17 May 2017 - For immediate release


The WannaCry globally-coordinated ransomware attack on 12 May 2017 puts the spotlight on the need for a change in organisations’ thinking about Cybersecurity;

The severity, nature and extent of cyber threats are so great that they can only really be addressed at Board level. Executive boards need to immerse themselves in the cyber issue and allocate sufficient resources to identify and ensure the effective management of cyber risks: a Board’s accountability includes the way organisations protect, detect, respond and recover;

Boards have to lift their organisations to the appropriate level of cyber resilience: this means going above and beyond employee behavioural change programmes and IT departments’ technical measures.


Brussels, 17 May 2017 – Last Friday’s attack originated in poorly protected workstations, showing that training employees is necessary but no longer sufficient. Cyber threats are more potent than most executive Boards recognise. Companies do invest in security technology - but discover all too soon that the technology is being persistently undermined by different attack methods.

Traditional information security methods are no longer enough to keep cybercriminals at bay. The severity, nature and extent of the threat have become so great that it should be addressed at executive Board level: here a strategic cyber threat model can be agreed – one that is based on a defence doctrine that takes the traditional ‘protect’ model one step further.

Danny Solomon is head of Cybersecurity Consulting at BDO Israel’s Cybersecurity Centre. He says: “Information security is proving to be a static concept in the way it is being implemented, even as preventative security. The persistent perimeter approach commonly adopted shows the delusion that has plagued security concepts since the building of the Maginot Line. Industry needs to move from securing concepts to defending concepts. Defence is a more dynamic concept because it incorporates the assumption that we have to detect and respond to an attack in real time, and we require various options with which to respond, depending on the objectives and methods of the attacker. Cyber defence assumes that technical measures will detect threats and repel attacks. This must be based on relevant threat intelligence, the preparation and testing of response measures and be maintained as part of a developed detection-response doctrine.”

Ophir Zilbiger, Partner at BDO Israel’s Cybersecurity Centre, adds: “In a secure environment, executive Boards allocate resources and provide management with the tools to identify cyber risks and apply appropriate mitigation. Cyber-responsible Boards do not just check policy but also oversee and verify the implementation of cybersecurity measures to ensure their effectiveness.” At BDO, our global cyber security leadership group offers several proprietary models for supporting organisations in developing and improving their resilience posture. From establishing compliance and building a proactive approach, through the ongoing development of capabilities and effective security risk management, we work with our clients to quickly attain higher levels of maturity and resilience.

Shahryar Shaghaghi (USA), Head of International BDO Cybersecurity: “Ransomware presents a growing threat to every industry, but healthcare organisations are particularly vulnerable. Their digital transformation came late, and the simple reality is that many IT systems weren’t installed with cybersecurity in mind. Because many hospitals rely on end-of-life technology and may prioritise immediate data access over data security, cybercriminals have found their systems relatively easy to penetrate. Hospitals also don’t have the luxury of time: a ransomware infection that blocks access to critical medical data endangers patients’ health. In a scenario where patients’ lives are at stake, the only feasible option, paying the ransom or not, is an extremely tough dilemma.”


Note to editors

Service provision within the international BDO network of independent member firms (‘the BDO network’) is coordinated by Brussels Worldwide Services BVBA, a limited liability company incorporated in Belgium.

Each of BDO International Limited (the governing entity of the BDO network), Brussels Worldwide Services BVBA and the member firms is a separate legal entity and has no liability for another such entity’s acts or omissions. Nothing in the arrangements or rules of the BDO network shall constitute or imply an agency relationship or a partnership between BDO International Limited, Brussels Worldwide Services BVBA and/or the member firms of the BDO network. BDO is the brand name for the BDO network and for each of the BDO member firms.

The fee income of the member firms in the BDO network, including the members of their exclusive alliances, was US$ 7.6 billion in 2016. These public accounting, tax and advisory firms provide professional services in 158 countries, with 67,700 people working out of 1,400 offices worldwide.

