As industry 4.0 becomes a reality, businesses in the manufacturing, logistics and supply chain sectors are increasingly shifting to 5G enabled environments in response to pressure on price, scalability and efficiency.
As these shifts take hold, digital natives may have the advantage over larger companies when it comes to cybersecurity.
Due to their disparate and international nature, many of the traditional organisations in these sectors will be plagued by legacy systems leaving them vulnerable to cyberattacks. This is especially true if they have recently been involved in M&A activity. But digital-first companies are in a position to implement state-of-the-art security systems and procedures from the outset.
Post GDPR, security-related complaints and data breach announcements have significantly increased and, as regulators prepare to increase their efforts, they will be inclined to concentrate the implementation of their enforcement on the areas where they can make the most impact. This includes calling out some high-profile corporates. Following on from the ICO's notice that it intends to fine British Airways and Marriott International, it is expected that the next 12 months will result in further significant fines as regulators complete their investigations into some high-profile recent attacks.
Getting cybersecurity right requires a combination of “appropriate technical and organisational measures”. This is the standard adopted by the GDPR (and a similar standard is used in the NIS Directive). There is no established definition of what this means from a technological point of view, but in practice it means having all the technical security defences in place that would be expected of the company in question. If a data breach occurs and security improvements are made after the event, regulators will ask whether those improvements should have been made before the incident.
Cybersecurity is a fast-changing environment but having up to date hardware and software in place is crucial. This includes applying multi-factor authentication across the business to limit the risk of phishing attacks. If the IT team is gradually working through a long list of “patches”, they need to ask themselves how many of them pose a serious risk and whether they need to scale up resource to get through the list quicker.
From an organisational perspective, larger companies are often more set in their ways, and changing systems can be hampered by red tape and bureaucracy, which makes it harder to implement a culture of compliance. Creating paper, including glossy incident response plans, is not enough; companies need to have the key information, including who to call, at their fingertips and they need to practice their crisis drills around different scenarios, making sure that roles and responsibilities are understood as their people come and go.
Smaller, nimble players, who are more likely to be disruptive, are also likely to have a more tech-savvy workforce and be unburdened by complex flow diagrams and playbooks. They can quickly get the right people around the table to deal with issues as they arise.
In relation to both technical and organisational measures, both need to come under scrutiny during transformation projects. This includes digital transformation projects, reorganisations and M&A projects. It is obviously better to think about this in advance than treat it as a paper and compliance exercise that needs to follow the event to keep the board happy.
By Ashley Hurst, Partner and Head of Technology, Media and Communications at Osborne Clarke LLP