Organisations aren’t doing enough to combat cyber crime, according to a pair of recently released PwC reports.
The 2023 Global Digital Trust Insights report found that more than 60% of senior executives believe they are not fully prepared to deal with cyber security risks, with gaps in their ability to identify, detect, protect, respond to and recover from data breaches.
Meanwhile, 40% of respondents to a separate report thought that cyber attacks posed a serious risk to their operations, and another 38% said the risk was moderate.
This makes cyber security the most cited risk, ahead of talent acquisition and retention (38%), and rising production costs (34%).
Perhaps not coincidentally, the three issues are connected. There is an established skills shortage in the cyber security sector, and organisations struggle to find qualified candidates as demand for information security personnel grows.
With such a high demand, cyber security experts can seek generous salaries and career opportunities, meaning organisations that are unable to provide these benefits will be left behind.
The problem is compounded by the recent economic downturn. Prices rose by 9.6% in the 12 months to October 2022, with the largest increases in electricity, gas and transport.
One way to combat these challenges is by cutting costs, and cyber security is often seen as a prime candidate. It doesn’t bring in revenue directly, and when it works properly nothing visible happens, so its value is easy to overlook until a breach makes it obvious.
As PwC indicates, organisations are concerned about their economic outlook in addition to cyber security threats, and talent acquisition and retention. But compromising on one will affect the others, putting organisations in a tough position.
What are executives worried about?
The 2023 Global Digital Trust Insights report outlines the steps that senior executives have taken to adapt to modern business practices. This includes enabling remote and hybrid working, accelerated Cloud adoption and the increased digitisation of the supply chain.
However, fewer than 3% of respondents said their organisation has fully mitigated the risks associated with all of these initiatives. Most organisations have taken some preventive measures but neglected others.
The risks related to the Internet of Things, for example, have been “slightly mitigated” by 14% of organisations. Elsewhere, 62% of businesses admit that they haven’t fully mitigated the risks related to remote and hybrid working, while that figure stands at 65% for Cloud adoption.
Senior executives said that specific security risks that they are concerned about include cyber criminal activity (65%), mobile devices (41%), email (40%), Cloud-based breaches (38%), business email compromise/account takeover (33%) and ransomware (32%).
Additionally, only 9% of respondents said they were confident that they could meet their regulatory requirements for disclosing a data breach.
For organisations in the UK and the EU, this refers primarily to Article 33 of the GDPR (General Data Protection Regulation) and its equivalent in the UK GDPR, which states that in the event of a personal data breach, data controllers must notify the appropriate supervisory authority (the ICO in the UK) without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. The obligation does not apply where the breach is unlikely to result in a risk to the rights and freedoms of individuals, and a notification made after the 72 hours must be accompanied by the reasons for the delay. Meeting the deadline in practice depends on having a tested process for detecting a breach, establishing when the organisation became aware of it and gathering the information the notification requires.
Addressing these challenges
The problems that organisations reported all have one thing in common: they have been introduced or exacerbated by the increased digitisation of the workforce.
PwC found that 54% of organisations have taken on more cyber risks as they pursue digitisation, and 44% have reported an increase in security breaches as a result.
To some extent, this is unavoidable. The pandemic and the rise in remote and hybrid working have forced organisations to become more flexible. They must communicate and share information virtually, which expands the attack surface and introduces new risks.
This isn’t an insurmountable obstacle, though. Organisations need to ensure that their awareness of, and response to, cyber security risks keeps pace with their digital expansion.
According to PwC, the most common techniques for doing this are internal board training (47%), a greater emphasis on cyber security during board meetings (47%), improved reporting on cyber security incidents and practices (44%) and the appointment of a dedicated cyber security expert to the board (43%).
PwC urges organisations to “allot more time to the CISO and cyber matters on your agenda. Second, don’t settle for board reporting that doesn’t give you confidence and insights that the organisation is managing the cyber risks related to its strategic moves”.
It adds: “Cyber security is not an end state, so monitor how the company is making progress in its cyber posture and ability to defend against emerging threats. Ask to take part in exercises that help you understand your organisation’s cyber resilience.”
If you’re looking to bolster your organisation’s data protection practices, GRCI Law can help.
Our Privacy as a Service solution provides the tools and advice you need to create robust data privacy measures.
Led by a team of experienced lawyers, barristers, and information and cyber security experts, we will work with you to review your organisational setup and make recommended changes to enhance data protection.
This includes help with compliance monitoring, breach notification processes and data privacy management.