Canadian Underwriter

Swiss companies underestimate the threat posed by cybercrime: KPMG study


May 6, 2015   by Canadian Underwriter



Swiss businesses are ill prepared for cyberattacks, much too reactive in their approach and rely too heavily on technology while neglecting the human factor, according to a KPMG study released on Wednesday.


The study, titled Clarity on Cyber Security, found that a majority (63%) of the companies surveyed indicated their organization could certainly be an attractive target for cyberattacks, while some three-quarters of the respondents said that they have increased their cyber defence budgets over the past five years.

The study conducted by KPMG Switzerland was based on a combination of qualitative interviews with individuals and an online questionnaire of more than 60 companies. Individual interviews were conducted with C-level partners (CEO, COO, CIO, CMO) from a wide range of industries.

“In addition to the theft of customer data, intellectual property and business secrets, the perception of risks posed by cyberattacks is increasingly being extended to include attacks that disrupt business and production processes as well,” KPMG Switzerland said in a statement. “In fact, the economic damage caused by cybercrime in Switzerland came to around CHF 200 million last year.”

Related: Senior information security officials in U.K. do not trust cyber insurance products will pay out: KPMG

Due to the “constant, rapid state of flux” regarding cyberspace threats, nearly all (95% of) companies are “convinced that they are unable to protect themselves against the growing threat of cybercrime on their own,” the statement says. Some 51% of those surveyed do not expect to be able to fully prevent cyberattacks. 


“In light of that, it becomes even more important that attacks are identified as quickly as possible, that this is done in a very targeted manner and that any attack detected triggers an appropriate response,” said Matthias Bossardt, head of cyber security at KPMG Switzerland, in the statement. “Only 53% of the Swiss companies that took part in the survey even expect to identify attacks and also have the ability to respond appropriately. Less than half of them have contingency plans in place. And just 14% of enterprises use simulations and drills to test their contingency plans for effectiveness.”

Furthermore, 59% of the companies surveyed are either unconvinced that their contractors and vendors understand how to protect themselves against cyberattacks or do not have any information on the matter. Only 36% of companies set down cyber security requirements in their contracts with third parties and just 14% verify compliance with those requirements. “Considering how many successful attacks have already been made on contractors and vendors, this is an area where businesses have a lot of catching up to do,” Bossardt argued. 


According to the study, only 44% of people in executive management have a sufficient understanding of the various aspects of cybercrime as those pertain to their own company, despite the fact that 54% of those surveyed are of the opinion that their cyber experts communicate effectively with senior management.

Related: Cyber attacks major concern for small business owners in the United States: study

“In light of the threats lurking in cyberspace, their behavior is still much too reactive: 75% of those surveyed specified concrete incidents as the most important driver of efforts to intensify security measures,” the statement said. “Since merely half of the companies even attempt to calculate the losses sustained as a result of cyberattacks, 39% of the companies (32% of SMEs and 50% of large corporations) are unable to put a monetary figure on damage already done and identify trends.”

Since cybercrime by its very nature involves an extremely technical component, many companies make the mistake of focusing primarily on technology to combat it, KPMG argued. 61% of the respondents indicated that they concentrate primarily on technology, thus failing to pursue a comprehensive approach and only inadequately factoring in the human element. “While 75% of companies conduct employee training courses to boost awareness of the topic, many attacks are still succeeding because they exploit the human factor,” said Gerben Schreurs, partner in forensics at KPMG Switzerland.

