EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.
Recent Searches
A few years ago, it was ransomware. Today it’s social engineering. The methods of attack may change, but the principles used to identify and manage cyber risks to your organisation should not. That’s the lesson many consumer-facing businesses are yet to learn.
Beer or broadband, the risk plays out differently
Consumer-facing companies span everything from fast-moving consumer goods with tight margins and shelf-life pressures to highly regulated telcos. The impact of a breach in these companies varies: it’s unlikely people will stop drinking their favourite beverage because the manufacturer was hacked. But a single breach in a telco can erode brand trust for years.
Despite their differences, all consumer-facing businesses face the same challenge, where Cyber is a top risk.
The 2025 EY Global Cybersecurity Leadership Insights Study, which surveyed more than 550 executives worldwide, showed that nearly two-thirds (63%) of consumer and retail CISOs say it’s hard to articulate their value beyond risk protection. This makes it even harder to win leadership focus and budget.
AI hype meets hygiene reality
Many organisations are running headlong into AI, racing to roll out use cases without thinking through the cyber implications.
The data from the EY study bears this out: 67% of consumer and retail CISOs say they’re either not consulted, or consulted too late, when urgent strategic decisions are being made. By then, the risks are already baked in.
That’s why many consumer businesses are still wrestling with basics like identity controls and data classification, long before they’re ready for AI.
From cost centre to value creator
Good cyber practice is like travel insurance. Nobody wants to think about it until something goes wrong. But by then, it’s too late.
When cyber is treated as an afterthought, it’s only ever seen as a cost. But embedded from the start, it becomes central to new value creation.
The numbers back this up: cybersecurity typically contributes 11%–20% of the value in major consumer and retail initiatives.
Leaders who embed cyber across the business – those we call ‘Secure Creators’ – are more likely to improve customer experience (74% vs. 35% of their peers) and enhance brand perception (84% vs. 75%). They are also more likely to support AI implementation (68% v 45%).
In other words, cyber doesn’t just keep your business safe. It helps you move faster, earn more trust and get more value out of the very initiatives that drive growth.
Same principles, greater value
Whilst attack methods will keep changing, cyber risk management principles don’t: continuously identify risks in partnership with your business, design the right controls up front, monitor their efficacy and manage as the landscape shifts.
What does change is the upside. The EY study shows 73% of Secure Creators expect their ability to add enterprise value to grow. This is precisely because they know how to articulate that value to their business leaders, even as new threats emerge.
This is the second in a five-part series, Cyber at the speed of machines. If you missed it, check out my colleague Richard Bergman’s overview on why business must rethink its defences. And keep an eye out for the third instalment on the energy and resources sector with Clement Soh.
The views expressed in this article are the views of the author, not Ernst & Young. This article provides general information, does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Liability limited by a scheme approved under Professional Standards Legislation.