Organizations failing to prepare effectively for cyberattacks: PwC

Disruption of operations is the biggest consequence of a cyberattack, followed closely by the compromise of sensitive data, according to a new survey from professional services company PwC.

The 2018 Global State of Information Security Survey (GSISS), released late last week, is based on responses of more than 9,500 senior business and technology executives from 122 countries, including those in North America (38%), Europe (29%), Asia Pacific (18%), South America (14%) and the Middle East and Africa (1%).

The survey found that disruption of operations was the biggest consequence of a cyberattack (cited by 40% of respondents), followed by the compromise of sensitive data (39%), harm to product quality (32%) and harm to human life (22%).

As well, 44% of those polled said that they do not have an overall information security strategy, 48% do not have an employee security awareness training programme and 54% don’t have an incident-response process, PwC said in a press release. When cyberattacks occur, most victimized companies say they cannot clearly identify the culprits – only 39% of survey respondents say they are very confident in their attribution capabilities.

PwC added that the soaring production of insecure Internet of Things (IoT) devices is creating widespread cybersecurity vulnerabilities. Rising threats to data integrity could undermine trusted systems and cause physical harm by damaging critical infrastructure. Meanwhile, there is a wide disparity in cybersecurity preparedness among countries around the world. In the 2018 GSISS, the frequency of organizations possessing an overall cybersecurity strategy is particularly high in Japan (72%), where cyberattacks are seen as the leading national security threat, and Malaysia (74%).

And high preparedness does not necessarily mean low risk, the report noted. For example, the UN’s 2017 Global Cybersecurity Index ranked the United States among the member states most committed to cybersecurity, second only to Singapore. But U.S. infrastructure is still vunernable to what the World Economic Forum deems the No. 1 business risk in North America: “large-scale cyberattacks or malware causing large economic damages, geopolitical tensions or widespread trust in the Internet. According to the report, the U.S. Department of Homeland Security has identified more than 60 entities in national critical infrastructure where damage, caused by a single cyber incident, could reasonably result in US$50 billion in economic damages, or 2,500 immediate deaths, or a severe degradation of U.S. national defense.

PwC recommends business leaders focus on three key areas to prepare effectively for cyberattacks:

1. C-suites must lead the charge and boards must be engaged – Senior leaders driving the business must take ownership of building cyber resilience. Setting a top-down strategy to manage cyber and privacy risks across the enterprise is essential;
2. Pursue resilience as a path to rewards, not merely to avoid risk – Achieving greater risk resilience is a pathway to stronger, long-term economic performance; and
3. Purposefully collaborate and leverage lessons learned – Industry and government leaders must work across organizational, sectoral and national borders to identify, map, and test cyber-dependency and interconnectivity risks as well as surge resilience and risk-management.

“Few business issues permeate almost every aspect of business and commerce like cybersecurity does today,” David Burg, global cybersecurity leader at PwC, said in the release. “Public-private coordination is critical to effectively addressing cybersecurity.”