Data-addicted business playing risky game with cybersecurity
The sugar hit of accumulating data may be proving so addictive to business that they are putting aside the creeping liability that comes with high volumes of storage.
New data from Pitcher Partners’ Business Radar report highlights the conflict facing mid-market businesses as they examine their risk profile against data breaches and cyber-attacks.
On one hand, more than half of respondents recognise that how they are capturing and storing customer data is increasingly a liability for their business.
But 68% also conceded that the benefits and insights drawn from collating vast amounts of data sources outweigh the security risks.
Adam Irwin, Partner at Pitcher Partners Sydney, said the conflicting messages from the survey responses indicated a tone of overconfidence among mid-market businesses that may stem from a belief that a cyber-attack was unlikely to affect their business.
“Data is a highly valuable commodity in today’s business landscape, where everyone is striving to deliver an ever more personalised service to clients and customers,” Adam said.
“But data is also prized by threat actors and cyber criminals, and if the worst was to occur, many organisations would not be able to explain to regulators why they needed to hold that data or demonstrate that it was securely stored.
“If there is a concern that people will break into your house, you don’t keep highly valuable items that don’t need to be there. There is no doubt that holding large volumes of data, particularly that they don’t need, is risky.”
The survey showed little consensus about who within a business was actually accountable for cybersecurity.
60% of respondents believed their organisation had a strong cybersecurity culture, with security ingrained in every aspect of the workplace. But only 31% said executive leadership bore some responsibility, while directors were nominated by just 16%.
The IT team was named by 54% of respondents as having some level of responsibility, but a high number of businesses nominated outsourcing IT services as a way of removing risk – 45% across all respondents, which rose to 59% among more confident businesses.
“Ultimately, if a breach happens it is your business’s reputation on the line and your bottom line will be impacted by any disruption to your business operations, remediation cost or defence of legal challenges,” Adam said.
The Radar data shows 48% of businesses were very concerned about cyber-attacks, and more than 80% have allocated budget and spent time devising a cybersecurity strategy. But almost half believe that their business isn’t an attractive target for a cyber-attack, and 16% per cent say they are not at all concerned.
“According to a report by the Office of the Australian Information Commissioner, Notifiable Data Breaches are on the rise, up 26% in the six months to December 2022, and 88% of them involved contact and identity information,” Adam said.
“Every business holds that sort of information and smaller organisations are often less well protected and therefore easier targets, as well as a way to access the bigger businesses they supply.
“Yet there is still a prevailing feeling among many businesses that a cyber-attack or data breach will not happen to them, that attacks are focused on the big end of town.
“Mid-market businesses may feel bullish that larger organisations are more attractive for cyber criminals after recent high profile cyber incidents, but the reality is much different.
“Even if they are not direct targets, they may be exposed through phishing strategies that net third parties who handle their data.”
Adam said his experience with clients indicated that businesses are not always aware about how their data was stored or where it was being shared, as well as the security of supply chain partners and third parties.
“Businesses are often fixated on protecting the data within their own four walls, and don’t give sufficient consideration to data that is collected by other parties they work with,” Adam said.
“Supply chains may be the weak link that leaves an organisation exposed.”
You can access our Business Radar report here.