The 22nd PwC CEO Survey reveals: Swiss companies recognise the importance of technological progress and digitalisation, and they realise that data protection entails considerable challenges. They are fully aware of the threat of cyber risks, yet, still lack the necessary drive to heighten their cyber resilience.
The respondents to the survey – more than 1,350 top managers from over 90 countries – voiced their opinions on digitalisation and topics associated with it, such as data protection and cyber resilience. A total of 93 per cent of the leaders of Swiss enterprises report technological progress to be one of the three main drivers for their business activities (figure 1). Progress entails challenges, including in the context of data protection and cyber criminality. It is time for Swiss enterprises to take the appropriate steps.
Opportunities and dangers of digitalisation
The Swiss CEO respondents to the survey are in no doubt: digitalisation is key when it comes to positioning their businesses in an internationally competitive market, and it is crucial for Switzerland as an economic hub. Digitally-transformed companies profit from software robots that automate repetitive business processes, the optimisation of the service and product portfolio by means of intelligent data analysis tools, or the steering of marketing activities via multiple communication channels, to mention just a few.
Figure 1: Ranking of the global trends that have been most influential in the business environment over the last five years.
Digital transformation may therefore result in significant competitive advantages. In a nutshell, the digital transformation of your company is not an option; it is simply a must if you want to prevail in the market of the future, irrespective of company size or industry.
Of the Swiss CEOs who responded to the survey, 63 per cent expressed their concerns with respect to technological change. Many challenges, particularly those concerning data protection, are intertwined with digital transformation processes. These include protection against increasingly complex cyber attacks, the shortage of IT security specialists and the modest budgets allocated to IT.
Increasingly complex cyber attacks
Swiss CEOs are conscious of the balancing act between digital openness and shielding yourself off from cyber threats. Figure 2 shows that 80 per cent state that they are subject to geopolitical cyber activities; globally the figure is at 72 per cent. In an international comparison, Swiss CEOs thus reveal a clearly heightened risk awareness with respect to cyber topics.
Figure 2: Assessment of potential impairment by geopolitical cyber-activities.
One reason that may account for this fact is the intense media coverage of alleged cyber attacks on Swiss enterprises. Take perhaps the media coverage of the alleged cyber attack on RUAG, the Swiss weapons solution specialist, in 2016; investigations unearthed no results after more than two years, the case was finally closed.
Attacks that are orchestrated by governmental and other groups or individuals are problematic as they rely on an increasingly sophisticated ecosystem of tools. In the past, hacker groups like 'The Shadow Brokers' have robbed intelligence services of parts of such a system and made it go viral. In this way, criminal organisations and hackers – not all of them skilled – got their hands on highly effective tools, some of which were developed by NSA. The elaborate attacks on IT systems are either executed by means of technical hacks or via personal and targeted psychological manipulation, also referred to as 'social engineering'.
The Reporting and Analysis Centre for Information Assurance (MELANI) of the Swiss Federal Administration as well as the annual analyses of Swisscom or Switch can deliver a first overview of the current cyber threats.
Cyber attacks present regulatory, financial and operational risks to companies. Increased digital interconnection makes customers, employees or suppliers prone to data theft. This may result in a devastating loss of trust and reputation, and be an added reason why Swiss CEOs display a heightened sense of awareness for cyber attacks.
CEOs are completely aware of this discrepancy: for the year 2019 they have identified cyber attacks as one of the five main threats on a global level (figure 3). This puts cyber threats in a prominent place in the top ten list of possible threats, higher up than geopolitical instability, protectionism and terrorism.
Figure 3: Top ten 2019 growth threats
Increase your cyber resilience in five steps
Cyber resilience denotes a company’s hardiness and array of preventive and reactive measures against cyber threats, and should thus be made a part of any company's DNA as a matter of urgency. Having said that, as little as 60 per cent of the Swiss CEO respondents consider their businesses to be cyber-resistant. Globally, the figure is at 75 per cent. However, experience teaches us that this figure is decidedly too optimistic (figure 4). Swiss companies tend to have insufficient protective mechanisms and reactive measures in place, despite their risk awareness for cyber threats. Cost concerns often result in hesitant improvements.
Figure 4: Assessment of cyber resilience
Companies need to be able to identify cyber incidents rapidly, with action plans that ensure a structured and effective procedure in the case of a cyber incident. Pre-defined procedures make sure that a cyber incident can be fed into a contingency scheme, should the situation require it. Roles and responsibilities have to be assigned clearly to tackle pre-defined tasks efficiently and productively even in times of duress.
Cyber resilience is categorised into five cyclical phases according to the ICT minimum standard of the Federal Office for National Economic Supply (FONES) and based on the global standards of the National Institute of Standards and Technology (NIST):
- Identify: Cyber resilience is based on strategic guidelines that include an inventory of databases, systems and appliances as well as an assessment of their criticality. Clear governance pins down responsibilities, while risk management embraces detailed processing steps with the aim of identifying, assessing and containing cyber risks.
- Protect: This phase tests and establishes solutions to avoid cyber threats. This involves a role-based time management with a tight administration of access rights, security solutions with recovery functions, or awareness trainings for staff. In all this, the protection of sensitive data remains the top priority.
- Detect: A mixture of technical tools, technically competent employees and defined processes as well as active surveillance of security-relevant information and a warning system against cyber threats all guarantee rapid detection of anomalies and incidents.
- Respond: In the event of a security incident, a company must react swiftly and with precision so as to avoid the loss of data and an ensuing financial and reputational damage. This phase comprises e.g. the isolation of affected networks and users, the error correction, the patching of firmware, operating system, applications, drivers and hardware, as well as the corresponding crisis communication. To contain the damage, responsibilities and processes must be clearly defined in this phase, too.
- Remediate: Systems and data that have been compromised by an attack must be remediated as quickly as possible. A remediation strategy is imperative in order to minimise the impact on daily business operations. It defines the usage of verification tools for recovery, the process of evidence collection and the validation of backup integrity.
Cyber resilience is a cyclical process. An attack is analysed retrospectively, and the insights gathered are fed into the actualisation of the strategic guidelines for cyber resilience.
Figure 5: The cyber resilience cycle
Increase your cyber resilience with PwC
Despite the fact that cyber threats are real, cyber resilience has not yet been sufficiently integrated into company strategy and structure. Weighing a cyber security investment against the extent of an attack and the ramifications suffered by a company is certainly difficult, which may explain why the necessary protective measures are often not enacted.
We are observing the following trend: IT security infrastructures are being outsourced in favour of more cyber risk insurance contracts. This externalisation, however, does not relocate responsibility, it simply remains with the company. For this reason, companies must enact suitable measures and enter partnerships to at least fulfil the regulatory requirements in connection with cyber resilience and data protection. Personal data in particular needs to be protected adequately according to the Swiss and EU regulation on data protection. Business data and trade secrets allow for a risk-based protective approach.
Companies therefore have to build and extend their resilience against threats and attacks. A systematic analysis of their abilities as well as their transparency with reference to the data that needs protecting certainly makes for a good start to increase the maturity of companies’ resilience. Please see the checklist of the FONES.
PwC has developed a questionnaire based on this checklist: www.pwc.ch/care. It allows for an individual overview of the cyber risks in your company. The pinpointed weaknesses can build the basis for decision-making when it comes to improving your cyber resilience.