Home / Fighting the Common Enemy: Addressing the Real-World Risks of Cyber Security

Fighting the Common Enemy: Addressing the Real-World Risks of Cyber Security

By Louise Chaplin. Published on 7 August 2017

The cyber-threat to UK business is “significant and growing”, according to a new report from the UK’s National Cyber Security Centre (NCSC) and National Crime Agency (NCA).  Indeed, it’s not just business at risk but almost every element of our lives, finances, homes and identities are under threat.  This will increase exponentially the more devices, homes and vehicles are interconnected in the drive to increasing automation and the Internet of Things.

Eton Bridge Partners’ Board Practice recently hosted a dinner for CEOs and Chairs with guest speaker Stuart Clarke, Chief Technology Officer – Cyber Security at Nuix.  Stuart shared his experiences from a career as a forensic digital investigator and now CTO working to help clients understand, prepare for and protect against an almost inevitable eventuality of a cyber breach.

Stuart Clarke, Chief Technology Officer – Cyber Security, Nuix

With the cost to business frequently not just a financial loss, but also the loss of reputation, clients and focus, Stuart’s evidence was clear that data and system protection starts with some surprisingly simple disciplines. Perhaps most simple of all, is the importance of educating, including and engaging your workforce, with human behaviour being the single biggest risk to a business’s cyber and data security.

Any Board needs to look at the risks to their organisation and digital security is increasingly on the priority list. Yet it cannot simply be seen as the preserve of the technical teams – something to throw money at by purchasing a piece of software or system that will make the business impenetrable from external hackers – not least because technical teams often operate in silos, understanding the immediate threat but not always aligned with the business strategy. In addition, there is currently no single system that can provide absolute protection and larger businesses frequently piece together a patchwork of incompatible products that add complexity, cost and create a perception of safety which is unfounded.

Cyber risk, as with any business change, can be addressed from three angles; process, people and technology and the threat must be treated holistically, both in preventive and reactive mode.

Right from the outset, a business needs to minimise and then organise the amount of data it needs to protect. Less data can be more efficiently protected. Better organised data can be assessed and grouped according to value and sensitivity so that a hierarchy for protection can be embedded and appropriate security can be provided.

Simple? Clearly not so, with this basic idea frequently shunned by businesses for whom it is seen as a time consuming and ‘painful’ exercise to take those difficult decisions.

The formulation of a robust cyber security strategy rests on high quality data and analysis begins with the following three key steps:

1 – Understand what data you have and remove data that is either residual, obsolete or trivial (ROT).

2 – Herd the remaining data into groups based on its value and level of sensitivity.

3 – Apply security to the groups of data appropriate to the data of the group.

Next; People. The most common reason for cyber breach and the hardest to control. How many times have you, or your colleagues taken data home on a memory stick or emailed it to your Gmail account? How many times have passwords been shared or sensitive data accidentally passed on? What about downloads or web surfing? It happens all the time and the more controls that are put in place limiting behaviour, the more the issue grows with staff finding ways around the controls.

Major cyber initiatives are a change management function. Education and understanding is key and this is not a one-off, tick the box exercise but a constant, business wide effort to ensure employees, suppliers and clients who have access to internal systems and data realise the impact of their actions. In turn, including a deep analysis of how your employees and stakeholders use data, access systems and the freedoms they need to do their job will be a significant foundation for success rather than blanket controls and blockages.

If the worst happens

In case of a breach, a cyber-ready business must have virtual teams with representatives from legal, PR/marketing, IT, insurers and importantly direction and backing of the leadership team. It is a Board room challenge and a swift, highly informed and well executed response is absolutely essential. The impact of getting this wrong was very evident in the Yahoo breach, where the share price plummeted in the midst of an acquisition, generating exceptional loss of value and business risk instantly.

Basic measures such as those described above will help to limit any potential cyber threat, and ensures any relevant investment is targeted and aligned with the overall business strategy. This enables the business to back up key data, mitigate the impact of ransomware like WannaCry and takes us towards General Data Protection Regulation (GDPR) compliance.

GDPR comes into effect 25 May 2018 and the penalty for non-compliance can be up to 4% of global revenue, which, if a cyber breach has already claimed reputational and business damages, would potentially be a business changing event.

Cyber security is a risk no business can ignore, with serious penalties for data non-compliance, and will feature again in the next few months with a wider panel discussion and a further Eton Bridge Partners dinner in September.

If you would like to register for further updates please email: boardpractice@etonbridgepartners.com


Louise Chaplin, Partner & Head of Board Practice

Edward Fanshawe, Associate Partner – Board Practice

Louise Franklin, Head of Research & Executive Search – Board Practice

Emily Perry, Researcher – Executive Search – Board Practice

Louise Chaplin


Specialising in executive search within board level positions, Louise’s unique combination of expertise and experience enables her to work closely with both clients and candidates at a senior level to ensure the best possible outcomes.