-
Privacy and Data Protection
Our digital risk team is made up of a combination of subject matter experts and technical specialists who can help your business comply with the GDPR.
-
Governance, Risk and Compliance (GRC)
While business goals and strategies evolve, our services support you wherever you are in your business cycle. The digital economy is simultaneously increasing the magnitude of new business opportunities while increasing the difficulty of getting it right.
-
ISO 27001 and ISO 27701
Grant Thornton’s ISO 27001 and ISO 27701 specialists will arrange and oversee the formal audit process.
-
SOC 1,2,3
As a service organization there are many ways to provide assurance to your customers and in turn other stakeholders over your control environment. One of the most effective and cost-efficient ways is to issue a Service Organization Control (SOC) Report.
-
Incident Response
Grant Thornton’s Cyber Incident Response Team can support your business in the event of a cyberattack or data loss event. We work alongside your existing IT and Legal teams to provide a co-ordinated, timely and efficient investigation and remediation.
-
Hacking Services
At Grant Thornton, our cyber security experts can develop a bespoke penetration testing plan to meet your business needs and unique IT environment. We can undertake the full suite of testing or conduct individual assessments, as required.
-
Cyber Health Check
Approximately 54% of organizations report that they have experienced at least one cyber-attack during the past year. Grant Thornton’s cyber health check provides you with an objective, jargon-free assessment of your current cyber security, drawing on both qualitative and quantitative elements.
-
Dark Web Threat Intelligence
We use a variety of dark and deep web monitoring tools that continuously scans illegal sites to discover any mention of your data, ranging from breached security credentials such as usernames and passwords to leaked confidential documents of your company.
-
Digital forensics and electronic discovery
We offer a full suite of digital forensics and data acquisition services in investigations related to cybercrime, disputes, fraud and regulatory investigations.
-
Insolvency
If you're facing a time of personal or corporate financial crisis you need advice from someone who listens, who understands your specific issues and deals with them in a supportive and sensitive manner.
-
Crisis stabilisation and turnaround
In periods of financial distress, management teams often face considerable challenges, with many directors having little or no experience of similar conditions.
-
Operational and financial restructuring
Companies challenged by underperformance often need support in identifying options for financial or operational restructuring. Tapping this type of advice helps them create a stable platform for business turnaround.
-
Accelerated M & A
Even fundamentally sound businesses run into difficulties. Cash flow can come under pressure from the loss of a big client, or a dip in performance can threaten a breach of banking covenants if there is insufficient headroom.
-
Indirect Tax
Our experienced VAT specialists are available to assist companies and entrepreneurs of all industries and sizes in meeting their obligations.
-
Direct Tax
We can help you ensure a bespoke balance between tax compliance and effective tax planning for your special circumstances.
-
Ημερίδα Γνωριμίας με την Grant Thornton Κύπρου
Σας προσκαλούμε σε μια μοναδική ευκαιρία να γνωρίσετε την Grant Thornton Κύπρου! Την Τρίτη, 5 Νοεμβρίου 2024, θα έχετε τη δυνατότητα να συναντήσετε την ομάδα μας, να ενημερωθείτε για επαγγελματικές ευκαιρίες και να εξερευνήσετε πιστοποιήσεις όπως ACCA.
-
Life at Grant Thornton
At Grant Thornton Cyprus, we are taking a holistic approach and reimagining the way we work, continually assessing it and making necessary changes to better support our people.
-
In the community
Unlocking the potential for growth in our local communities.
-
Diversity and inclusion
Diversity helps us meet the demands of a changing world. We value the fact that our people come from all walks of life and that this diversity of experience and perspective makes our organisation stronger as a result.
-
Global talent mobility
One of the biggest attractions of a career with Grant Thornton Cyprus is the opportunity to work on cross-border projects all over the world.
-
Learning and development
At Grant Thornton we believe learning and development opportunities allow you to perform at your best every day.
-
Our values
We are a values-driven organisation and we have more than 56,000 people in over 140 countries who are passionately committed to these values.
Digital risk: Technology is no silver bullet
25 Aug 2019Businesses have ploughed billions of dollars into technology that promises to keep cyber threats at bay. Gartner[1] claims that end-user spending for the information security market is estimated to grow at a CAGR of 8.5% between 2017 and 2022, reaching $170bn.
While technology undoubtedly plays a major role in combating digital threats, other areas have been neglected. Tellingly, mid-market business leaders surveyed in Grant Thornton’s International Business Report (IBR) say that over-reliance on software is their weakest point in managing cyber and privacy-related threats.
It’s encouraging that business leaders acknowledge this. But now they must act, by improving their employees’ awareness and specialist skills in cyber security.
This doesn’t necessarily mean spending more money. In many cases, companies will be able to taper technology spending as they strengthen and invest in their business acumen, processes and in-house skills.
Customer trust is built on more than technology
“It is essential that businesses understand that investing in technology alone is not the only answer to reducing digital risk, and it will not protect them from losing customer trust should the worst happen” says Mike Harris, partner, cyber security services, Grant Thornton Ireland. “A key starting point for companies is understanding the type of business they’re in, and the value they deliver to the customer”. Once this is understood, companies will have a clearer idea of the potential impact a breach would have on that relationship, and can better work out how to mitigate this, through a range of measures. Internal governance, processes and people are the other crucial ingredients here.
Take a casino chain as an example. Many casino customers are high-net-worth individuals, who take the security of their financial data – such as transaction history and payment information – extremely seriously. The casino can have the best technology systems in place to protect this data, but it is not enough in isolation. The company must have robust governance procedures, customer relationship managers and trust policies in place to complement the technology and to protect the company’s reputation in the event of a breach. In this example, the value the casino provides to its customer revolves around customer service, trust and entertainment – with technology acting simply as an enabler to make this happen. Therefore, the company’s approach to digital risk must mirror this – with robust trust procedures around in place, complemented by top-class technologies.
Boosting awareness of human risk management
Understanding that there is more to managing digital risk than relying on technology is just the first step. Companies must then take a number of non-tech measures to protect themselves.
New ways to raise awareness
Companies might be investing in sophisticated cyber security technology, but that won’t necessarily prevent the human error that’s behind many cyber breaches. After all, it’s the human workforce that responds to phishing emails and installs unauthorised software.
Managers can address this by increasing awareness of cyber security issues across the business. But how to do this effectively? Businesses have been running cyber security webinars and mandatory training programmes for many years, yet human error continues to open them up to cyber attack. A new form of education is necessary.
Christos Makedonas, technology risk leader at Grant Thornton Cyprus, says that shorter training formats would help. “No one has time to watch hour-long training videos,” he says. “They should be shortened to a maximum of two minutes. You also need visual reminders – such as banners around the office and messages on screens – to remind people of best practice.
“Businesses should then simulate phishing attempts, and the employees that respond to them can then be given further training. We’ve found these sorts of training programmes to be much more successful than conventional webinars.”
Identify vulnerabilities first, invest later
Businesses need to understand where they are vulnerable to cyber attacks and data-protection breaches before investing in preventive software. This requires specialised skills that most cyber security functions don’t have.
“Businesses need cyber security and privacy-related skillsets to help map out their data and understand their regulatory requirements – particularly in a cloud environment,” says Harris. “They also need cyber technology skills around the technologies they are using.
“For example, if you are using cloud services provided by Amazon or Azure, you need to have the security skills in house to work out what they will and will not do regarding cyber security. That skills component is often overlooked.”
Advanced analytical tech needs advanced analytical minds
Many businesses have invested heavily in advanced analytical cyber security technologies that help identify new threats and vulnerabilities. But these are only as good as the workforce that can interpret the results and implement corresponding changes.
“Lots of people look to technology as a silver bullet, but it isn’t,” says James Arthur, partner, head of cyber consulting, Grant Thornton. “Many companies spend a lot of money on AI-driven, behavioural analytics cyber security software, which can be really useful in some circumstances. However, you normally need to spend an awful lot of human time training it to ensure it delivers useful insights. Then, you need a human at the end of that chain who can look at the output and make/approve changes.”
Insure against the inevitable
“There are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”
These are the words of former FBI director Robert Mueller back in 2012.
His message is clear – and just as relevant today as it was seven years ago: a breach is inevitable. It makes a strong case for investing in insurance as another way to manage digital risk.
“Any reasonable cyber security programme has to have an element of detection, response and insurance, because cyber events will happen,” says Harris. “We see increased adoption of insurance that covers both cyber attacks and data privacy regulatory breaches. But while it’s imperative and its use is increasing, the majority of businesses still don’t have this type of insurance or aren’t protecting the right data assets.”
Understand your most valuable data assets and protect accordingly
Businesses should undertake a structured programme to assess and understand their data assets, using a categorisation and classification process. Then, they can identify their ‘crown jewels’ and invest in appropriate insurance cover.
But how do you do this? One way to identify your most critical data is to think like a hacker and then consider the maximum damage they could cause. “The current data security environment is consistently evolving with new threats and vulnerabilities,” says Harris. “Leaders have to be willing to step into the shoes of cyber criminals, understand the threats these groups pose and come up with proactive strategies to protect their business’ interests.”
Which email threads could a former employee leak to embarrass their former managers? What intellectual property and trade secrets would be of interest to a foreign power? And how might a cyber criminal use your data to try to extort money from your business? These are just some of the questions you need to ask before purchasing insurance as part of your digital risk management plan.
Five recommendations for balanced cyber risk management
- Companies must understand that the increasing amount of data that customers share with brands means that trust is more important than ever. It’s essential that businesses understand the necessity of trust management, and that digital risk policies and procedures go a long way to ensuring this.
- Traditional approaches to cyber training are not working. Businesses should develop shorter, more frequently distributed training videos and simulate phishing attempts to better educate their workforces.
- Businesses need to identify and map out their digital vulnerabilities. They need to recruit staff with specialised cyber skills that complement cyber security technical skills. This will ensure that their investment in preventive software is focused on the right areas.
- All businesses will suffer a cyber attack – no matter how much they invest in preventive software. Investing in insurance can bolster your risk management but it is crucial to insure your most valuable data assets and explore specific insurance that covers both cyber attacks and data-privacy breaches.
- Once insurance is secured, businesses must be vigilant about adhering to the terms and conditions. If they fail to install updates, it could nullify the insurance.
These recommendations must be implemented in the context of businesses’ specific digital risk environments. The first step for business leaders is to understand their specific vulnerabilities and threats. Only then can they implement the most relevant technologies, training initiatives and insurance coverage.
[1] Gartner Forecast for Information Security Worldwide, 2016-2022