Cloud attacks are top cyber risk concern: PwC 2024 Global Digital Trust Insights

• Mega breaches are increasing in number and scale — and cost
• Cyber budgets in 2024 are increasing, and at a higher rate compared to last year
• PwC cybersecurity specialists do not expect GenAI to lead to a surge in ‘catastrophic’ cyber attacks — contrary to the majority of respondents (52%) who said that such attacks could happen within the next year

9 October – PwC’s 2024 Global Digital Trust Insights survey found that the proportion of businesses that have experienced a data breach of more than US$1M has increased significantly from year over year - from 27% to 36%.

The survey of 3,800 business and tech leaders across 71 countries, also finds that companies are viewing the rise of Generative AI with a mixture of scepticism and excitement, and many are bulking up investments in cybersecurity to protect against cyberattacks.

Organisations who show greater maturity in their cybersecurity initiatives, report a greater number of benefits and a lower incidence of costly cyber breach of USD$1M, or a breach at all.

While businesses that have experienced a data breach have increased since PwC’s 2023 survey, the healthcare industry has been the most impacted. The global average cost of a damaging cyber-attack was reported to be $4.4M, while in the healthcare sector that cost was 25% higher - -$5.3 million. Nearly half (47%) of all healthcare organisation’s respondents reported a data breach of $1M or greater. 

As company size increases, so does the average cost of their most damaging breach. Companies with more than $10 billion report breaches of $7.2 million while those companies with less than $1 billion report $1.9 million in damages.

Bruce Scott, Cyber leader for PwC in the Caribbean, said: “Cybersecurity continues to be a priority for business leaders globally. Executives need to be agile and adapt to the changing market - and challenge the status quo by building security into the fabric of the organisation instead of reacting after there is a crisis.”

More than 40% of leaders said they do not understand the cyber risks posed by emerging technologies, like virtual environment tools, Generative AI, Enterprise Blockchain, Quantum Computing and Virtual Reality / Augmented Reality.

Anthony Zamore, Director, PwC Trinidad and Tobago said: “Organisations should adopt a Responsible AI toolkit to guide the trusted and ethical use of AI. Although it’s often considered a function of technology, human supervision and intervention are essential to AI. And along with security and privacy risks, they must now account for additional areas involving data risks, model and bias risks, prompt or input risks and user risks when they begin working with GenAI.”

The rise of ‘DefenseGPT’

Among business and tech leaders, there is increasing concern over the rise of Generative AI as it relates to cybersecurity. Another surge in cyber threats may be coming because GenAI can help create advanced business email compromise at scale. CISOs and CIOs should pay attention to a prevailing sentiment: 52% expect GenAI to lead to catastrophic cyber attacks in the next 12 months. Nearly eight in 10 (77%) agreed they intend to use GenAI in an ethical and responsible manner.

Three quarters of business and tech leaders expressed excitement about the potential of Generative AI:

• 77% agreed that “Generative AI will help our organisation develop new lines of business within the next three years;
• 74% agreed  “Employees’ personal use of Generative AI will lead to tangible increases in their productivity within the next 12 months;
• 75% agreed “Generative AI-driven processes within an organisation will increase employee’s productivity within the next 12 months”.

GenAI is strong at synthesising voluminous data on a cyber incident from multiple systems and sources to help leaders understand what has happened. GenAI can present complex threats in easy-to-understand language, advise on mitigation strategies, and help with searches and investigations.

The ‘Stewards of Digital Trust’

Cybersecurity improvements and consistency are required, with less than one-third of organisations reporting they are performing key leading cyber-related practices on a consistent  ‘usual’ basis. To explore this further, PwC developed an index to identify which organisations have cybersecurity teams that are demonstrating leading cyber practices on a consistent basis. But out of all the respondents, we found five percent of organisations that report consistent implementation of 10 defensive and growth-minded cyber practices; we call them the ‘Stewards of Digital Trust’.

More than half (53%) have revenues of $5B or greater and are more likely to be ‘high growth’ organisations having experienced and expect revenue growth of +10% in the past and upcoming 12 months (17% vs 9% overall).

These organisations are also more likely to say that the most damaging cyber breach in the last three years cost them less than $100K (28% vs 19% overall). While 36% of organisations overall experienced a $1M+ cyber breach, this reduces to 29% of Stewards of Digital Trust who cited experiencing a breach of this magnitude. They are also more positive about the potential impact of Generative AI – many strongly agree it will develop new lines of business (49% vs 33% overall) and they will use Generative AI tools for cyber defence (44% vs 27%). They are also more likely to disagree that ‘Gen AI will lead to a catastrophic cyberattack’ (33% vs 22% overall). They’re less likely to allow deployment of GenAI tools before having internal policies in place (31% disagree vs 19% overall and 53% agree vs 63% overall).

Business leaders are doubling down on cybersecurity investment

Despite the continued increase in climate change-related natural disasters, ongoing impacts of the Covid-19 pandemic, and rising inequality, business and tech leaders ranked digital and tech as the top risks they are prioritising for mitigation over the next 12 months.

The top three cyber-related threats reported are: cloud-related threats, attacks on connected devices, and hack-and-leak operations. Despite this, more than one-third of companies haven’t instituted risk management efforts, and only one-in-four have made cyber-resilience improvements.

Only two percent of organisations are optimising and continuously improving across all areas of cyber resilience.

Upskilling and reskilling

Organisations will need to think about their talent acquisition and retention strategies when it comes to keeping the workforce engaged and informed. Leaders cited “upskilling our current workforce fast enough to keep up with the demands of our organisation”; “rebalancing between in-house and outsourced or managed services”; and “identifying the right candidates for openings” as the three biggest priorities as it relates to cyber talent strategy. Organisations who have experienced a cyber breach of +$1M are more likely to rank competing for talent in the market (52%) in their top three priorities.