Rise of the digital-savvy director

A host of high-profile data breaches in recent times have raised the importance of having an infrastructure in place to understand and mitigate the risks. However, the organisations that will really thrive in the future are those led by directors who understand the wider opportunities of the new digital world – as well as the risks…

the recent attack by cyber criminals on foreign exchange giant Travelex, which led to the business turning off all its digital systems and returning to pen-and-paper transactions, served as a stark warning to financial businesses that the threat of data breaches looms large – and in many forms.

Travelex is by no means the only organisation to fall victim to the hackers. A data breach at UK phone network TalkTalk in 2015 resulted in personal information including bank details and other data being stolen from more than 150,000 customers in a hacking attack estimated to have cost the company almost £80m. 

In the years since, the list of companies that have been targeted by hackers reads like a who’s who of international firms: last year, British Airways was fined £183m for a 2018 breach that exposed 500,000 customers’ data; and Fortnite, WhatsApp and Capital One were targeted in 2019. 

Given the threat, it is little surprise that regulators seek to punish companies that drop the ball – the BA fine was a record – but in many cases it is the cost of fixing the damage that hits firms the hardest. TalkTalk’s fine was £400,000, the total fallout cost them £77m.

“It’s not just about the fine, it’s about reputation – and putting things right,” says Mel Pardoe, Data Protection Officer at BDO in Jersey. “What cost [TalkTalk] a fortune was the mediation. They had to bring in a whole IT team, they had to get a PR team in to do damage limitation. And they will never really recover – a lot of people aren’t going to think about TalkTalk without thinking about that breach.” 

GDPR impact

With the onset of the EU’s General Data Protection Regulation (GDPR), data protection in the UK has emerged front and centre, and the need for companies to take it seriously has been enshrined in legislation. Under UK and Channel Islands law, Pardoe explains, data protection officers are now required to report directly to the highest level of management within a company. 

“The reason they’ve done that is just to raise the profile and raise the priority of data protection, because there’s no point having a data protection officer who doesn’t have access to the board,” says Pardoe. “You also can’t sack them for doing their job. They have to have a sufficient level of expertise and they have to have sufficient resource.”

Such regulations have been a boon to professionals such as Pardoe, who remembers a time when data protection had been – at best – an afterthought. In the past, she recalls, boards had often slotted accountants into the DPO role, or seen data protection duties handed off to a head of administration within a firm rather than its own specific area.  

“I think it was seen in the past as definitely not being the priority and definitely not having the ear of the board. You might have to go through several layers,” she says. 

But while huge data breaches have brought data protection to the forefront in terms of public attention and media coverage, there is still an element of “that would never happen to us”, says Richard Field, Dispute Resolution Partner at Appleby in Guernsey.

“They look to these big names and think: ‘Well, we are a tiny little trust company.’ But it doesn’t really matter: it goes all the way from nation states getting up to no good, to a staff member who sends out an address list to the wrong group of people,” he says.

Indeed, while major data breaches are being talked about at board level in the islands’ small and large firms, that may not yet have translated into an understanding of the risks. A company’s threat level, Field says, is typically always amber to red. 

If nobody is trying to steal from you, the only explanation is that you have nothing to steal. “The threats are evolving every week,” says Field. 

For Ed Shorrock, Director, and Malin Nilsson, MD, at Jersey firm Duff & Phelps, it is paramount that an appreciation of the need for digital transformation is shared by all members of the board. It isn’t as easy as simply hiring a millennial or investing in cyber security software (although these are both good ideas), it is about making sure that everyone in the upper echelons is on the same page. 

“All of these [data security issues] have to be lived and breathed by all members of the board. They have to be embedded in all of them,” says Nilsson. 

Many of the companies that the pair work with are involved in financial services, and financial services businesses still tend to be highly reliant on paper. Even when they manage to get the paper off their desks and into online systems, there is little idea of how to manage it, Shorrock says. 

Many banks, financial services houses and law firms are decades old, and have a technological infrastructure that has been built piecemeal, in some cases over generations. Only the newest firms are able to start from scratch, integrating cutting edge tech in the very fibre of the company. “A lot of the large banks are still operating on a patchwork of systems,” he says. 

Systems to simplify

Meanwhile, new technology is emerging every week in the financial services space that promises to overhaul and simplify business. This ranges from software that allows clients to upload documents rather than sending them by post, to programmes that allow banks and trust companies to have real-time data on their clients, a factor that could automate some – but by no means all – aspects of due diligence. 

“It is the use of technology throughout the business, and not just at the front end, which is what data transformation actually means,” says Nilsson. 

Chris Clark, Chief Executive Officer at Prosperity 24/7, says a warning sign for him when he is debating whether to work with a client on a digital transformation project is how willing the board is not only to be involved but to evangelise it within the wider company.

“It tends to be their investment in time that’s the giveaway,” he says. “It’s whether those in the executive team are making the head space for themselves and are working to put themselves forward.”

However, it isn’t all about the board. The businesses that are doing best in the new digital era are the ones that are investing in their workforce. It’s no good having the most up-to-date tech in the business, says Clark, if your staff are not trained to use it. And tech can help a firm give their employees back their greatest – and usually most scarce – asset: time. 

“People are massively overworked, massively overstretched. Stress levels are through the roof. People need to have time to do their jobs properly. Simple automation can save time. If we can give people back 30 minutes of their day, they will get more enjoyment out of it.”

It is an argument Clark feels he has to make often to assuage fears that an increase in use of tech in a company leads to a corresponding lack of headcount. Of all the projects he has been involved with over the past three years, he says, not one has led to job losses. In fact, in one case, a firm recruited 100 new staff when it brought a previously outsourced technology function in house, he recalls. 

Clark says the message that technology doesn’t necessarily mean job losses should come from the board – a further reason for board engagement. 

Recruitment boost

Being technologically savvy is also the best way to ensure firms recruit the best people. Today’s generation has a new set of work expectations, such as flexible working and the ability to work from home. That requires technological solutions, particularly where firms handle sensitive information. 

“It can be as basic as making it attractive for people to want to come and work for the company, working remotely and with flexibility around hours. That’s only possible if you have the right tech in place,” says Pardoe. 

Despite the increased focus on security, a new tech-savvy generation, and the ubiquity of tech in our lives, it is a source of frustration across the industry that boards so often revert to type when the going gets tough. In financial services in particular, says Shorrock, “it’s often a case of: ‘Can I see it? Can I feel it?’ That’s what happens at the board level”.

Despite all the changes, across the industry, there remains the feeling that all but a few boards are still not taking the issue of technology seriously. “It is frustrating as hell. You still get people who don’t accept it,” says Clark.

However, there are signs that the tide is turning, albeit slowly. “People are realising that if they are not leveraging technology, their business will die,” he adds.

And the same goes for data protection, says Pardoe, with boards now realising that rather than being the exclusive domain of the tech-heads in the IT department or a DPO, it is the role of the entire company to make sure they do not become the next TalkTalk or Capital One. 

“Data protection can’t exist in a silo,” she says. “I can’t think of many things a board is involved with that wouldn’t involve an element of data protection. If you think of it as something separate, that’s quite dangerous – and that’s where mistakes can happen. It needs to underpin everything.”