Preventing and responding to social engineering, cyber criminals and ransomware

Johannes Dohren Director Cybersecurity, PwC Switzerland 09 Nov 2020

To prepare to respond to a threat, it helps to know where it’s most likely to come from and in what form. PwC’s Digital Trust Insights 2021 survey finds that Swiss organisations, more than those in other countries, believe that threats such as social engineering, cyber criminals and ransomware are imminent – and that when they materialise they will have a serious impact. But are they investing in the right capabilities in the right places to respond when such incidents occur?

Companies in Switzerland are more afraid than average of imminent cyber-threats in the guise of social engineering, ransomware breaches and disruptionware attacks on critical business services. This is one of the striking findings of PwC’s Digital Trust Insights 2021 survey. Swiss fears of social engineering are particularly serious compared with the global and Western European averages, with 79% of respondents in Switzerland (versus 63% of the global sample and 61% in Western Europe) rating the likelihood that social engineering will affect their industry in the next year as somewhat or very likely. 

Q - In your view, what is: (a) the likelihood that these threat vectors are going to affect your industry in the next 12 months, and (b) the extent of impact, if it were to happen, on your organisation?

The figures for events such attacks on cloud services, ransomware and disruptionware are similar, if not quite as pronounced. Not only do companies believe these events are imminent; they also predict that the impact on their own organisation would be severe: 73% of the Swiss sample said that the impact of a social engineering-based attack would be negative or significantly.  

Q - In your view, what is: (a) the likelihood of these events occurring in your industry in the next 12 months, and (b) the extent of impact, if it were to happen, on your organisation?

Fears justified by the facts?

The heightened awareness of these specific risks – and the fear of severe impact – are probably justified given the sharp increase in cyber-attacks recently seen in Switzerland. This has included a number of major incidents, with big names such as AMAG, Stadler and Swatch all hitting the headlines this year. With Covid-19 dramatically increasing reliance on digital networking, these incidents are not likely to get any less frequent.

Fear is good if it motivates you to take action rather than simply paralysing you. So what are companies in this country doing to address these threats? One of the questions put to survey participants was how much progress they thought their organisation had made in cybersecurity in the past three years. Interestingly, Swiss companies were considerably less likely (around 10 percentage points behind the global average) to report advances in terms of increased prevention of successful attacks and faster response times to incidents and disruptions. This could simply mean that Swiss managers are underplaying their own achievements; but it could equally indicate that there’s catch-up potential in these areas. 

Prevention and response top priorities

One important survey finding suggest that the latter is the case: that Swiss companies see the shortfall and are planning steps to address it. When asked what they will be focused on in the next three years in terms of the changes they’ll be making in cyber strategy, people, and investments, Swiss respondents ranked increased prevention of successful attacks and faster response times to incidents and disruptions at one and two respectively. These are smart priorities in the current risk landscape.

Tech not the only skill required

But what is the best thing to do to prevent and respond to the type of incidents we’re talking about? Think about the nature of threats such as social engineering, cyber criminals and ransomware. They’re highly complex, involving psychology as much as they do technology; they’re about tricking humans as well as outwitting digital systems. Preventing them, and responding rapidly if they do occur, means not just knowing a company’s IT set-up, but also having a grasp of how people within it think and interact − not to mention the whole legal and data privacy environment within which the organisation operates. If you’re familiar with all these factors, as well as with the mindset of the bad actors, you have a greater chance of predicting and preventing incidents and responding effectively if they do occur. 

Indeed, the survey suggests that Swiss companies are aware that cybersecurity involves human skills as well as technology. While the percentage of Swiss companies that are already reaping the benefits of improving their security function’s skill set lags the overall sample, the figure for those that have implemented measures in this area is in line with the rest of the world, and – best of all – the share of Swiss respondents that are at the stage of having started implementing measures to boost their security skills is considerably higher that the global and Western European samples. Improving the skills of the security function is also right at the top of Swiss companies’ list of priorities.

The figures for events such attacks on cloud services, ransomware and disruptionware are similar, if not quite as pronounced. Not only do companies believe these events are imminent; they also predict that the impact on their own organisation would be severe: 73% of the Swiss sample said that the impact of a social engineering-based attack would be negative or significantly.  

Ransomware white paper

How to respond to the growing threat of human-operated ransomware attacks.

Read it here

Are companies going the right way about it?

But what does it actually mean for a company to improve the skills of its security function? Does it involve building in-house capabilities? Or are there alternatives that might make more sense for many organisations?

As we’ve seen, the kind of cyber-attacks companies fear most are incredibly complex. Preparing for incidents and then responding to and recovering from them if they do happen requires a tremendous breadth and depth of expertise. It also requires having sufficient capacity to be able to drop everything if a breach does occur and stage a response covering areas from IT to legal, data privacy and crisis management. Many companies may not be willing or able to devote in-house resources to all these areas. While this might be possible for large organisations, even then they may choose not to do so on the basis that it’s more efficient and effective to bring in outside help when it’s needed. 

To summarise: ever considered an incident response retainer?

Just as companies retain legal counsel, an increasing number are choosing to outsource incident response to dedicated providers. This doesn’t mean settling for a one-size-fits-all solution; on the contrary, an external incident response provider will invest a great deal of effort and expert attention in getting to know your set-up and its inherent weaknesses and vulnerabilities as a basis for a) preventing incidents from happening in the first place and b) responding if a breach does occur. And when it does, they’ll be able to activate a rapid, comprehensive response that can dramatically reduce the impact and preserve your company’s reputation, operations and bottom line.

You have some questions? 

Reach out to us

 

 

By submitting your email address, you acknowledge that you have read the Privacy Statement and that you consent to our processing data in accordance with the Privacy Statement (including international transfers). If you change your mind at any time about wishing to receive the information from us, you can send us an email message using the Contact Us page.

Contact us

Johannes Dohren

Johannes Dohren

Director Cybersecurity, PwC Switzerland

Tel: +41 58 792 22 20