CEO Survey: Cyberattacks are no. 1 concern

Urs Küderli Partner and Leader Cybersecurity and Privacy, PwC Switzerland 31/01/22

Cyber risks lead the concern barometer again in this year's CEO Survey and were cited by 100% of respondents (global: 96%). Firstly, reports of cyber attacks are ubiquitous in the media. Secondly, a keener understanding of cyber attacks and their consequences has recently evolved. Many managers know people who have been affected in their professional network. 82% believe a cyber attack could make it impossible to sell products or services (global: 59%). Ultimately, the highly professionalised attackers target IT-based, business-critical processes such as sales, marketing, distribution or public relations – for example using extortion (ransomware). 

The numbers say it all

We hear about new cyberattacks almost every week. In 2020, 20,544 cases of cybercrime were reported in Switzerland, and 16,395 of these were classified as cyberfraud. Medium-sized Swiss companies suffer average damage of about CHF 6 million per cyberattack. However, the amount of damage is increasing rapidly. When the entire IT infrastructure gets encrypted, the average is over CHF 100 million. And the number of unreported cases is a lot higher, because most cases are still not reported. To put this in proportion, a Swiss company suffers ransomware attacks every 11 seconds on average. All companies are potential targets, irrespective of size or "importance" - around one-third of all SMEs have been already victims of cybercrime. Today, this threat mainly affects companies that have not been on the cybercriminals' radar, which means they're unprepared.

Incidents and understanding have increased

Cybersecurity is the threat that the CEOs in our survey are most worried about – all of them named it – and this is not only because hacking is mentioned so frequently in the media. People have gained a deeper understanding of cyberattacks and their consequences during the last two years. A lot of managers know people from their own professional networks who have been affected. However, most managers still have little idea how to counter the threat or where investments would achieve the fastest and best results. CEOs know how long it can take to close gaps in their companies’ defences that date from the past. There is no solution giving 100% protection, but most importantly: having sufficient resilience in the event of a cyberattack does not equate to having good security. How to seamlessly manage a cyber incident must be planned for, implemented and rehearsed. Security requirements must be adapted to the threat, and the corresponding technical and personnel resources must be available.

Striking the major arteries

83% of the CEOs in our survey say they believe that cyberrisks could damage their companies’ sales, marketing, distribution and public relations. This is understandable. Today’s cyberattackers try to cripple companies by shutting their IT systems down completely – and this causes their business-critical processes to fail. So, if a company’s production processes are IT-dependent, its production will come to a halt. If its warehouse management is IT-based, it will find it virtually impossible to prepare its products for shipping. And if its B2C or B2B sales platform is IT-based, it won’t be able to sell, deliver or invoice.

«Cybercriminals now use an almost limitless number of ways in which to launch their attacks, but the most common is still phishing emails. And there are still many outdated or poorly maintained systems in circulation, which make it easy for cyberattackers to penetrate companies’ firewalls.»

Urs KüderliPartner, Leader Cybersecurity and Privacy, PwC Switzerland

Creativity and professionalism are increasing

Ransomware attacks consist of extortion accompanied by threatened or actual theft and encryption of data, and these have been among the most common in recent months. In addition, large-scale distributed denial of service (DDoS) attacks is used to slow platforms right down or to crash them entirely. 

Cybercriminals and threat actors have professionalised themselves a great deal over the last few years. Their work is now standardised and highly automated. For example, they often know exactly what ransom sum they can demand in a case of extortion so that the company pays rather than accepts the damage and then fixes the gap in its defences.

Obstacles to preparing for combat

Various initiatives have been launched to combat cybercrime comprehensively. The National Cyber Security Centre (NCSC) was established as part of the Swiss Federal Council’s strategy to protect the country against cyberrisks. An initiative was launched at the same time to create an independent seal of quality for IT services. 

Neither the Swiss Federal Act on Data Protection nor the EU’s General Data Protection Regulation (GDPR) currently requires companies to report cyberattacks. However, reporting is required in some sectors – e.g., in the financial world by the Swiss Financial Market Supervisory Authority (FINMA) and in the medical sector by Medicrime MKA (which is committed to detecting and combating fraudulent activities in connection with the online sale of medicinal products).  

With more consistent reporting, the number of unreported attacks could be reduced. Victims could learn from each other and prepare themselves better. In addition to reporting, it is important to immediately collect and use the information that the reports provide in order to combat, prepare, prosecute etc. If there is no counter to cybercrime in every area and at every level, the criminal world will continue to grow and will perfect itself and spread unhindered. 

A cyberattack could cost a company its existence. That makes it even more important that CEOs not only rate the risk as their number one concern, but also take action to mitigate it. That includes appropriately weighting competing priorities. The starting point is to plan and practise for a cyber emergency as carefully and seriously as for a major fire or a pandemic. Crisis planners usually focus on ensuring that data and information are available. In the process, they often lose sight of the need for confidentiality and integrity. Below are six recommendations for a course of action that Swiss CEOs should discuss with their chief information officers and risk managers:

Six recommendations for a course of action

  1. Know the risks and their consequences for the company: identify critical systems and processes and their key risks and formulate scenarios. 
  2. Understand cyberattackers and their methods: identify company-specific vulnerabilities and issues. 
  3. Protect the company and recognise and identify attacks that have occurred: keep IT systems and cybersecurity up to date and personnel aware. 
  4. Plan for cyberattacks as a critical situation: tailor your planning to your particular company. 
  5. Restore operations and cybersecurity: plan and prepare measures along the chain of events.  
  6. Communicate in a targeted manner: define who will disseminate information – and how and when. And when not to disseminate it. 

For more information and to read the full CEO Survey, please click here.

Trust in Transformation

Cyber Threats 2021: A Year in Retrospect

Our annual PwC “Year in Retrospect” report outlines highlights and the most prolific cyber security trends we observed over the past 12 months and explores their wider impact.

Learn more


Building trust to succeed

At PwC, we are a community of solvers – powered by technology – committed to helping you protect everyone, and everything, you care about.

Explore our offering

Contact us

Urs Küderli

Urs Küderli

Partner and Leader Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 42 21