Cyber vulnerability scorecard

Understand your organisation's cyber vulnerability and identify the steps needed to strengthen it.
Developed in collaboration with Prof. Mark Button and Dr. Victoria Wang of the Institute of Criminal Justice Studies at the University of Portsmouth.

The scorecard includes 23 self-assessment questions about your organisation's:

  • attractiveness to cybercriminals
  • potential damage in the event of a cyber breach
  • strength / weakness of cyber security and resilience.

Your Scorecard results are provided in a downloadable PDF report.

Scorecard summary (values are filled in once all four steps are complete; "-" marks an empty cell):

                                                             Actual Total   Possible Total   Score
Attractiveness to cyber criminals                                 -               -            -
The damage which would be caused                                  -               -            -
RISK SUB-TOTAL                                                    -               -            -
Cyber security and resilience                                     -               -            -
Overall cybercrime and data protection vulnerability rating       -               -            -

Attractiveness to cyber criminals

1. How much personal information (personal identity, address related or financial data) does your organisation store or process?

Such data might include that concerning employees, pensioners, donors, members of an organisation, bank account holders, home owners or the holders of a variety of vital personal documentation. Wherever personal data is held, the organisation concerned is attractive to cybercriminals.

2. How much sensitive information is controlled/handled by your organisation?

Such data might include information which is confidential because it relates to health, origins, or privacy. There are several other reasons: it might be confidential for reasons of security; it might portray an individual in a light which would damage their public image; it might be the subject of legal proceedings; it might, if revealed, have a negative financial impact. Information which an individual or organisation does not want made public can be used as the basis for blackmail.

3. How much high value Intellectual Property or other sensitive commercial information is controlled/handled by your organisation?

Such data might include information which is valuable because it concerns innovation or unique record sets or complex formulae or the latest developments.

4. How contentious are issues your organisation, or your clients, are involved in?

An organisation might, by virtue of its operations, its stated views or its political associations, become attractive to "hacktivists". It might also become attractive because it symbolises a particular part of society.

5. To what extent could your organisation provide access to information about other organisations?

Organisations that provide services to other organisations often have access to their systems, databases, and sensitive and confidential information. This could include, for example, law firms, accountancy firms and IT outsourcing companies. It is easier to attack one organisation which is a route to several others than to attack them one by one.

6. To what extent is your organisation known externally for having weak or strong cybercrime defences?

An organisation which is publicly perceived to have weak cybercrime defences might be attractive because it is seen as a soft or easy target - one where the risks are low but the potential gains are high. Perversely, an organisation which is publicly perceived to have secure cybercrime defences might also be attractive because it could be seen as a challenge where cybercriminals could test their expertise.

The damage which would be caused

7. How well-known is your organisation’s brand or public profile?

An organisation’s public profile/brand may be well-known with the general public, within specific sectors, and/or within specific sub-sectors or local geographic areas.

8. How positive is your organisation’s brand profile?

Brands may be well-known for good reasons, such as a reputation for quality work, or for bad reasons, such as a reputation for facilitating tax evasion. Organisations with a well-known brand and a positive public profile will have more to lose than organisations with a well-known and negative public profile.

9. How vulnerable are your organisation’s income sources to an adverse cyber incident?

How quickly could your organisation's income sources be impacted by an adverse cyber incident? For example, could your customers quickly and easily switch to one of your competitors? Income sources secured for the medium term are likely to be less vulnerable to adverse cyber incidents.

10. To what extent could data stored/processed by your organisation be used to cause wider damage to others?

Personal, financial, legal and commercial data could, if stolen, be used for a variety of criminal purposes. For example, personal and/or financial information can be used to commit fraud, legal information can be used for blackmail/extortion, and commercial information can be used to obtain an unfair competitive advantage.

11. To what extent does the public/your clients expect that your organisation is cyber secure?

Organisations are often expected, by virtue of their function, to be highly cyber secure. For example, donors may reasonably expect that charities ensure personal information is stored securely. Commercial organisations are typically expected by customers to ensure contractual information remains confidential. Investors expect that valuable intellectual property is stored securely.

12. Does your organisation provide data or technology services?

Does your organisation sell, or have a wider responsibility for, data or technology services? If so, a cyber breach could be particularly damaging reputationally.

13. How significant could immediate financial damage from a cyber breach be?

Some organisations may incur immediate financial damage due to, for example, lost revenue, payments for damages to clients, or reduced donations.

Cyber security and resilience

14. Has your organisation mapped its data and where it is, and completed a strategic review of its online presence in the last 3 years?

This would include considering and planning the extent of your online presence (rather than just allowing it to grow); the number, type and ownership of the specific devices which are connected; the distribution of its assets (i.e. where data and systems are located, so that cybercriminals cannot succeed by attacking a single location); and the type of data collected.

15. To what extent is your organisation prepared for the latest data protection requirements?

Organisations that control and/or process personal information are commonly subject to data protection requirements. Organisations that fail to meet such requirements may be subject to fines for data breaches.

16. Has your organisation undertaken penetration testing in the last 2 years?

Penetration testing, also known as ‘ethical hacking’, enables cyber security systems and processes to be tested. Independent, specialist and accredited penetration testers can test whether your cyber security is keeping pace with evolving cyber threats.

17. How frequently does your organisation securely back up all its data in multiple secure locations off-site?

Regular data back-up is a key component of cyber resilience, providing the ultimate backstop in the event of a significant adverse cyber incident. Back-ups should be held securely, in multiple locations, and be ring-fenced from organisational networks.

18. How strong is your organisation’s cybercrime awareness?

Cybercrime awareness includes the extent to which staff understand their role in protecting the organisation from cybercrime and adverse cyber incidents. It also includes the extent to which insider vulnerabilities have been assessed, appropriate access permissions and controls have been implemented, and whether prospective staff are vetted.

19. How well developed are your organisation’s plans to manage the crisis that an adverse cyber incident would represent?

An adverse cyber incident can have significant disruptive impacts on an organisation, consuming time and energy at the expense of usual operational activity. Good practice is to have a crisis plan in place that covers how the crisis will be managed in the immediate and subsequent phases, by whom, and how normal operational activity will be maintained.

20. How well established are your organisation’s arrangements to investigate an adverse cyber incident?

The initial stages of an adverse cyber incident are critically important. Organisations should have an agreed procedure to ensure resources are available to respond quickly and expertly and to establish the extent of an incident, its origins, its likely/potential impacts, and how the situation can be recovered. Arrangements with external providers should be in place in advance of an incident.

21. How well prepared are your organisation’s arrangements to manage the public relations implications of an adverse cyber incident?

The immediate impacts of an adverse cyber incident may be financial, but over the longer term the reputational impacts can be much more significant. Organisations should have a communications plan to ensure all stakeholders receive the communications they need when they need them. The plan should cover the immediate and subsequent phases after an adverse cyber incident to quickly and expertly manage, mitigate and recover from any reputational damage. Arrangements with external providers should be in place in advance of an incident.

22. How well prepared are your organisation’s arrangements to mitigate the potential legal and regulatory implications of an adverse cyber incident?

Breaches of personal information may need to be reported to the relevant data protection competent authority. Organisations should have an agreed resource on call to quickly and expertly understand whether a breach has occurred, whether a regulator should be informed, and to mitigate the legal and regulatory response.

23. Does your organisation have insurances in place that adequately cover the financial costs of a major cyber breach?

A major cyber breach can be expensive and disrupt normal business operations. Cyber-specific insurance can cover losses related to mitigating a breach, recovering to business as usual, and potentially fines levied by regulatory agencies.

Users’ data given in this form, and any further information given via personal contact, are used in strictest confidence. We are scrupulous both about the data we process and our users’ privacy and control over their personal data. If you have any questions about this statement, please contact jim.gee@crowe.co.uk