Organisations become increasingly complex as they grow — to avoid the associated risks, simplification is necessary
Data insights are critical to cyber and business strategy, but a good data trust foundation is needed for accuracy.
Businesses are facing increasing cyber risks from third-party relationships and software supply chains.
As an organisation’s system interdependencies grow more complex and digital connections multiply, so too does the risk of a cyber breach. Attackers are on the hunt for vulnerabilities within networks as 2021 shapes up to be one of the worst on record for cybersecurity.
In this year’s annual survey, PwC Australia's 2022 Global Digital Trust Insights (global version), takes a look at the intricacies of cybersecurity and asks: is business now too complex to secure? Leaders are rightly worried, as the increasing entanglement of technologies and business poses cyber and privacy risks. Not all technology can be simplified, but where it can, it must be done consciously and deliberately, and the C-suite has a critical role to play.
The report asks four questions that will help align the business to yield significant cyber protection dividends. In simplified form, these are:
1. Can the CEO make a difference to your organisation’s cybersecurity?
According to PwC’s 24th Annual Global CEO Survey, 95 percent of Australian CEOs view cyber attacks as their number one threat to growth. Yet the findings of this year’s Digital Trust Insights suggest there is an expectations gap at play, with CEOs thinking they are more involved in, and supportive of, setting and achieving cyber goals than their teams believe they are. According to the executives surveyed, CEOs are seen to be more likely to take part in cyber and privacy issues only after a breach, compliance review or during the discussion of key metrics in board meetings. Given the CEO’s role in instilling culture, this mismatch could spell disaster if a false sense of security pervades the business.
The gap also rears its head when respondents are asked how much support the CEO provides the CISO. CEOs fairly consistently perceive they provide adequate resources and funding, help embed cyber and privacy in key operations and business decisions, and empower cyber leadership to clarify roles and responsibilities more than their non-executive counterparts believe they do.
The CEO’s engagement and support wields long-term impact: globally, executives in most regions say that educating CEOs and boards to better fulfil their cyber role is the most important aspect of a more secure society. With 70 percent of Australian businesses not getting the support they need from the top, it’s time for CEOs to make explicit statements establishing the imperative for security and privacy organisation-wide, empowering and supporting their CISOs, and modifying business and operating models based on their advice.
2. Is your organisation too complex to secure?
Cybersecurity relies on knowing what’s happening across business functions, and when an organisation is overly complex, that visibility is easily lost. Seventy-eight percent of the C-suite surveyed in Australia (consistent with their global counterparts) say their companies are unnecessarily and avoidably complex, posing concerning cyber and privacy risks.
Complexity isn’t a bad thing, in and of itself — as a business grows, it’s often a normal by-product. The larger an organisation, the more people and technology it needs to service customers. But the associated risks can easily go unnoticed or ignored until an attack occurs. Simplification can improve security, yet only 31 percent of survey respondents have completed any streamlining of their operations — and one fifth haven’t done anything at all or are just getting started.
Globally, there is a consolidation of tech vendors and applications occurring in an attempt to reverse the tangle of software and tech stacks. However, when asked which simplification initiatives were priorities for their organisation, survey respondents couldn’t choose, giving near equal importance to all of them.
Moving to a cloud-first approach, when done right, could certainly help — allowing for flexibility and accelerated innovation while simplifying processes and IT architecture. Businesses should make sure to include the CISO and security teams early on in any migration or adoption.
3. How do you know if you’re securing your organisation against the most important risks?
Data is essential in being able to understand risks and opportunities, but it needs to be the right data. For data trust — that is, accurate, verified and secured data — a good foundation is needed. Over a third of respondents believe they have mature, fully-implemented data trust processes in place when it comes to governance, discovery, protection and minimisation. But nearly one fifth have no formal data trust processes at all and only one third report having a full, formal data governance program.
Data is the asset that attackers covet most, so companies must minimise the risk by minimising the target. To start, they should keep only what they need and protect what they do have. Drafts, duplicates, old data (from customers or employees) and other low-value data are likely unnecessary to store, especially when high-value data should take precedence. Retaining them is not only a risk from hackers, but a potential compliance and regulatory issue too.
Fewer than one in three Australian businesses say they’ve integrated analytics and business intelligence tools into their operating model, meaning they’re also likely losing out on being able to turn data into insights for autonomous threat detection. The intel on threats from data, and the tools that help to surface, explain and use it, help executives make better decisions and risk management calls, so it’s powerful in its own right, and in empowering boards and CEOs to increase investment.
4. How well do you know your third-party and supply chain risks?
Third-party risks are a major blind spot that cyber attackers are increasingly willing to exploit; however, the complexities of business partnerships and vendor/supplier networks are obscuring these risks. Only 41 percent of respondents say they fully understand the risk of data breaches through third parties. Nearly one fifth have little to no understanding of these risks at all. Executives are aware of the risk of software supply chains, yet relatively few have formally assessed their exposure in this regard.
As digital interactions have become cheaper and more common, the cost of multiple partnerships has gone down. Consequently, dependence on third parties continues to rise. Over the past ten years, vendors and hijacked software updates have accounted for 60 percent of software supply chain attacks and disclosures.[1] Even when an organisation has good cyber defences, lax protection on the vendor side allows attackers a new way in. Detecting and stopping these software-based attacks can be very difficult given the interdependencies of components; therefore, mapping your third-party relationships and dependencies for visibility is a must. Software vendors should be scrutinised against performance standards and testing, and a third-party tracker can help find weak supply chain links.
Collaboration is increasingly important to an organisation's cyber-business ecosystem, such as the sharing of threat intelligence. So far, not much is being done. Fewer than one-third of respondents said their public-private collaboration efforts are ‘very effectively’ helping them achieve their cyber goals. Informal industry sharing groups that allow free flow of information (without fear of repercussions) still need to be established.
Want more? Hear about the results of this year's Global Digital Trust Insights Survey, revealing the current thinking and future outlook of over 3,600 business, technology, and security executives at our free virtual event on Thursday, 18 November.