44 percent of the 9,500 executives in 122 countries surveyed say they do not have an overall information security strategy; 48 percent do not have an employee security awareness training programme, and 54 percent don’t have an incident response process.
PwC has published its 2018 Global State of Information Security Survey (GSISS).
Executives worldwide acknowledge the increasingly high stakes of cyber insecurity. 40 percent of survey respondents cite the disruption of operations as the biggest consequence of a cyber attack; 39 percent cite the compromise of sensitive data; 32 percent cite harm to product quality, and 22 percent cite threat to human life.
Yet despite this awareness, many companies at risk of cyber attacks remain unprepared to deal with them. 44 percent say they do not have an overall information security strategy. 48 percent say they do not have an employee security awareness training programme, and 54 percent say they do not have an incident response process.
How cyber interdependence drives global risk
Case studies of non-cyber disasters have shown that cascading events often begin with the loss of power — and many systems are impacted instantaneously or within one day, meaning there is generally precious little time to address the initial problem before it cascades.
Interdependencies between critical and non-critical networks often go unnoticed until trouble strikes. Many people worldwide — particularly in Japan, the United States, Germany, the United Kingdom and South Korea — are concerned about cyber attacks from other countries. Tools for conducting cyber attacks are proliferating worldwide. Smaller nations are aiming to develop capabilities like those used by larger countries. And the leaking of US National Security Agency (NSA) hacking tools has made highly sophisticated capabilities available to malicious hackers.
When cyber attacks occur, most victimized companies say they cannot clearly identify the culprits. Only 39 percent of survey respondents say they are very confident in their attribution capabilities.
The soaring production of insecure Internet-of-Things (IoT) devices is creating widespread cyber security vulnerabilities. Rising threats to data integrity could undermine trusted systems and cause physical harm by damaging critical infrastructure.
Meanwhile, there is a wide disparity in cyber security preparedness among countries around the world. In the 2018 GSISS, the proportion of organizations with an overall cyber security strategy is particularly high in Japan (72 percent), where cyber attacks are seen as the leading national security threat, and Malaysia (74 percent).
Next steps for business leaders
What can business leaders do to prepare effectively for cyber attacks? PwC recommends three key areas of focus:
C-suites must lead the charge and boards must be engaged: Senior leaders driving the business must take ownership of building cyber resilience. Setting a top-down strategy to manage cyber and privacy risks across the enterprise is essential.
Pursue resilience as a path to rewards, not merely to avoid risk: Achieving greater risk resilience is a pathway to stronger, long-term economic performance.
Purposefully collaborate and leverage lessons learned: Industry and government leaders must work across organisational, sectoral and national borders to identify, map, and test cyber-dependency and interconnectivity risks as well as surge resilience and risk-management.