States is expected to grow in the coming year, particularly among companies generating 26 percent to 40 percent of their revenues in international markets. An overwhelming majority–84 percent–said global trade is important to their company’s supply chain.6

Questions to consider

  • Do you know where your company’s most important data, information, and assets live within your digital operation?
  • Are your company’s third-party vendors part of your cyber risk employee education program?
  • Have you considered what the impact of a data breach could be for your company?
  • Do you have visibility into unauthorized activity that may be occurring in your digital environment?
  • Is your compliance operation up-to-date with data privacy regulations?



1 “Technology in the Mid-Market: Taking Ownership,” Deloitte, 2016.

2 Ibid.

3 Geoffrey A. Fowler, “Your biggest online security risk is you,” Wall Street Journal, February 27, 2017.

4 “Technology in the Mid-Market: Taking Ownership,” Deloitte, 2016.

5 “Extended Enterprise Risk Management Survey: Third Party Governance and Risk Management: Turning Risk into Opportunity,” Deloitte, 2016.

6 “Technology in the Mid-Market: Taking Ownership,” Deloitte, 2016.
