Cyber Risk & Response

Staying safe in the digital era

Managing your cyber risk and response

The pace of technology growth we have experienced in even the last decade has been staggering. This has created a whole host of new opportunities and improvements to our home and work lives - but has also raised some new threats which didn't exist or weren't as prevalent in the past. Did you think 20 years ago you were going to have your computer data held to ransom by an unknown attacker?

Your cyber risk profile in this new digital era can be very costly - financially, operationally, and reputationally - if left to its own devices. Taking control of this risk means understanding it and setting your risk appetite - which risks can you live with, and which can't you?


"Cyber security continues to be a top worry for boards and business owners. Facing up to the risk and putting appropriate, proportionate defences in place is a must for businesses of all shapes and sizes."

Steven Billinghurst, Advisory Director, PwC Isle of Man

Potential challenges

I'm not sure what is on the line or where the risks are

Knowledge is power. Understanding the cyber risks you may face, and which are the most likely for you, is the first step in taking control of the risks and mitigating them effectively. We would never use a cannon to kill a fly, and it's important to take the same approach to cyber threats. You need to know what you are facing before you can start responding, otherwise time and resources are likely to be wasted.

I'm not sure where I should be focusing my attention

Think before you act. You may know what you are facing, but now you need to determine what you need to do about it. How well do you need to protect non-critical data from a 1 in a million chance of loss? Taking a proportionate response involves understanding your risk tolerance, assessing all the options, and then striking the right balance between risk and investment.

I'm not sure what direction to take

Fail to plan, plan to fail. Before jumping into action, you need to understand what it is you are trying to achieve. Is your vision one of no breaches? Or is it "no breaches that affect customers"? Setting the vision and strategy at the start is one of the most fundamental steps to take, but often one that doesn't happen. By putting the right structure and framework in place, your cyber plan is far more likely to succeed.

I'm not sure what we'll do when an incident happens

Forewarned is forearmed. If the worst happens, would you prefer to calmly work through your pre-prepared incident plan, or try to work it all out off the cuff? Bear in mind your email might not be working, your website might be down, and your phone may be ringing with customers, insurers and lawyers all wanting to know what's happened and what you're doing about it; your staff may be banging on the door; and that's just what might happen before 9am. Taking part in wargaming and scenario rehearsal will help you to work out what works well, what doesn't, and how to deal with a real crisis when it inevitably happens.

How can we help?

Our Cyber Risk & Response team can support you by:

  • Developing your Cyber Risk Governance Plan
  • Defining your non-technical, risk-based Cyber Framework
  • Defining and implementing Cyber Policies, Standards and Processes
  • Developing your Crisis Management plan, your incident playbook, and wargaming
  • Understanding, defining and mapping your management of Third Party Cyber risk
  • Performing Cyber Risk assessments (for example, in accordance with the NIST Cybersecurity Framework)

Global State of Information Security® Survey 2018 (GSISS)

This year’s survey findings are based on responses of more than 9,500 senior business and technology executives from 122 countries.

The report finds that while massive cybersecurity breaches have become almost commonplace, many organisations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society. The report puts forward some key steps business leaders can take to get prepared.

Key findings include:

  • Forty percent of survey respondents cite the disruption of operations as the biggest consequence of a cyberattack, followed by the compromise of sensitive data (39%), harm to product quality (32%), and harm to human life (22%).
  • Forty-four percent say they do not have an overall information security strategy.
  • Forty-eight percent do not have an employee security awareness training programme, and 54% don’t have an incident-response process.
  • When cyberattacks occur, most victimised companies say they cannot clearly identify the culprits. Only 39% of survey respondents say they are very confident in their attribution capabilities.

Contact us

Nick Halsall

Partner, Advisory Leader, PwC Isle of Man

Tel: +44 (0) 1624 689680