Cyber risks lead the concern barometer again in this year's CEO Survey and were cited by 100% of respondents (global: 96%). Firstly, reports of cyber attacks are ubiquitous in the media. Secondly, a keener understanding of cyber attacks and their consequences has recently evolved. Many managers know people who have been affected in their professional network. 82% believe a cyber attack could make it impossible to sell products or services (global: 59%). Ultimately, the highly professionalised attackers target IT-based, business-critical processes such as sales, marketing, distribution or public relations – for example using extortion (ransomware).
We hear about new cyberattacks almost every week. In 2020, 20,544 cases of cybercrime were reported in Switzerland, and 16,395 of these were classified as cyberfraud. Medium-sized Swiss companies suffer average damage of about CHF 6 million per cyberattack. However, the amount of damage is increasing rapidly. When the entire IT infrastructure gets encrypted, the average is over CHF 100 million. And the number of unreported cases is a lot higher, because most cases are still not reported. To put this in proportion, a Swiss company suffers ransomware attacks every 11 seconds on average. All companies are potential targets, irrespective of size or "importance" - around one-third of all SMEs have been already victims of cybercrime. Today, this threat mainly affects companies that have not been on the cybercriminals' radar, which means they're unprepared.
Cybersecurity is the threat that the CEOs in our survey are most worried about – all of them named it – and this is not only because hacking is mentioned so frequently in the media. People have gained a deeper understanding of cyberattacks and their consequences during the last two years. A lot of managers know people from their own professional networks who have been affected. However, most managers still have little idea how to counter the threat or where investments would achieve the fastest and best results. CEOs know how long it can take to close gaps in their companies’ defences that date from the past. There is no solution giving 100% protection, but most importantly: having sufficient resilience in the event of a cyberattack does not equate to having good security. How to seamlessly manage a cyber incident must be planned for, implemented and rehearsed. Security requirements must be adapted to the threat, and the corresponding technical and personnel resources must be available.
83% of the CEOs in our survey say they believe that cyberrisks could damage their companies’ sales, marketing, distribution and public relations. This is understandable. Today’s cyberattackers try to cripple companies by shutting their IT systems down completely – and this causes their business-critical processes to fail. So, if a company’s production processes are IT-dependent, its production will come to a halt. If its warehouse management is IT-based, it will find it virtually impossible to prepare its products for shipping. And if its B2C or B2B sales platform is IT-based, it won’t be able to sell, deliver or invoice.
«Cybercriminals now use an almost limitless number of ways in which to launch their attacks, but the most common is still phishing emails. And there are still many outdated or poorly maintained systems in circulation, which make it easy for cyberattackers to penetrate companies’ firewalls.»
Ransomware attacks consist of extortion accompanied by threatened or actual theft and encryption of data, and these have been among the most common in recent months. In addition, large-scale distributed denial of service (DDoS) attacks is used to slow platforms right down or to crash them entirely.
Cybercriminals and threat actors have professionalised themselves a great deal over the last few years. Their work is now standardised and highly automated. For example, they often know exactly what ransom sum they can demand in a case of extortion so that the company pays rather than accepts the damage and then fixes the gap in its defences.
Various initiatives have been launched to combat cybercrime comprehensively. The National Cyber Security Centre (NCSC) was established as part of the Swiss Federal Council’s strategy to protect the country against cyberrisks. An initiative was launched at the same time to create an independent seal of quality for IT services.
Neither the Swiss Federal Act on Data Protection nor the EU’s General Data Protection Regulation (GDPR) currently requires companies to report cyberattacks. However, reporting is required in some sectors – e.g., in the financial world by the Swiss Financial Market Supervisory Authority (FINMA) and in the medical sector by Medicrime MKA (which is committed to detecting and combating fraudulent activities in connection with the online sale of medicinal products).
With more consistent reporting, the number of unreported attacks could be reduced. Victims could learn from each other and prepare themselves better. In addition to reporting, it is important to immediately collect and use the information that the reports provide in order to combat, prepare, prosecute etc. If there is no counter to cybercrime in every area and at every level, the criminal world will continue to grow and will perfect itself and spread unhindered.
A cyberattack could cost a company its existence. That makes it even more important that CEOs not only rate the risk as their number one concern, but also take action to mitigate it. That includes appropriately weighting competing priorities. The starting point is to plan and practise for a cyber emergency as carefully and seriously as for a major fire or a pandemic. Crisis planners usually focus on ensuring that data and information are available. In the process, they often lose sight of the need for confidentiality and integrity. Below are six recommendations for a course of action that Swiss CEOs should discuss with their chief information officers and risk managers:
For more information and to read the full CEO Survey, please click here.
Our annual PwC “Year in Retrospect” report outlines highlights and the most prolific cyber security trends we observed over the past 12 months and explores their wider impact.
At PwC, we are a community of solvers – powered by technology – committed to helping you protect everyone, and everything, you care about.