Are you in the 1%?

Protecting critical assets to build trust.

Thought Leadership: Cyber Security

Introduction
We are in an era where cloud-based networks, enabling remote access and the frictionless exchange of data, information and digital services, are fundamental to the digital economy, but they bring with them increasing threats.
Unfortunately, no matter how good your security, data that can be remotely accessed is vulnerable whatever arrangements are in place, whilst threats to networks are diversifying and proliferating at speed and scale.
Good cyber hygiene and effective cyber security practices can neutralise the impact of most attacks. The reality is that hygiene is hard, and so a level of risk acceptance is required to operate in the digital world; determining whether you are a target and identifying and protecting your critical assets and information is a fundamental part of managing that risk. Honesty with customers, clients and users is essential to build trust, as are both assurance and accountability.
An open and connected world

Success in the digital and services economy requires speed, innovation, customer experience and delivery – both for clients and employees. Both hybrid working (a must for many employees) and the global marketplace require data, services and infrastructure to be constantly accessible, information easily shareable, and services easily transferable. Organisations will be cloud based and internet facing – this is unlikely to change – and this has driven innovation, collaboration and transformation at an unprecedented rate. Moreover, as with many services, organisations often outsource the security of their data and systems to third-party providers (payroll, HR, accounting, project management tools) – especially for Software-as-a-Service products. This has brought opportunity and efficiencies but brings risk.

The threat environment

The cyber threat environment continues to diversify and proliferate. The Russian, Chinese, Israeli and western (UK, US, France etc.) states remain the most capable threat actors in the cyber environment. Alongside Russia and China, both of whom have a proven track record of using state capabilities for commercial espionage and intellectual property theft in addition to strategic operations, sit North Korea, Iran and similar states. Beneath these are state-backed or state-directed actors, such as those organised crime groups in Russia which are supported or protected by the state (such as EvilCorp, REvil, Cozy/Fancy Bear etc.), which have less finesse but significant capability against networks and remotely hosted data and operations.

Of concern is the growing “cyber mercenary” market, which is proliferating high-end capability to other actors. Sat in this space are the independent vulnerability research and exploit chain development houses, most of whom are legitimate bug bounty hunters, but some of whom are tempted to sell on to other threat actors (noting that in most countries, developing and selling an exploit chain is not a crime, only deploying it). The activist space is also improving its capabilities; entities such as the International Consortium of Investigative Journalists or Bellingcat harness impressive digital forensic, research and data acquisition techniques (including the purchase of stolen or leaked data).

But the most prolific actors remain those organised crime groups, sat beyond or outside law enforcement control or backing, which lack major resources, but are capable of building and deploying malware at scale. In 2023, the global cost of cybercrime was estimated to reach £8.4 trillion annually, with organised crime groups responsible for a significant proportion of these incidents.

These actors can deploy a range of well-known and well-researched capabilities against networks and individual devices. These range from denial-of-service and brute-force attacks, exploitation of misconfigured hardware, software or infrastructure and of poor policies and procedures, to social engineering and careful exploitation of known vulnerabilities. At the top end are zero-day, zero-click exploit chains (those requiring no user interaction) against which there is no defence. Taking advantage of as yet undiscovered vulnerabilities, these chains allow the most capable and well-resourced actors to compromise internet-facing devices and networks. And this is without considering the insider threat, or the unknown, and possibly transformative, effect which Large Language Models, Generative Adversarial Networks and AI more broadly will almost certainly bring.

The good news

The future is certainly not all bleak. As noted by the 2023 Microsoft Digital Defence Report, good cyber hygiene, including correctly configured networks, access control and multi-factor authentication, along with training, culture and awareness, will deter, disrupt or defeat 99% of attacks.

The UK government’s Cyber Security Breaches Survey 2023 also found that organisations that regularly update their software and enforce strong password policies see a 60% reduction in the likelihood of experiencing a cyber breach. This accounts for all but the highest-end threat actors: those equipped with zero-click chains, state-level infrastructure or backing, or an inside edge.

The overwhelming majority of criminal compromises are opportunistic and stem from poor practice or incorrect configuration, and these can be defeated. And while it is true that most organisations are not equipped to defend against the highest-end threats, nuanced strategies can mitigate the risk, such as layered defences, IPS/IDS, SOC/SIEM, robust threat intelligence, and collaboration with industry peers and government agencies (e.g. NCSC or JCSC).

The challenging news

Unfortunately, protecting against the highest end threats is resource intensive from a capital, people and time perspective.

It almost certainly requires high friction security practices which limit or prevent the flow of data, services and information. It can require layers of security from multiple providers.

This can be impractical if implemented wholesale and is often unaffordable. This is particularly pertinent as organisations, seeking expertise, understandably choose to outsource a variety of business functions to lower costs, create efficiencies and, in some cases, transfer risk.

Understanding and accepting the risks, and indeed benefits, of using third party providers at scale is a core part of meeting an organisation’s cyber security challenges.

Are you in the 1%?

For some organisations, particularly those in the banking and finance world (albeit the lessons are universally applicable), there are few alternatives: cyber regulatory and compliance frameworks dictate technical standards which must be met and audited. But for many organisations, the key question becomes: are you in the 1%? Is your organisation likely to be a target of a high-end actor? Do you need advanced protection and more rigorous security procedures?

Threat analysis and critical pathway analysis are useful in determining:

  • Is your organisation likely to be a target for a high-end actor?
  • What would critically damage your organisation if it were stolen, destroyed or disrupted by a cyber incident?

This could include intellectual property (software, hardware, research, trade secrets); client lists (particularly for clients where privacy and anonymity are valued); personal and commercial data for clients who are under threat; and commercially advantageous information.

Accepting the risk

Risk acceptance and tolerance is key. Putting in place the right policies, training and procedures, as well as correctly configured, assured and audited systems deals with 99% of the risk. Moreover, appropriate business continuity planning, including remote backups, enables organisations to cope with mistakes.

Identifying your critical assets, whether IP, data or hardware, and accepting the need for high-friction security in some instances will be core. By accepting some risk and limiting what needs high-friction security, organisations can remain agile, flexible, global and responsive. Organisations must also be honest with their customers, clients or users about the levels of protection afforded. Transparency about what is secure, what risks are being accepted, what assurance has taken place, and where accountability lies will build trust and social equity, which can be spent if the situation changes, or if your cyber defences are targeted and compromised. Ultimately, if you want to be agile, connected and responsive, you will be placing your organisation and data at risk.

The alternative to accepting and managing this risk is to shut down all data links to the outside world and that, ultimately, is not an option. At BDO, we advocate for the importance of a comprehensive risk management framework, including risk identification, assessment, mitigation and continuous monitoring. We can help with our Cyber Maturity Assessment (CMA) offering.

Managing the risk

At BDO Jersey, we offer an extensive range of cyber security services, with world-class expertise, tailored to meet the unique and ever-changing organisational needs of Channel Islands and offshore businesses.

Our specialist team utilises leading tools and methodologies to pinpoint vulnerabilities, safeguard your assets, and empower your organisation to respond effectively to security incidents.

Our skilled team can advise on how to efficiently improve your cyber security posture by focusing on what matters.

Our Advisory services encompass a range of tailored solutions, from high-level assessments to in-depth evaluations of security configurations. You can trust us to deliver the robust protection you need to navigate the cyber landscape with confidence and resilience, even in the face of ever-evolving threats.

Read more about our Cyber Security Services

Contact us today to find out how we can help you manage your risks.

Allam Zia

Head of Management Consulting