With the digitalisation of the economy gaining ground so rapidly and the number of smart devices exploding, new cyber risks are bound to emerge. To protect themselves, companies will have to share information on the nature of any attacks they incur and train their employees better.
“With companies being increasingly interconnected and smart devices being further developed, new cyber risks will arise. Cyber risks come in many shapes and sizes, and they are evolving rapidly, with the ones we face today being outdated by tomorrow.”
Cybersecurity remains a major concern for the majority of companies when they launch new digital projects. According to the ‘PwC 2019 Risk in Review Study’, 51% of those surveyed say cybersecurity is their main concern, ranking far higher than operational or technological risk or confidentiality issues.
This percentage will continue to increase as digitalisation rapidly spreads through the economy. Hand in hand with this development, cyber attacks will multiply at the same speed. Companies will have to step up their efforts if they are to be effectively protected.
This is all the more true as new cyber risks emerge, both as companies become more interconnected and as smart devices are developed. In fact, it is estimated that by 2020, there will be 200 billion smart devices on Earth: smartphones, pacemakers, lifts and even toothbrushes.
Cyber risks come in many shapes and sizes, and they are evolving rapidly, with the ones we face today being outdated by tomorrow. They may stem from social engineering, computer viruses or data leakages.
Figure: What are the most acute risks stemming from your organisation’s digital initiatives? (Source: PwC 2019 Global Risk, Internal Audit and Compliance Survey)
Some 51% of those surveyed identify cybersecurity as their main concern when launching new digital projects, ranking it far higher than operational or technological risk or confidentiality issues.
It is vital that clients trust digital products and services
Cyber attacks have only one thing in common: they are ever changing. There’s a new type every year. In 2017, for instance, ransomware such as WannaCry – malware that encrypts personal data and won’t decrypt it unless a ransom is paid – occupied the headlines. We have recently observed cryptojacking, whereby cryptocurrencies are mined on the devices of unwitting Internet users. Every year, people continue to fall victim to CEO fraud, whereby hackers pass themselves off as CEOs of companies and demand that sums of money be transferred.
“Many companies want to bring their digital products and services to market ever more quickly, without taking the time to conduct the requisite security checks. But they are vital! Digital transformation within companies must go hand in hand with building clients’ trust in digital products and services. Without that trust, companies may crumble.”
The financial and regulatory risk to companies is certainly considerable. To add insult to injury, the new EU General Data Protection Regulation (GDPR) provides for fines of up to 4% of a company’s global revenues. Google recently had to pay several million. However, the risk to a company’s reputation largely outweighs the amount due. It calls a fundamental element into question: the clients’ trust. Reputational damage is assuming an ever more decisive role. Banks, for their part, have understood the importance of protecting and updating their IT infrastructures. They have some of the highest levels of security. Conversely, some companies want to bring their digital products and services to market ever more quickly, without taking the time to conduct the requisite security checks. But they are vital! Digital transformation within companies must go hand in hand with building clients’ trust in digital products and services. Without that trust, companies may crumble.
Exchanging information is essential
With these possible consequences in mind, companies tend to conceal any attacks they incur. Yet it is precisely by sharing this information and disclosing the modus operandi of cyber attacks to as many people as possible that we may be able to define how they work and limit their reach. Moreover, collaborating with the authorities and sharing as much information as possible about cyber attacks would enable us to foresee future threats. To date, companies have been reluctant to divulge this information. They were embarrassed to do so. It is encouraging to see that the EU, by means of the GDPR, now requires them to report any cyber incidents and that the Swiss Confederation considers such an obligation as part of its national strategy for the protection of Switzerland against cyber risks for 2018 to 2022. This improves everyone’s security. It is therefore a case of changing the mindset at the heart of companies in the interests of the entire economic ecosystem. When a shop or bank is robbed or someone’s home is burgled, victims don’t hesitate to file a complaint and spread the word about their case. We must apply the same approach to cyber attacks. Sharing information is vital. Every company will suffer a cyber attack at some point or other. The question is no longer whether they will be attacked, but rather when. This is why it is so important to train the entire workforce and all managerial staff in cybersecurity, and to conduct full-scale exercises to prepare security teams and management to react to cyber attacks.
Staff training is essential
Alongside sharing information, training employees is the other essential element in the fight against cyber attacks. In fact, in this war, the human being is often the weakest link. Technology performs as a bastion, but employees are unable to stop cyber attacks due to a lack of training. Companies have made huge investments in technology to protect themselves from cyber attacks. They have built ever higher, ever thicker walls. This strategy will fail because employees have not been provided with sufficient training. However, if employees are made sufficiently aware, they become the last bastion. They have what no machine will ever have: intuition. If we are well prepared, we human beings can become the strongest defence against cyber attacks.
In addition to providing training, if the risk of cyber attacks is to be minimised, it is essential to involve those responsible for security and data protection from the very beginning of any new digitalisation project, which facilitates the anticipation of risks and avoidance of security weaknesses. This, however, is not yet done to a sufficient extent, as is shown in our annual cyber security study The journey to digital trust - Digital Trust Insights October 2018. It compiles responses from 3,000 people around the world. It shows us that companies could do better. In fact, only 54% of those surveyed involve experts from the very beginning. For their part, those tasked with security and data protection must become facilitators and shake off their reputation as naysayers who never give the green light. They too have to evolve.
A society’s vulnerability is measured by three yardsticks: the people, the technology and the controlling environments. At PwC, we explore companies’ capacity to defend themselves by organising an analysis of pertinent cyber risks, conducting IT system penetration tests and, lastly, conducting phishing campaigns to test employees’ reactions. A company’s cybersecurity is founded upon a well-considered mixture of technology, processes and human skill – none of which may be neglected.
Companies have made huge investments in technology to protect themselves from cyber attacks. They have built ever higher, ever thicker walls. This strategy will fail because employees are not trained. However, if employees are made sufficiently aware, they become the last bastion. They have what no machine will ever have: intuition.