The Strategic Risk of Cybercrime: Prevention Deserves the Highest Priority

As featured in IT Pro Portal, Information Age, Data IQ Online, and Network Security By Co-Founder, and Commercial Director, Matthew Eddolls  The threat of cybercrime continues to evolve and grow as criminals adapt to new security measures and exploit changes in our online behavior. The only constant is our vulnerability: whatever new steps are taken,…

Lucy Montague Avatar
Lucy Montague
blurry city lights

By Co-Founder, and Commercial Director, Matthew Eddolls 

The threat of cybercrime continues to evolve and grow as criminals adapt to new security measures and exploit changes in our online behavior. The only constant is our vulnerability: whatever new steps are taken, by companies or individuals, the criminals always seem to stay one step ahead.

This isn’t an even contest. Hacking and online fraud are difficult to combat because so much of it originates from multiple overseas jurisdictions.

  • In 2015, 25% of large firms and around 15% of smaller businesses reported network penetration by unauthorized outsiders. Additionally, 90% of large firms experienced a security breach of some sort, with a median number of breaches at 14. These figures only represent detected incidents; the true numbers of IT Risk are likely far higher.
  • Many companies are turning to cyber insurance to mitigate risks, but defining liability in a breach is often complicated, making coverage uncertain. Moreover, insurance does little to curb the growth of cybercrime; it merely shifts the financial burden.

Challenges of regulation and technology

The EU’s General Data Protection Regulation (GDPR) places responsibility for protecting personal data on businesses of all sizes, including hosted service providers. While it increases breach notifications and imposes larger fines on guilty parties, it is unlikely to reduce cybercrime significantly. Instead, heightened enforcement might drive criminals toward softer targets.

Emerging technologies such as advanced encryption, two-factor authentication, and password managers can improve defenses against current threats. However, as these technologies become widespread, cybercriminals often pivot to exploit new vulnerabilities, repeating familiar patterns. To stay ahead of these criminals, businesses must rethink their strategies.

Business leaders must take the lead

Cybercrime poses a significant threat to all organizations, regardless of size or type. Unfortunately, many businesses are underprepared:

  • Only 37% of companies have a cyber incident response plan, according to PwC’s Global Economic Crime Survey.
  • Fewer than 50% of board members have ever requested information about their organization’s cyber readiness.
  • As of 2015, 32% of organizations had never conducted a security risk assessment.

This lack of awareness and governance exposes businesses to significant risk. Technology is integral to nearly all business operations, and the interconnected nature of these systems makes sensitive data and intellectual property accessible to cybercriminals. A single breach can result in replicated and widely distributed data, with long-term consequences that may threaten business viability.

A strategic approach to cybersecurity

Cybercrime is a serious strategic risk, and prevention and mitigation deserve the highest priority. Unfortunately, many business leaders mistakenly view cybersecurity as an IT issue rather than a company-wide responsibility. This reflects a fundamental misunderstanding of the threat, which is closely tied to user behavior.

Effective risk management for cybersecurity should follow the same principles as managing any other strategic threat:

  1. Understand vulnerabilities: Identify what makes your organization an attractive target and pinpoint key vulnerabilities.
  2. Assign responsibility: Break down tasks and assign them to the right individuals, ensuring senior-level visibility.
  3. Monitor and audit: Continuously test and audit all measures to ensure their effectiveness.

Ultimately, businesses must embed cybersecurity into all their processes. While this won’t stop cyberattacks, it can minimize losses and improve resilience.

Learn more about our security platform

The changing landscape of cybercrime

Cybercrime has become hugely profitable for organized criminals, spurring constant innovation and change in attack methods. One recent trend is the rise of sophisticated malware toolkits that require minimal technical expertise. Criminal masterminds can license these tools to others in exchange for a share of the proceeds.

With hacked personal data readily available in online marketplaces, cybercriminals have proliferated. The borderless nature of the internet allows perpetrators to focus on the easiest, most lucrative targets, often overwhelming crime-fighting agencies.

Want to transform cyber resilience into strategic advantage?

Read our value-based grc guide

Frequently Asked Questions (FAQs)

1. Why is cybercrime a strategic risk for businesses?

Cybercrime poses a significant threat to sensitive data, intellectual property, and business viability. Breaches can result in financial losses, reputational damage, and regulatory penalties, making cybersecurity a critical aspect of risk management.

2. What role do business leaders play in cybersecurity?

Business leaders must recognize that cybersecurity is not solely an IT issue but a company-wide responsibility. They should ensure that risk management processes are in place, assign clear responsibilities, and regularly monitor and audit defenses.

3. What are the key steps to managing cybersecurity risks?

Key steps include identifying vulnerabilities, assigning responsibilities, monitoring actions, auditing defenses, and embedding cybersecurity into all business processes.

4. What makes organizations attractive targets for cybercriminals?

Factors such as valuable data, weak security measures, and untrained employees make organizations attractive targets. Cybercriminals prioritize ease of access and potential financial rewards.

5. Can cyber insurance fully mitigate the risks of a breach?

Cyber insurance can help offset financial losses but does not address the root causes of cybercrime or reduce its occurrence. Liability and coverage disputes can also complicate claims.

By addressing these questions, organizations can better understand the evolving risks and take proactive steps to protect themselves from cybercrime.

About Matt Eddolls

Matt is a co-founder and Commercial Director at CoreStream GRC. With 15 years of experience in risk system implementations at Deloitte and Accenture, Matt brings a strong background in guiding institutions through large-scale risk transformation programs. Since co-founding CoreStream GRC in 2004, he is driven by his commitment to ensuring projects stay on budget and deliver real business value. Outside of work, Matt enjoys photography, racing on the track, and spending time with his wife and daughter.

Connect with Matt on LinkedIn here.

  • What CoreStream GRC is watching at the HCCA 2026: compliance trends to be aware of

    What CoreStream GRC is watching at the HCCA 2026: compliance trends to be aware of

    The 30th Annual Compliance Institute is coming to Orlando April 27-30, 2026, with a virtual option April 28-30.   This is where healthcare compliance teams go to pressure-test what “good” looks like in practice. When enforcement risk is real, audits are relentless, privacy and security expectations keep shifting, and the business still has to move.  What is the Health Care Compliance Association (HCCA)?  HCCA is a US nonprofit that supports healthcare compliance…

  • Designing your dream GRC home part 3: security and access

    Designing your dream GRC home part 3: security and access

    By Head of Client Solution Design, Lionel Matsuya In the first two articles of this series, I explored 2 foundational aspects of Governance, Risk & Compliance (GRC) solution design: understanding organizational needs and stakeholder expectations, and designing effective connectivity between risk, control and assurance functions.  In this 3rd blog, I focus on security and access: not in the narrow sense of cyber or technical controls, but as a core…

  • From compliance to confidence: a practical guide to a proactive always on data privacy program

    From compliance to confidence: a practical guide to a proactive always on data privacy program

    Most large organizations say they have privacy covered. And on paper, they do. In practice, privacy often lives as disconnected work: documents, templates, and one-off reviews that prove something happened once, not a system that controls what happens next. That gap matters because privacy risk is created by change. A new analytics use case. A…