Five cyber security issues that private businesses should address now

As the owner of a private business, what’s your immediate reaction when the subject of cyber security comes up? Recent research indicates you may well feel a sense of unease: in PwC Global CEO Survey 2021, almost half – 47% – of respondents from privately-owned businesses rated cyberattacks as the top threat to their organisation’s growth. But are private businesses right to be worried? And if so, what should they do about it?

The reality is that the cyber threats facing private businesses are no different from any other type of organisation. Cyber criminals are essentially opportunistic and will look to attack wherever they see vulnerabilities. However, private businesses have some distinctive characteristics that create specific cyber security risks and which need to be addressed.

These are the 5 areas that we believe private businesses should address now to make themselves more cyber secure.

1. Educate family members on the importance of online security

Your teenagers will roll their eyes but it’s important to remember that in a family business, all of the family are the faces of the company. Apart from reputational damage and personal safety, unguarded use of social media can create many risks. If you’re the principal in the family business, you’re probably fairly careful with your online activities. But what about the rest of the family? For example, do you know what photos your children are posting on social media? What locations, properties or people are showing in the background? Are location services enabled that show exactly where the photo was taken? Educating family members about acceptable use of social media may help mitigate some of these risks.

2. Make cyber security an embedded part of the business culture 

Private business owners often feel (erroneously) that they’re not big enough to be attractive targets. This mindset can lead to an unwillingness to spend money on cyber security until a threat actually materialises. However cyber attackers don’t generally chase specific targets but focus on opportunities to gain entry.

Rather than being an afterthought, cyber security needs to be baked in at all levels of the business – owners, executives, employees – through regular awareness training and practical guidance. Security is everyone’s responsibility, and everyone has to be alert to the risks. This applies to members of the owner’s family too.

3. Implement a mobile device management tool

According to Statista1 over 6 billion people globally have a mobile phone. The problem is that many people use the same handset and apps for their personal and work activities. So if a device is compromised or lost it can impact the business’ data and systems and possibly offer attackers an access point. The solution is to implement a Mobile Device Management (MDM) tool on everyone’s handset that segregates the work and personal data, ensuring it’s properly managed, protected and backed up.

4. Control access to all company data: both virtual and physical

Data is the lifeblood of any business and the main target for cyber attacks. As a minimum, make sure that your company is applying tools like multi-factor authentication, strong passwords that are updated regularly and the latest security patches.

In smaller companies it can be common practice for people to share passwords and accounts, because it makes things easier. Don’t do this: if an incident occurs, it makes it much harder to tell who was involved or responsible.

It’s not just a company’s front-line data but also any backups that are exposed to the internet. So you should not only back up your important or sensitive data, but also ensure the backup is segregated from access via the internet so attackers can’t reach it.

Finally, don’t forget the physical aspects too: many cybercriminals still rely on getting someone into the office to breach systems, so it’s vital to have proper physical access controls and logs. It’s equally important to perform due diligence on anyone who has remote access to the systems, such as suppliers or contractors.

5. Have a plan – and know who you’re going to call

If a cyber incident does occur, it’s imperative to have a plan already in place for what to do. While most private businesses have IT support, they often lack the forensic information security skills they’ll need once a breach occurs.

You should determine in advance what steps you’ll take and which cyber security expert you’ll call to investigate and help. One option to consider is taking out cyber insurance: as well as potentially covering costs like systems remediation and business interruption, insurers will often have lists of approved experts.

1Number of smartphone users from 2016 to 2021,, accessed on 8/9/21.

A world of blurring risks

The overall message? Today, digital and physical security are becoming indivisible and everything we do online has consequences in the real world. From critical business systems to social events, virtually every aspect of work and life is exposed to the all-seeing gaze of the internet – and thereby to cybercriminals. And when they come knocking, private businesses need to be ready.

Contact us

John Boles

John Boles

Principal, Cybersecurity and Privacy, PwC United States