We often talk about raising cybersecurity awareness among employees as the first step an organization should take to better manage end-user risk. But more steps need to be taken — including education, application of cybersecurity best practices, and ongoing efforts to build a top-down culture of security — in order for organizations to see true and lasting improvement.
The same can be said of strengthening overall cybersecurity postures. Certainly, infosec professionals are very aware of the ramifications of cyberattacks. However, key findings from the 2018 Global State of Information Security® Survey (GSISS) show that “despite this awareness, many companies at risk of cyberattacks remain unprepared to deal with them.”
Survey Says: Organizations Need to Think About Resilience
The results of PwC’s GSISS are based on responses from more than 9,500 executives — CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices — in more than 120 countries. This year’s survey focused on comprehension and management of emerging risks. As noted in the key findings paper, “developing resilience to withstand cyber shocks — that is, large-scale events with cascading disruptive consequences — has never been more important.”
Given the current security climate, infosec professionals everywhere are clearly aware that a cybersecurity breach can have disastrous consequences. However, it’s not clear from the GSISS that executives at all levels fully grasp the magnitude of cyber risk. For example, when asked about anticipated results of a successful cyberattack against automation and/or robotics systems — a type of breach with both local and wide-ranging implications for a victimized organization — the responses seem to show that many executives aren’t acknowledging the potential fallout:
- Disruption of operations/manufacturing: 40%
- Loss or compromise of sensitive data: 39%
- Negative impact to quality of products produced: 32%
- Damage to physical property: 29%
- Harm to human life: 22%
Other responses also indicate a general lack of preparedness, with far too many organizations failing to implement basic prevention and response functions. The report states, “Many key processes for uncovering cyber risks in business systems — including penetration tests, threat assessments, active monitoring of information security, and intelligence and vulnerability assessments — have been adopted by less than half of survey respondents.” Here are some other worrying gaps:
- 54% of respondents said their organizations do not have an incident response process
- Only 50% conduct background checks
- 48% do not have an employee security awareness training program
- 44% do not have an overall information security strategy
- Only 39% said they are confident in their cyberattack attribution capabilities
Many organizations also lack definitive cybersecurity leadership and collaborative processes:
- Just 52% of respondents said their organizations employ a CISO
- Only 47% have dedicated security staff to support internal business operations
- Just 44% said their corporate boards actively participate in overall security strategies
- 42% have no formal process for collaborating with others in their industry
As noted by Sean Joyce, PwC’s US Cybersecurity and Privacy Leader, “Many organizations need to evaluate their digital risk and focus on building resilience for the inevitable.” For advice on how to do just that, access the Strengthening digital society against cyber shocks paper, the first in a series of key findings from the 2018 GSISS.