Embarking on a digital transformation journey is rarely without cyber risk
Publish Date: 2026-05-17 23:51:00
Source Domain: www.thetimes.com
Cyber threats are always a concern for organisations that depend on technology for their services or processes. Adding a business or digital transformation into the mix can increase the risks, particularly when cybersecurity is not prioritised, integrated and managed from the very beginning.
The biggest risk, says Len McAuliffe, partner, cybersecurity, privacy and forensics at PwC Ireland, is that transformation increases complexity faster than organisations increase control.
“Businesses are moving data, processes and customer services across cloud, digital and connected environments at speed,” he says.
“That creates more dependencies, more access points and more opportunities for things to go wrong.
“A lot of the exposure sits around identity, third parties, legacy technology and weak visibility across the estate,” he adds.
“If an organisation cannot see clearly what it has, who has access to it and where its critical dependencies sit, it becomes much harder to defend. That is why cyber risk rises so quickly during transformation. The technology changes, the operating model changes and the attack surface changes with it.”
Contributing to the problem, says Brian Honan, founder of BH Consulting, is the fact that businesses often don’t see cyber risk as being a business risk, particularly when a digital transformation is involved.
“They see it as being an IT/digital risk without realising that a cyberattack or reliance on digital technology is a major business risk in the event that anything goes wrong.”
And things can go spectacularly wrong. Recent high-profile examples include a cyberattack on Marks & Spencer in 2025 that disrupted supply chains and resulted in the retailer’s online shopping being suspended for seven weeks, with its click and collect service down for even longer. The estimated cost to the business was £300m in lost sales.
Elsewhere, an attack on Jaguar Land Rover at the end of August 2025 led to production being shut down at all plants for six weeks. The incident is estimated to have cost the carmaker in the region of £200m with a £1.9bn financial impact on the wider UK economy.
“The risk many companies now face, because they rely on technology, is that any outage to that technology — be it accidental or deliberate — could have a significant impact on the business,” Honan says.
“This comes back to it being a business risk and not just a technology risk. Can your business survive if all your IT systems are down for a day, a week, or a month?”
McAuliffe says there have been many high-profile incidents where organisations have suffered serious disruption after moving quickly to new platforms, expanding digital services or becoming more dependent on interconnected suppliers.
“The details differ, but the underlying pattern is familiar. Access has been widened, legacy and modern systems have been tied together, external dependencies have grown, and the security controls have not kept pace.
“That is how businesses end up dealing with ransomware, data breaches and prolonged outages. In some cases, the weakness has been poor identity controls. In others it has been an unpatched system, an exposed cloud environment or a supplier with too much access and too little oversight.
“What these incidents show is that transformation can concentrate cyber risk quickly if it is not managed with discipline from the outset.”
A good cybersecurity programme is one that is grounded in the business, he says.
“It starts with a clear understanding of what the organisation is most dependent on, where the biggest risks sit and what level of disruption it can absorb.”
Honan agrees.
“You can’t protect everything. The key thing is to focus on the systems and services that are most important. If those are being provided to you by third party vendors, cloud providers or other external providers, ensure that you’ve assessed the cyber risk in that supply chain.”
Translating understanding into action means strong identity and access management, disciplined patching and vulnerability management, protection of important data, effective monitoring, tested response plans and proper oversight of suppliers.
“It also means leadership engagement,” McAuliffe says.
“The organisations that handle cyber risk best are the ones where it is treated as a business issue, with operational and strategic consequences, not just as a matter for the IT/security teams.”
Integrating security from the start rather than as a bolt-on is also vital.
“Too often we see clients who have implemented major digital changes that have been successful and beneficial to the business, but left cybersecurity as an afterthought,” Honan says.
“Then, if any issues happen, whether uncovered by their own team or through a cyber breach, they realise that significant investment is required to remedy it.”
The early design decisions in any transformation programme determine how secure and resilient the result will be, says McAuliffe.
“If security is treated as something to be added later, organisations often build in weaknesses that are expensive and disruptive to fix once systems are live.
“Embedding security at the beginning leads to better decisions on architecture, access, data protection, supplier management and compliance. It also reduces the likelihood of delays, rework and avoidable risk further down the line. More importantly, it helps ensure that transformation delivers value without undermining trust in the business.”
It’s also worth bearing in mind that, in many cases, assessing risk and integrating robust cybersecurity measures are a legal requirement.
“If you’re bringing a new digital process or project into your business and if it processes personal data, you are legally required under the EU General Data Protection Regulation to do a data protection impact assessment at the start to ensure you’re not infringing on the privacy and other rights of individuals, and that you’ve built privacy and security in by design and by default,” Honan says.
Other EU cybersecurity regulations include the NIS2 Directive, the Cyber Resilience Act and the Digital Operational Resilience Act, which target specific risk areas and sectors.
“There’s a lot happening in the field which means that companies need to take cybersecurity very seriously as part of their digitisation projects,” Honan concludes.