Driven by events no one could have foreseen, leaders in recent years have pushed their companies and themselves beyond their comfort zone: out of the office to remote workplaces; into the cloud; along chains of supply that are nearly completely digital. And with each new venture, new cyber risks have emerged.
The findings from our 2023 Global Digital Trust Insights survey – reflecting the views of over 3,500 business, security and IT leaders across industries in more than 60 countries – show that cybersecurity has become a dynamic field that is rapidly adjusting and changing to keep pace with business ingenuity.
CISOs are seizing the initiative and getting the green light to truly lead – stepping out of their role as independent cyber specialists and becoming partners, working not just with a few executives, but with the entire C-suite and Board. This collaboration has never been more important.
The good news first: CISOs and cyber teams have risen to the challenge, and other C-suite executives have joined forces with them. More than 70% of respondents observed improvements in cybersecurity in the past year.
But with ever more connected systems and exponentially more data – and ever more organised adversaries – cyber risks are increasing, and business leaders have much more work to do. And this in a difficult economic and business environment.
Fewer than 40% of respondents say they have fully mitigated the risks their bold moves incurred since 2020. Remote work and the move to the cloud have commanded the most attention on a global level, with larger organisations (more than $1 billion in revenues) and those based in North America far more likely to say they have mitigated these risks.
Switzerland is lagging behind, especially in terms of cloud adoption and the risks associated with the increasing use of the Internet of Things (IoT). While 84% of respondents worldwide say they have accelerated cloud adoption, this figure is only 71% in Switzerland. The difference is even greater when it comes to mitigating cyber risks related to the IoT: 79% globally, but only 49% in Switzerland reported significant progress. With regard to cyber risks associated with entering new markets, only half of Swiss respondents have fully or moderately mitigated them, while globally 79% have done so.
The overall level of agreement that companies have fully or moderately mitigated their risks in the report is surprising. Swiss organisations consistently rate their capabilities lower, which is, in my opinion, more realistic. While most organisations have increased spending and are investing in resilience, the fact is that many risks still have not been addressed adequately. The continuous increase of successful attacks with massive business disruption is one of the indicators.
No wonder that senior executives in Switzerland worry that their enterprise isn’t fully prepared to address heightened threats. 73% of Swiss executives consider cyber criminals to be the biggest threat to their organisation in 2023; globally, “only” 65% share this assessment. On the other hand, competitors are not seen as much of a threat in Switzerland as they are at the global level.
The 2023 Global Digital Trust Insights survey also provided insights into the attackers’ routes: while mobile devices (41%), email (40%), cloud-based pathways (38%), web applications (37%), and insider or social engineering (37%) are at the top of the international ranking, Swiss respondents see the danger of attack differently. They consider email (66%), people (47%), and web applications (44%) as the most likely entry points for cybercriminals. The big difference in evaluating the potential danger of emails is probably due, among other things, to lower cloud adoption rates – Swiss companies still send documents by email frequently.
There are also differences in the threat assessment depending on the size of the enterprise. Larger organisations are significantly more likely to be affected by attacks via the software supply chain (35%), cloud-based pathways (43%), and operational technology (29%) than smaller ones.
The fact that companies cite cyber criminals as the biggest threat to their organisation matches our observations. However, it is somewhat surprising to us that, in terms of gateways for cyber-attacks, email is rated so low, i.e., at 40% globally. While other factors are definitely important as well, looking at successful attacks, email is still the number one entry point in all attacks we see. The rising concern about third-party supply chain and software risks is not a surprise, as we have seen a significant increase of such attacks in 2022. Also, the understanding and integration of OT into security management is still in its infancy, and many risks are not yet well understood or addressed. IT/OT convergence is only just emerging in many organisations. In addition, a special focus on OT in critical infrastructure is necessary, also in Switzerland.
As attack scenarios in the digital space are becoming more complex and better organised, companies must prepare for the fact that cybercriminals are getting ever more structured. They increasingly use off-the-shelf tools and can perpetrate and orchestrate a variety of attacks. Ransomware attacks continued to be the biggest threat to corporate cybersecurity in the last year – across all regions and industries. What does the future bring?
One-third of executives worldwide expect the number of business email compromises and account takeovers, ransomware, and attacks against cloud management interfaces to increase between 2022 and 2023. Swiss respondents are particularly concerned about ransomware attacks, with more than half of the respondents expecting an increase in ransomware-related cyber incidents.
In terms of security, third-party breaches and supply chain attacks are another key issue; cybercriminals looking to target large companies or disrupt critical infrastructure are increasingly trying to do so by compromising suppliers first.
This correlates with the results on ‘pathways to attack’; however, we see various events that are used in the ‘normal’ journey of a ransomware attack, while others are additional or parallel threats. However, the difference in the assessment of ransomware globally and in Switzerland is quite interesting, especially as the number of ransomware events increased again in the first nine months of 2022, both globally and at the Swiss level. An additional interesting difference is the fear of cloud attacks, which is higher in Switzerland. This assessment might have an impact on cloud migration projects or explain why cloud adoption is lagging in Switzerland.
46% of CEOs want to empower the CISO to collaborate with the C-Suite on security next year. Good reporting and visibility on cyber are key to successful collaboration, which is critical in security. And the CEO and the board play a pivotal role in launching and improving security programmes. While at the global level the involvement of the board ranks first and the CEO second when it comes to addressing stakeholders, in Switzerland the CEO comes first.
And how about organisations’ ability to disclose cyber practices, strategy, and incidents externally? Just over four-fifths of respondents globally and in Switzerland say their organisation can provide the required information about a material or significant incident within the required reporting period after the incident. Swiss executives are on average less confident than their international peers, especially when it comes to third-party cyber risk management disclosure.
Disclosure benefits everyone, and companies can learn from the attacks on other companies. Four-fifths of organisations globally agree that mandatory disclosure of cyber incidents, with comparable and consistent formats, is necessary to gain stakeholder confidence and trust – in Switzerland it is only two-thirds.
Swiss companies indicate that they would like more clarity on disclosure practices. They do not see a higher disclosure requirement – compared to global and European competitors – as a competitive disadvantage, and they are willing to share information with law enforcement authorities.
Unlike abroad, there is no clear trend in the answers of the Swiss representatives that companies would like to see legislative changes regarding the obligation to report security incidents. The study we produced for the Swiss government concerning mandatory security reporting showed the same split picture. Why? What has proven successful abroad is not necessarily directly applicable to Switzerland. In contrast to other countries, where business and government find it difficult to meet at the same table because of the principle of legality and therefore rarely exchange information voluntarily, in Switzerland the public-private partnership has proven itself over many years. Also, reporting alone would not be enough – a concept of how information is effectively shared would be necessary to increase awareness and resilience.
“Despite all the progress that organisations have made in improving their cybersecurity programmes, obviously the journey does not end. Increasing resilience against cyber attacks also has a lot to do with training and improving. That said, investments alone are not sufficient; a continuous ‘implement, train, refine and adapt’ mentality is necessary. New topics are arising constantly; supply chain and IoT/OT are the next challenges to address and solve.”
The C-suite playbook on cybersecurity and privacy, featuring our latest survey, Global Digital Trust Insights, highlights what lies ahead in 2023 and how executives can work together for a cyber-ready future.
The 2023 Global Digital Trust Insights is a survey of 3,522 business, technology, and security executives (CEOs, corporate directors, CFOs, CISOs, CIOs, and C-Suite officers) conducted in July and August 2022. Female executives make up 31% of the sample.
Fifty-two percent of respondents are executives in large companies ($1 billion and above in revenues); 16% are in companies with $10 billion or more in revenues.
Respondents operate in a range of industries: Industrial manufacturing (24%), Tech, media, telecom (21%), Financial services (20%), Retail and consumer markets (18%), Energy, utilities, and resources (9%), Health (5%), and Government and public services (3%).
Respondents are based in various regions: Western Europe (31%), North America (28%), Asia Pacific (18%), Latin America (12%), Eastern Europe (5%), Africa (4%), and Middle East (3%).
The Global Digital Trust Insights Survey was formerly known as the Global State of Information Security Survey (GSISS).
PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.