Massive cybersecurity breaches have become almost commonplace, regularly grabbing headlines that alarm consumers and leaders. But for all of the attention such incidents have attracted in recent years, many organisations worldwide still struggle to comprehend and manage emerging cyber risks in an increasingly complex digital society.
PwC launched its 2018 Global State of Information Security® Survey (GSISS), based on responses from more than 9,500 senior business and technology executives from 122 countries.
According to the survey, executives worldwide acknowledge the increasingly high stakes of cyber insecurity. Forty percent of survey respondents cite the disruption of operations as the biggest consequence of a cyberattack, 39% cite the compromise of sensitive data, 32% cite harm to product quality, and 22% cite harm to human life.
Yet despite this awareness, many companies at risk of cyberattacks remain unprepared to deal with them. Forty-four percent say they do not have an overall information security strategy. Forty-eight percent say they do not have an employee security awareness training programme, and 54% say they do not have an incident-response process.
Cyber interdependence drives global risk
Case studies of non-cyber disasters have shown that cascading events often begin with the loss of power, due to which many systems are impacted instantaneously or within one day, meaning there is generally precious little time to address the initial problem before it cascades. Many people worldwide (particularly in Japan, the United States, Germany, the United Kingdom and South Korea) are concerned about cyberattacks from other countries whilst the tools for conducting cyberattacks are proliferating worldwide. It's also worth noting that the leaking of US National Security Agency (NSA) hacking tools has made highly sophisticated capabilities available to malicious hackers.
In May 2017, G-7 leaders pledged to work together and with other partners to tackle cyberattacks and mitigate their impact on critical infrastructure and society. Two months later, G-20 leaders reiterated the need for cybersecurity and trust in digital technologies. The task ahead is huge, since rising threats to data integrity could undermine trusted systems and cause physical harm by damaging critical infrastructure.
Next steps for business leaders
So what can business leaders do to prepare effectively for cyberattacks? PwC recommends three key areas of focus:
Role of senior executives and boards of directors: Senior leaders must take ownership of building cyber resilience. Setting a top-down strategy to manage cyber and privacy risks across the enterprise is essential.
Resilience not merely to avoid risk: Achieving greater risk resilience is a pathway to stronger, long-term economic performance.
Purposefully collaborate and leverage lessons learned: Industry and government leaders must work across organisational, sectoral and national borders to identify, map, and test cyber-dependency and interconnectivity risks as well as surge resilience and risk-management.