2021 is already shaping up to be one of the worst years on record for cybersecurity. Ever more sophisticated attackers are plumbing the dark corners of our systems and networks, seeking — and finding — vulnerabilities. The consequences for an attack rise as our systems’ interdependencies are becoming increasingly complex. Critical infrastructures are especially vulnerable. And yet, many of the breaches we’re seeing are still preventable with sound cyber practices and strong controls.
The PwC study “2022 Global Digital Trust Insights” is a survey of 3,602 business, technology, and security executives across the globe, and it shows that companies may be overlooking the riskiest cyber threats of all: those originating from third parties and enabled by the complexity of their organisations.
The survey provides deep and detailed insights on cyber developments, trends, and threats companies are facing in an increasingly complex and interconnected business world and, at the same time, serves as both an analysis and practical guide for your own cyber security strategy. It also shows what differentiates the leaders in cybersecurity from the laggards.
Cyber certainly has got CEOs’ attention, but are they taking action? Our findings from the 2022 Global Digital Trust Insights Survey suggest an “expectations gap” for cyber, with CEOs perceiving that they are more involved in and supportive of setting and achieving cyber goals than their teams do. A persistent gap can spell disaster if it instills a false sense of security company-wide, given the CEO’s leading role in defining an organisation’s culture. Cybersecurity is not about technology only, it’s a mindset. And this mindset and culture must be enabled from the top.
While CEOs surveyed in Switzerland believe that they make a significant contribution to cybersecurity in their company, only three out of ten non-CEOs agree with this statement. And while 30% of respondents globally state that their CEO embeds cyber and privacy in key operations and decisions of the organisation, only 16% say so in Switzerland.
In an overly complex organisation, it’s common for the left hand not to know what the right hand is doing — and the consequences for cybersecurity and privacy can be dire. Businesses know the risks of complexity, yet only 35% of our respondents have streamlined their operations and a quarter say they’ve done nothing at all or are just getting started. But a shift appears to be underway.
Nearly three quarters of all respondents say their companies are too complex and that the complexity of their organisation poses “concerning” cyber and privacy risks. Data infrastructure (77%) ranked highest among the areas of unnecessary and avoidable complexity. For Switzerland, this figure stands at 86%. However, Swiss executives are less worried about financial losses due to complexity compared to their global peers.
Data is the asset attackers covet most. Companies can minimise that risk by minimising the target. But only 35% of respondents have mapped all their data, meaning they know where it comes from and where it goes. And only about a third report having mature, fully implemented data-trust processes. Organisations should govern, discover, and protect only the data they need — and eliminate the rest. Low-value data not only creates unnecessary risk, it also crowds out or buries high-value data.
When making decisions about cyber investments and responding to cyber risks, Swiss respondents very often say that they have not integrated analytics and business tools into their operating model. For example, real-time threat intelligence is only integral to 18% of respondents for smart cybersecurity decisions – compared to 30% globally. Threat modeling, scenario building, and predictive analysis seem to be barely unused technologies in Switzerland (8% vs. 26% globally).
You can’t secure what you can’t see, and most respondents to the PwC 2022 Global Digital Trust Insights Survey seem to have trouble seeing their third-party risks — risks obscured by the complexities of their business partnerships and vendor/supplier networks. 60% of CEOs and other C-suite executives have less than a thorough understanding of the risk of data breaches through third parties, while 20% have little or no understanding of these risks at all – a major blind spot of which cyber attackers are well aware and willing to exploit.
Among all respondents, 56% expect an increase in reportable incidents in 2022 from attacks on the software supply chain, but only 34% have formally assessed their enterprise’s exposure to this risk. In Switzerland, the situation is even more alarming. 35% of Swiss executives say they have little or no understanding about cloud risks and technology vendors risk (compared to 21% and 24% respectively at global level). But Swiss companies lead the way in minimising third-party or supplier risks by simplifying the supply chain and conducting more rigorous due diligence.
As part of the 2022 Global Digital Trust Insights Survey, PwC interviewed Swiss Re’s Chief Security Officer Philipp Krayenbuehl. In a talk with Urs Küderli, Partner and Leader Cybersecurity and Privacy, PwC Switzerland, he explains the importance of security experts being close to the business from the beginning of each project.
Strategists and technologists have touted the potential of digital business models to boost business 10x — a Holy Grail promise of exponential returns on digital investments. Likewise, the Survey reveals how simplifying business processes and operations can have a “multiplier” effect on security and privacy.
Here are the four Ps to realising your full cyber potential, as exemplified by most advanced and most improved organisations, who employ them all.
Principle. The CEO must articulate an explicit, unambiguous foundational principle establishing security and privacy as a business imperative.
People. Hire the right leader, and let CISO and security teams connect with the business teams. Your people can be vanguards of simplification even as you build “good complexity” in the business.
Prioritisation. Your risks continually change as your digital ambitions rise. Use data and intelligence to measure your risks continually, as well.
Perception. You can’t secure what you can’t see. Uncover blind spots in your relationships and supply chains.
Do you want to learn more about cyber risks and how risk handling benefits your organisation? Download the PwC 2022 Global Digital Trust Insights here.
The 2022 Global Digital Trust Insights is a survey of 3,602 business, technology, and security executives (CEOs, corporate directors, CFOs, CISOs, CIOs, and C-Suite officers) conducted in July and August 2021. Female executives make up 33% of the sample.
Sixty-two percent of respondents are executives in large companies ($1 billion and above in revenues); 33% are in companies with $10 billion or more in revenues.
Respondents operate in a range of industries: Tech, media, telecom (23%), Industrial manufacturing (22%), Financial services (20%), Retail and consumer markets (16%), Energy, utilities, and resources (8%), Health (7%), and Government and public services (3%).
Respondents are based in various regions: Western Europe (33%), North America (26%), Asia Pacific (18 %), Latin America (10 %), Eastern Europe (4%), Middle East (4%), and Africa (4%).
The Global Digital Trust Insights Survey is formally known as the Global State of Information Security Survey (GSISS).
PwC Research, PwC’s global Centre of Excellence for market research and insight, conducted this survey.