‘If your business is down for a week due to a cyber attack or if the products or services you provide are not secure, it could cost you many clients and millions of euros. Trust is very important in business. So getting your cyber security right in your business and in your products and services is the same as proactively working on your brand reputation,’ argues Angeli Hoekstra, partner cyber security & privacy at PwC.
Cyber security threats to businesses are increasingly complex and widespread. More and more advanced techniques are being used. Hoekstra: ‘Ransomware attacks by criminals are becoming increasingly sophisticated and cunning. But you are also seeing more nation state attacks alongside ransomware, where countries are not only after intellectual property, for example, but also seeking to take down critical infrastructure. Another threat is related to new technologies, such as generative AI, with phishing attacks being taken to an even more advanced level, using deepfake techniques and automatic response, for example.’
According to Jeroen van Kessel, partner and technology expert at PwC, cyber criminals are taking an increasingly targeted approach. ‘For example, they look on LinkedIn to see if there have been job changes in a department. Then you have a better chance of someone falling for it than when blindly sending a phishing e-mail to employees. It is a very profitable business and there are highly professional ecosystems behind it. Criminals are acting in a very client-centric way, with an entire client department that helps the client (read: the hostage company) pay the ransomware amount, for example.’
Angeli Hoekstra, PwC. Photo: Nina Schollaardt
According to Van Kessel, awareness about effective cyber security has increased considerably in the boardroom in recent years. ‘That's evident from PwC's CEO Survey. This shows that it is seen as an important issue by directors. When asked “What keeps you awake at night?”, this topic comes up much more prominently than it did three or five years ago. So you can see that in recent years, managerial involvement is much greater. It has also become a real strategic issue for directors. More strategic these days than tactical. Not only as protection for your business, but also to project trust towards the market.’
‘Companies have different challenges regarding cyber security and therefore come to us with a variety of questions,’ says Hoekstra. ‘Such as: how should the cyber function be positioned in the business, how can we secure information, prevent a ransomware attack, manage a cyber crisis or ensure that clients and suppliers have secure access to systems? But also, how do we measure the impact of cyber risks and what control measures are needed to reduce this impact?’
‘They also have questions about regulation. You then draw up an overall framework for that purpose. However, complying with regulations, although a necessity, should not be the final goal. The main goal is to ensure that your clients can trust your products or services and that you can deliver them reliably. If you have sufficient security controls for this and manage cyber risks and impacts, you already largely meet the cyber security requirements demanded by specific regulations such as NIS2, CRA and DORA. The only thing you then generally need to add to this is to make sure you have an effective and rapid reporting function that can report to the authorities if you face a cyber attack.’
Jeroen van Kessel, PwC. Photo: Assendelft Fotografie
According to the two PwC experts, businesses need to look at cyber security differently. It is currently still seen as a cost item, but they think it should actually be seen more as an investment that can attract clients in the long run. Hoekstra: ‘Of course you have to consider the risks too, but businesses should see it more as an opportunity. As a business owner, if you have your cyber security in order, clients will come to you and not to your competitor. You create trust. If you are a supplier to another business and you don't control your cyber risks, it impacts your clients and your end clients too.’
‘You also have to look not only at your business processes, but also at the products you produce or services you provide. In doing so, you also need to get the cyber security in those products and services right. I won't buy a camera, for example, if its cyber security aspects are not properly arranged. I would fear that others would take advantage of that. This of course applies to all devices that have a technology component controlling them, such as medical devices, most components in planes and trains, traffic lights, cars and so on.’
In the field of cyber security, PwC works closely with various technology partners. ‘We have alliances with several technology businesses and know all parties. We select a technology that suits a particular client best. This is how we confirm our independent position,’ Van Kessel states.
‘But we also create security solutions, such as applications to provide insight into risks and improve security. We subsequently implement them at businesses. We have the competences in-house to improve security in all types of environments,’ Hoekstra adds.
This article has also appeared on deondernemer.nl.