Cybersecurity: Protection is good, strengthening defences is better
Swiss CEOs place cyber-risks second (43 %) on the list of potential threats to their companies’ growth prospects. This contrasts with only 26 % (third place) in last year’s survey. There are multifaceted reasons for this spike in the level of concern: Swiss companies have plainly underestimated cyber-threats. Numerous incidents were reported in the media in 2020 – some even detailing the costs resulting from a cyber-attack. That put the issue more firmly on the radar of executives. The pandemic has additionally increased the urgency of this topic. Indeed, with the outbreak of COVID-19 and the broad-based activation of home-based workstations, companies have been forced to adapt their IT to new work models and forms of collaboration. They have had to roll out new platforms and applications, re-orchestrate portions of the hardware landscape, migrate to the cloud or build new interfaces. As a result of homeworking and telecommuting, processes have become more vulnerable, while surveillance and monitoring mechanisms have simultaneously grown more challenging. This has led to gaps and loopholes, which in turn has presented additional opportunities for criminals and threat actors. Last but not least, cyber criminals have become more and more professional over the past few months. Accordingly, companies that were previously believed to be immune to cyber risk have suddenly ended up in the firing line.
Of the Swiss CEOs polled, 93 % express general concern about cyber-threats (see Figure 1). Business leaders in the rest of the world are slightly less concerned in this regard (85 %). Firstly, Swiss companies traditionally have a high level of security awareness. Secondly, data protection and safeguarding personal rights are given high priority in Switzerland. Anyone who considers both these things to be part and parcel of cybersecurity will become alarmed if they are called into question. Nevertheless, Swiss companies have so far underestimated the risk of cyber-threats. Thirdly, in a small country like Switzerland, C-level executives regularly exchange information with one another. Anyone who obtains first-hand information of an incident automatically becomes concerned. Fourthly, even prior to COVID-19, Switzerland had serious shortcomings when it came to digitalisation as compared with its neighbouring countries – in the adoption of cloud services, for instance. As the pandemic gave digitalisation an unprecedented boost, hypersensitivity to this issue developed at the same time.
Figure 1: The level of general concern on the part of Swiss CEOs about cyber-threats is extremely high.
It’s not just virologists who talk about resilience, but also cyber experts. Resilience denotes a company’s ability to withstand cyber-attacks. Resilience is the result of a closed circuit consisting of threat identification, suitable protection measures, monitoring controls (detection), crisis response capability and the ability to manage a cyber incident so as to emerge from it ultimately stronger. Companies can continuously strengthen their cyber resilience by means of regular training and simulations. Swiss companies continue to struggle, particularly in their efforts to detect cyber-attacks. They have traditionally invested heavily in protection. The damage in a cyber-attack is not immediate and, in most cases, occurs gradually. Recognising the signs early gives the preventive side of a company’s cyber resilience more momentum. This also forms the basis for being able to respond to a cyber-attack, even during the COVID-19 crisis. Thanks to their security precautions, companies have previously recorded little, if any, large-scale cyber-related damage, such as the kind of total failure of IT systems due to a cyber-attack that we’ve increasingly observed of late. They have planned and played out scenarios such as a regional power failure, a fire in the server room or possibly even a complete data centre shutdown. What they have not played out, however, is a scenario in which the entire IT infrastructure is encrypted, making access to both data and back-up information impossible.
«Companies should integrate the transformation of their security structures more closely with that of their business.»
Of the Swiss CEOs polled, 46 % feel that their organisation should take more effective action in the areas of cybersecurity and data protection. The global figure is 36 %. That said, 77 % of the Swiss survey participants indicate that they plan to step up their long-term investments in cybersecurity and data protection as a consequence of the COVID-19 crisis. This is slightly higher than the global figure. Given the current security maturity of companies, however, it should really be closer to 100 %. In terms of crisis planning, in particular, significant differences can be seen in Switzerland. Countless individual programme elements exist, yet rarely an overall strategy. The pandemic and associated digitalisation have driven the transformation of companies and their processes; however, security approaches have not been transformed in step, if at all. To achieve this, companies will have to strengthen the connection between their security organisation and the business.
Of the Swiss CEOs participating in the survey, 84 % use risk management to address cyber-threats. The figure for the global sample is only 59 %. This reflects the fact that in Switzerland some industries – financial service providers, for example – are heavily regulated. For them, cyber-threats are, by law, part of day-to-day risk management. Of the Swiss CEOs polled, 25 % responded ‘yes’ to the question of whether their company should expand its reporting in the areas of cybersecurity and data protection – only 2 percentage points more than their colleagues worldwide. With respect to disclosure, decision-makers apparently do not see any need for action.
Of the Swiss CEOs surveyed, 59 % express concern about misinformation. This suggests that the number of unreported cases and their degree of seriousness continue to remain high. It might also be an indication of CEOs’ concern about cyber criminals intercepting and falsifying information, either impairing business performance or resulting in costly errors. In cyber-savvy companies, chief information security officers (CISOs) regularly brief decision-makers on what threats, risks, actors and types of attacks are business critical and what measures should be taken to improve the company’s security maturity.
111 Swiss CEOs gave answers on how they are dealing with the effects of COVID-19.
Partner and Leader Cybersecurity and Privacy, PwC Switzerland