New opportunities, new risks – data security as an ESG issue in a hybrid working world

Although 2020 may feel far behind us, its legacy of pandemic-fuelled growth across the technology and communications sector continues to have significant implications for cybersecurity management. At the beginning of 2020, the shift to remote working meant that almost overnight, the world was catapulted into relying on digital platforms for virtually all human interactions. Such a radical change in how people worked day to day presented a fresh landscape for cyber-criminals to attack.  As a result, cybersecurity has evolved into an ESG issue as part of both the 'social' and 'governance' pillars.

The shift to digital

Three years on from the start of the pandemic, virtual meetings and video conference calls are very much here to stay. In some cases they are slowly evolving into augmented reality meetings in the metaverse. However, greater connectivity comes at a cost to security. Businesses struggle to balance the demands for flexibility and ease of use from workers, alongside the expectations of customers, regulators, and governments in relation to data security. This struggle for balance is increasingly viewed as an ESG issue, going to the heart of the workforce engagement challenges faced by many organisations. 

A threat to match the opportunity

During the pandemic we saw a massive increase in cyberattacks with multiple sources reporting that the first six months of 2020 saw as many attempted attacks as the entirety of 2019.

Although the nature of threat actor activity shifts from month to month, ransomware attacks and cyber incidents are unquestionably on the rise. For most organisations, the 'new normal' involves a hybrid approach consisting of remote and on-premises working. In some ways, this creates greater reliance upon a broader range of technology solutions which in turn, can result in increased vulnerability. Four in ten businesses responding to the UK government’s 2021 Cyber Breach survey reported experiencing some form of  cyberattack in the last year.

Attacks can be indiscriminate, with ransomware perpetrators casting a wide net and scooping up victims with systems vulnerabilities wherever they may be. However, alongside this relatively impersonal form of digital assault, there is also a growth in social engineering and phishing attempts where credentials are obtained or compromised through trickery and human or AI-based interventions.

Remote workers are less likely to have a secure network connection and are less likely to spot phishing and social engineering attempts and with a lack of immediate IT support to hand, they are more likely to take security short-cuts that place their organisation at risk.

Cyber in the ESG framework

Data security needs to be considered as part of  both the 'social' and 'governance' pillars of ESG. The governance association is obvious - information security and compliance with data protection regulations is a key focus of good governance in any organisation. Fostering a culture of compliance has obvious benefits and it's not hard to persuade the C-suite of the impact this can have on the bottom line. In its 'Cost of a Data Breach' report in 2022, IBM confirmed that the average ransom payment is $812,360 with the actual total cost of the ransomware attack closer to $4.5 million on average.

Not only do organisations stand to face regulatory fines, but reputational damage can also be difficult and expensive to recover from. In some respects the lack of novelty around sophisticated cyberattacks is starting to reduce the severity of reputational damage for victims in the eyes of the wider public, but even though attacks are common, a robust approach to cybersecurity is still one of the first things that businesses look for when taking on new vendors. It is also a major consideration for investors, so falling victim to an attack can impact the bottom line for years

The social nature of data security may initially be less obvious, yet it is becoming a worldwide concern. Some argue this is driven largely by financial concerns being re-branded as 'social' or 'conscious' investing.  Any organisation looking to raise funds will be acutely aware that it is imperative to prove to investors that you take data protection seriously and implement robust processes and procedures to protect against a security incident. There are also serious ethical concerns around the handling of cyberattacks. Despite government and regulatory discouragement, large numbers of corporate ransomware victims do pay some or all of the ransom request. Aside from concerns around sanctions breaching, which have to be carefully considered, company directors need to consider the ethical dimension to funding criminal activity when paying a ransom. If it is  business critical, the board may consider it has no other choice, but the undesirability of the situation cannot be denied.

Investors certainly view data security as an ESG issue with it coming in as the second most important factor after competition issues. It's not only the investors who are at risk of losing out financially. IBM recently reported that 60% of security breaches result in price increases being passed on to customers and end users. Exposing customers to price increases at a time of global inflation is not a tick in the box for good social practice.

It is also important to remember that while data, and often personal data, is the lifeblood of many businesses, individuals' rights are at the heart of data protection laws.  Failure to safeguard the data of individuals, whether employees, customers or others, is both a governance matter with serious potential regulatory penalties, and a matter of considerable social concern. Consumers are increasingly wary of how their information is used. The Open Data Institute's survey reveals that 87% of respondents feel it is important that organisations not only keep their personal data safe but use it ethically. When thought of in this way, it's clear that data security is actually a social issue at its core and giving priority to data security and ethics in any ESG framework can result in strengthened relationships and public perception.

Incorporating data security into an ESG programme is an approach that corporations, customers, investors, employees and regulators support. ESG is a competitive differentiator and can create value by minimising regulatory intervention as well as positively impacting an organisation's financial performance in the market. Data privacy and security should therefore play a prominent role in any company’s ESG policies and if they do not, it will be no surprise if consumers and investors take their business and their funds elsewhere.