A PwC report shows which cybersecurity worries concern business leaders the most.
Cybersecurity breaches flooded the headlines in 2017, with enterprises of all shapes and sizes falling victim to various nefarious entities and individuals out to exploit poor security infrastructure.
Although major security breaches have become almost commonplace, many organisations are still struggling to manage emerging cybersecurity risks in a society in the midst of digital transformation.
On 18 October 2017, PwC launched its 2018 Global State of Information Security Survey (GSISS), based on responses from more than 9,500 senior business and technology executives from 122 countries around the globe, including Ireland.
40pc of survey respondents said that disruption of operations is the biggest consequence of a cyberattack, while 39pc cited the compromise of sensitive data, 32pc said harm to product quality and 22pc said harm to human life.
Better strategies are needed
Despite the awareness of the risks, companies are simply not prepared to deal with them. 44pc of those surveyed said they don’t have an information security strategy, with 48pc saying they don’t have an employee security awareness programme. More than half of the respondents (54pc) said that they do not have an incident response process in place for their business.
Pat Moran, cyber leader at PwC Ireland, discussed the report and noted the international trends that affect Irish businesses in particular. “Despite cyber risk now being a significant threat to Irish businesses, organisations are still failing to get the message, and are very slow to invest in the appropriate security measures.”
He continued, explaining that most organisations “are ignoring areas such as cyber awareness and global standards, and focusing their limited resources in technology and infrastructure”.
Collaboration is key
Moran explained that technology and cloud solutions certainly have their place, but “having people aware of the latest threats, and being prepared to respond when incidents occur, is key”.
Ireland – and indeed Europe at large – is lagging behind in terms of formal collaboration with others in the industry to reduce the potential for future risks.
“While just over half (58pc) say they work with other companies globally, the European percentage is lower.
“Throughout the survey, we see a growing trend in the US where industries are collaborating with each other on the latest attacks, incidents and trends.”
He continued: “However, Europe still has a long way to go to establish these communities to share intelligence and form a united frontier to fight cybercrime.”
The report recommends a collaborative approach across organisational, sectoral and national borders to identify, map and test cyber-dependency and interconnectivity risks as well as boost resilience and risk management.
Regulation is a major driver
A key catalyst in security strategy development in Europe is regulation, particularly in relation to personal data. Moran said: “Both Ireland and Europe have been very late to start their compliance programmes with the two major regulations in these areas, General Data Protection Regulation (GDPR) and Network Information Systems Directive (NISD).
“These regulations become effective from May 2018, which now means a lot of work for Irish organisations to get through between now and then.”
Moran also explained that top-level executives need to ensure that cybersecurity is a “regular part of their agenda, that they review their cyber strategy frequently and ensure that all key parts, including people and process, get their fair share of the budget”.
The report noted that many of the recent cyberattacks show there is often very little time to address an initial problem or vulnerability before it cascades. “Interdependencies between critical and non-critical networks often go unnoticed until trouble strikes,” warned Moran.
Meanwhile, there is a wide disparity in cybersecurity preparedness among countries around the world.
In the 2018 GSISS, the frequency of organisations possessing an overall cybersecurity strategy is particularly high in Malaysia (74pc) as well as Japan (72pc), where cyberattacks are seen as the leading national security threat. Based on PwC’s experience in Ireland, organisations are very slow to invest in appropriate security measures.
While many are concerned about cyberattacks from other countries, smaller nations such as Ireland are aiming to develop capabilities to match larger countries. In Ireland, we have seen the establishment of the National Cyber Security Centre in University College Dublin, which is dedicated to detecting global cyber threats that could impact on Ireland, and also supporting the effective response to such an event.
When cyberattacks occur, most victimised companies say they cannot clearly identify the culprits, with only 39pc of survey respondents saying that they are very confident in their identification of cyber threat. A more collaborative approach will help with threat detection for all organisations.
IoT risks are another growing danger in terms of cybersecurity, but only 34pc of respondents plan to assess these risks across their businesses. Unsecured IoT devices are creating major vulnerabilities that leaders must become more cognisant of.
Moran concluded by imploring leaders to view cybersecurity resilience as a critical element of their business from the top down: “Few business issues permeate almost every aspect of business and commerce like cybersecurity does today. Public-private coordination is critical to effectively addressing cybersecurity.
“The bottom line is that leaders can seize the opportunity now to take meaningful actions designed to bolster the cyber resilience of their organisations, withstand disruptive cyber threats and build a secure digital society.”
Updated, 7.57am, 8 January 2018: This article was updated to clarify when PwC launched its Global State of Information Security Survey.