Ransomware cyberattacks are big news these days. In May, WannaCry, the malicious, self-replicating cryptoworm, stole headlines after it crippled hundreds of thousands of computer systems worldwide, including those belonging to the UK’s National Health Service and the Russian Interior Ministry. This episode is the latest in a series of high-profile hacking incidents that collectively underscore the need for public and private organisations to proactively manage cyber risks. So what are leaders doing to keep society safe from emerging threats in cyberspace?
Our Global Economic Crime Survey 2016 found that cybercrime is now the second most reported economic crime after misappropriation of assets. Almost a third (32%) of organisations admitted that they had already been affected by cybercrime, with a similar number (34%) believing it would impact them within the next two years. Ominously, another 18% of respondents had no idea whether their organisation had been the target of cybercrime or not.
Unfortunately, falling victim to a cyberattack can be a very expensive business. A handful of respondents (approximately 50 organisations) said they had suffered losses over $5 million. Of these, nearly a third reported cybercrime-related losses in excess of $100 million. Many organisations have significant room for improvement in terms of proactively managing threats in cyberspace. Just 37%, for example, have a cyber incident response plan in place.
It seems that some CEOs lack confidence in their readiness to handle a major crisis such as a cyberattack. According to a recent CEO Pulse survey, 65% of CEOs feel most vulnerable about their ability to gather information quickly and accurately during a crisis. Over half worry about how they will communicate with both employees and external stakeholders, while 38% feel there is a lack of clarity over when management should take responsibility and when individual teams should make independent decisions.
This confusion could explain why some organisations bungle their responses to data breaches. As PwC’s Paul Robertson comments on the CEO Pulse survey results, “getting the response right actually relies on a pro-active effort; planning ahead, being aware of the risks, building the response structures and exercising that capability.” Leaders need to build their own confidence that their capabilities in defence and response are robust and to be well-informed before a breach ever occurs.
So what can leaders do to resist a cyberattack? According to PwC’s David Burg and Sean Joyce, effective resistance has “less to do with any particular technological factor, and everything to do with proactive risk management in general.”
The methods that companies use to secure large amounts of data today are riven with vulnerabilities and weaknesses. Data is relatively easily compromised, making it a tempting target for cyber criminals. Yet companies will face increasing pressure to correct such laxness once the General Data Protection Regulation (GDPR) is introduced in May 2018. This regulation will fundamentally change how personal data is handled in all EU member states and put greater responsibilities on organisations that process information.
Our report, Technology’s role in data protection, underscores the need to have safeguards for personal data designed into the very fabric of business operations and the technology behind them. The way that people, processes and technology interact during the handling of personal data will change forever.
Significantly, the GDPR is not just an issue for business leaders in Europe. The punitive fine that companies risk if they do not comply – potentially 4% of global revenues – is causing boards around the world to take the GDPR very seriously indeed and to set budget aside for it. A PwC survey in January found that more than three-quarters (77%) of US companies plan to allocate $1 million or more to GDPR readiness and compliance efforts.
In some cases, leaders have been slow to understand emerging cyber risks and to proactively prepare by developing incident response plans. Encouragingly, however, our Global State of Information Security® Survey 2017 shows that organisations are starting to catch up. They are investing in innovative cybersecurity measures and privacy safeguards, both to manage threats and to achieve competitive advantage. They are also thinking more broadly about cybersecurity and privacy. More than half of respondents say they collaborate with external partners to improve security and reduce risks. Cybersecurity also remains a key topic for policymakers. In the United States, for instance, the White House recently released a cybersecurity executive order.
Undoubtedly, the effective collection and management of customer data presents great opportunities to organisations. Gaining from connectivity without losing trust is a delicate balancing act, however. This is something that CEOs clearly appreciate since 69% of respondents to our 20th CEO Survey believe that the way in which they manage people’s data will differentiate them from competitors.
As people’s interactions with organisations become ever more automated, data-driven and virtual, CEOs are paying close attention to how technology is changing human behaviours. More than two-thirds of CEOs are convinced that it is harder to gain and retain people’s trust in an increasingly digitalised and connected world. That’s why it is imperative that their organisations manage and protect the data they collect in a way that helps to establish trust in future.