In September 2023, Kettering-based KNP Logistics went into administration resulting in the loss of 730 jobs. Management laid the blame significantly on a cyber attack that crippled vital processes and systems, and exposed sensitive financial information. In October Last week, The Insolvency Service reported 1,967 company closures, a 17% increase in the number of company insolvencies in England and Wales compared to September 2022. The number of company failures reported by the services can vary substantially from month to month, but there is a clear upward and ongoing trend since the last Covid lockdown.
The blame for corporate failure is rarely due exclusively to poor cyber security. Cyber attacks and the increasing prevalence of ransomware attack in particular, may interrupt day-to-day business or damage your brand, but daily operations typically continue after a period of examination, explanation, and expense. Administration or insolvency is more usually down to poor, or out of date, product and service offerings, poor strategic decisions, failure to adapt to disruptive competitors or changing consumer expectations, or the combination of various factors.
As a change and technology consultancy, we naturally believe that incorporating appropriate and up-to-date technology applications into your business model helps address many of the threatening factors already alluded to. We see our clients developing better and more desirable products, improving revenue and sales through improved customer insights and making more informed decisions thanks to their technology choices. Not all companies deem technology as critical as we do, to making those improvements. But if you are managing a company with any meaningful digital capability, your IT security is critical and, as the KNP example indicates, ignoring it can prove fatal.
A Growing Need for Ever-Better IT Security
Cyber attacks are one of the most serious and frequent threats that UK companies face in today’s digital world. In the UK, the Department for Science, Innovation & Technology’s Cyber Security Breaches Survey reported that 32% of businesses suffered a cyber security breach or attack in 2022 and the proportion is even higher, at around 60%, for medium and large businesses surveyed. According to the PwC report Cyber Security Outlook 2023, “catastrophic cyber attack” was identified as the top risk scenario for 48% of UK senior executives. The report also revealed that most UK companies anticipated an increase in attacks against cloud management interfaces, industrial internet of things (IIoT), ransomware and compromised business email in 2023. That growing risk has manifested as well-documented cyber attacks against well-known corporate names like Royal Mail, Capita, The Guardian and JD Sports, as well as the unfortunate KNP Logistics. Growing numbers of organisations in the public sector, such as police forces, National Health Trusts and even the Electoral Commission, have likewise experienced high levels of cyber attacks. Yet around two-thirds of senior executives responding to the PwC survey say they have not fully mitigated the cyber risks associated with digital transformation.
Our own client work tells us that, although not the largest part of companies’ IT budgets, security spend is one of the fastest growing areas of that budget. And along with that, is the growing scarcity and cost of employing the best talent to provide that security. We hope the risk is obvious. The solution is for UK companies to align their cyber security strategy with their business strategy and objectives, and invest in cyber security solutions that can prevent, detect, and respond to cyber attacks.
How can I protect my business and reduce the risk of cyber threat?
Cyber attacks can compromise the data and operations of any business and, if you already have any form of digital capability, are a serious threat to your business. It’s essential to adopt proactive measures to protect your business and to mitigate the potential consequences of any successful attack. Here’s a non-exhaustive list of practices you should consider to reduce the risk and impact of cyber threat:
Implement a robust cyber security strategy. That needs to cover the identification, protection, detection, response, and recovery of your business’s assets and systems from cyber threats. It should be aligned with the company’s objectives, risks, and resources, and it also needs to be regularly reviewed and updated.
Invest in cyber security solutions. The right technology choices and accompanying practices can prevent, detect, and promptly respond to cyber attacks. Incorporate firewalls, antivirus software, encryption tools, backup systems, tailored to your company’s specific needs and vulnerabilities. Maintain and update frequently.
Educate and train employees. Be aware of, and address, your human capital security weaknesses, and those of other relevant stakeholders too. Educate and train all parties on cyber security best practices, such as the use of strong passwords, identifying and avoiding phishing emails, and reporting suspicious activities. The education and training should be ongoing and interactive. Remember, it may seem obvious to certain experienced employees, but for the unaware and untrained, this can prove a considerable threat to your businesses.
Establish a cyber incident response plan. That should define the roles and responsibilities of your company’s teams and partners in case of a cyber attack. The plan should include the procedures and protocols for reporting, containing, analysing, resolving, and learning from any cyber incident.
Collaborate with other businesses and organisations. Sharing your information and relevant security experience on cyber threats and solutions with other likeminded businesses in the same industry, or sharing similar supply chains, can help the business to learn from best practices, benchmark your own performance, and enhance your cyber resilience.
So what are the next steps? Don’t leave it too late!
You also don’t need to do it alone. And unless you are a business fortunate enough to have sufficient scale and talent to continuously attend to IT security issues, you probably shouldn’t. Panamoure has worked extensively with clients operating across a wide variety of sectors to assess, recommend and implement improved security protection. We’ve actually worked with dedicated IT security specialists to improve their own operational IT infrastructure too. In our experience, it can be highly beneficial to consider both elements at the same time. That’s not always necessary, desirable or affordable, but if a major ERP or CRM implementation is part of the work, then a thorough assessment and upgrade of accompanying security usually makes sense. The consequences of neglecting the security element of your wider business operations could be highly damaging and permanent.
Our advice? Look at the threat landscape holistically and create intelligent solutions to implement controls that provide a 360 approach to protecting your business. Rather than simply considering the possibility of a one-time threat, adopt an evolutionary approach, proactively and periodically reviewing your company’s IT security capability.
Some companies are of the opinion that protecting that data does not apply to them. For some, the emphasis remains on growing sales has been the priority, to re-engage with former and attract new customers. Others are more appreciative of the potential consequences of not comprehensively protecting their customers’ data and yet feel too overwhelmed to consider even where to start. Those that do start are frequently unsure of what good IT security looks like. In spite of all the writing put out by big consultancies, there is still not enough practical and affordable advice on the first steps.
Panamoure frequently encounters this reluctance to address data security but it would be a mistake to exclude this essential element from any IT review or strategic optimisation. While the greater risk for larger companies might be financial, reputational or both, for many mid-sized companies and particularly for smaller companies the risk may be more existential.
If your business is experiencing any of the security challenges described here, or you find your attempts to digitally transform are not progressing as well you hoped they might, then please do get in contact. Panamoure is sector-agnostic, as well as technology-agnostic and we would welcome the opportunity to share some of our insights from working with clients that have experienced just such challenges, and benefitted from our technology experience and practical advice.
