Build resilience for any scenario

The threat outlook for the next year

In these uncertain times, businesses want certainty. Forty percent of executives in our Global DTI 2021 survey plan to increase resilience testing to ensure that, if a disruptive cyber event occurs, their critical business functions will stay up and running.

The likelihood of cyberattack is greater in 2020 than ever before. The year has brought a surge in intrusions, ransomware, and data breaches, along with an increase in phishing attempts.

We asked executives to rank the likelihood of cyber threats affecting their industry, and the impacts on their organizations, over the coming year. IoT and cloud service providers top the list of ‘very likely’ threat vectors (mentioned by 33%), while cyber attacks on cloud services top the list of threats that will have ‘significantly negative impact’ (reported by 24%).

Threats, actors, and events: relative likelihood and impact

(Respondents who have selected 'Don't Know' for Likelihood OR 'Impact Unknown at this time' for Impact have been excluded from this analysis to ensure that the same base is used on both scales.)

Relatively high-likelihood, high-impact threats

More and faster digitization means an increase in digital attack surface and potential for harm to the business. Most likely to occur in the next year and potentially most damaging, survey respondents said, are attacks on cloud services, disruptionware affecting critical business services (operational technology), and ransomware. Are your investments addressing these threats?

Fifty-five percent say it’s likely or very likely that their cloud service provider will be threatened in the next year, 45% say the impact would be negative or very negative. Fifty-seven percent deem an attack on cloud services to be likely, and 59% say the impact would be negative or very negative. A similar number (56%) rate a ransomware attack likely or very likely over the next year, and 58% say the consequences would be negative or very negative.

Technology companies are attuned to the threats on cloud services: more executives in the technology, media, and telecommunications industry (TMT) assign “very high” likelihood to such threats.

Relatively low-likelihood, high-impact threats

Next, we come to a cluster of threats considered low-likelihood, high-impact. Business leaders have been wrong before, however: in the World Economic Forum’s Global Risk Report 2020, ‘infectious diseases’ was deemed an unlikely threat. We can’t predict the future; we can only plan for it. Have you tested resilience plans for a wider range of threats?

In this category are disinformation attacks (54% likelihood and negative impact) and threats sponsored by nation-states (48% likelihood, 51% negative impact) and competitors (53% likelihood, 56% negative impact). Executives in industrial manufacturing, financial services (FS) and TMT are particularly attuned to nation-states as threat actors.

Organizations have much to do to develop enterprise resilience, according to our study of resilience last year and a September 2020 poll of risk executives. Going forward, a key factor for most organizations will be the orchestration of separate business continuity, disaster recovery, and crisis management functions in most organizations.

Relatively high-likelihood, low-impact threats

Relatively high in likelihood but lower in impact are ever-present threat vectors, such as attacks via IoT (65% likelihood, 44% negative impact) and cloud providers as well as those posed by third parties (49% likelihood, 52% negative) and social engineering (63% likely but negative impact for just 49%). Health industry executives are particularly concerned about the impact of attacks via third parties.

Good cyber hygiene is imperative to stave off these threats. Talent and tools that harness data in real time to detect threats and respond to them are progressing rapidly.

How ready are you for the coming threats?

More executives in FS, TMT, and health industries think misinformation and ransomware are very likely to occur in the next year. Executives in energy, utilities, and resources are more likely to predict a significant negative impact from almost all threats.

If you were to draw up a likelihood-impact grid containing the cyber threats, actors, and events your organization faces, what would it look like? How is your cyber spending allocated to address these?

And how would the cyber risks compare against the other threats your organization faces? “Aggregating information security risk and comparing it to all the various other risks that exist within the organization is powerful, and it's how organizations should look at enterprise risk,” says Adam Mishler, CISO, Best Buy.

More than three-quarters of executives in our Global DTI 2021 survey say that “assessments and testing, done right, can help them target their cybersecurity investments.”

“Aggregating information security risk and comparing it to all the various other risks that exist within the organization is powerful, and it's how organizations should look at enterprise risk.”

Adam MishlerCISO, Best Buy
Follow us

Contact us

Sean Joyce

Sean Joyce

Partner, Global Cybersecurity and Privacy Leader, PwC United States