Cyber security has come a long way in the last few decades. Once a reactive, IT add-on focused solely on technology, it has matured into a profession in its own right, with the cultural, technological and business understanding that is required to combat a growing threat landscape.
That’s the headline of PwC’s Digital Trust Insights 2021 report, which surveyed 3,249 business and technology executives around the world to find out what’s next in cybersecurity.
COVID-19 has changed the way people work. Employers and employees are embracing work-from-home models if not indeed restricted to them. The pandemic has also changed the way people live, with evidence pointing to a rise in the uptake of online shopping, telehealth and digital entertainment. In response, organisations are accelerating their digital transformation plans, and with that their cyber strategies.
A focus on resilience will be key for business, with the seismic nature of the global health crisis bringing an undeniable reality-check on just how robust, or vulnerable, they might be — and cyber is no exception. But increasing hardiness and improving incident response won’t be as simple as ‘hiring more cyber staff,’ and businesses will need to look within to address any gaps.
Between July and August, when the Digital Trust survey was conducted, only 19 percent of Australian respondents said that their businesses were fully onsite. Much more common were businesses with only ‘essential workers’ in the workplace (38 percent) or with less than full capacity (23 percent).
The health crisis and economic recession are stoking changes to the Australian business landscape, and organisations are digitising their operations (such as via ecommerce, new business models and direct-to-consumer approaches) at surprising speeds. Thirty-nine percent of executives in Australia say they accelerated these plans, on par with the global figure of 40 percent.
Yet for Australian businesses, digital ambitions have been set much higher than simply ‘making do’ in a difficult situation. Eighteen percent (globally and in Australia) say their primary aspiration for change is to break into new markets. And in Australia, 27 percent say they are transforming to change core business models and redefine their organisations — higher than the global figure of just 21 percent and 25 percent in the US. Far fewer in Australia say they are undertaking transformation purely for efficiency (22 percent) compared to the global response (29 percent). Thirty-two percent of Australian executives cite modernisation and accessing new capabilities as reasons for transformation.
The speed of this change brings new risks, however, and cybersecurity measures need to keep in step. Nearly all respondents in Australia say they are planning to shift their cybersecurity strategy due to COVID-19. In fact, pleasingly, given Australian businesses’ more ambitious transformation plans, 60 percent reported an intent to bake cybersecurity and privacy implications into every business decision or plan off the back of COVID-19, compared with 50 percent globally. Such forward-thinking strategies will be necessary given the uncertainty that lies ahead.
If the pandemic and subsequent economic downturn weren’t enough to deal with in a year, 2020 has seen a surge in intrusions, ransomware, data breaches and phishing attempts across the globe.1 In response, businesses are shoring up their defences, the survey found. Forty-five percent of Australian cyber executives say that they see an increase in resilience testing to ensure that if a disruptive cyber event occurs, critical business functions will remain up and running.
When asked to rank the likelihood of threat vectors affecting their industry, and the impact they expected them to have in the coming year, IoT and cloud services providers were ranked highly as targets, with Australian execs viewing them as more likely, and the impact more significant, than their global colleagues.
In regards to specific cyber events, high-likelihood, high-impact threats could increase with the aforementioned digitalisation efforts. For example, cyber attacks on cloud services providers are, for 66 percent of Australian respondents, considered to be ‘somewhat’ or ‘very likely’ to occur in their industry in the next 12 months. Disruptionware attacks on critical systems rank second, with 63 percent anticipating their likelihood. Ransomware attacks are similarly considered likely by 61 percent of respondents.
Notably, in all event categories, Australian cyber executives anticipate a higher likelihood and higher impact of incidents than global respondents. In comparison, US cyber execs, while also more cautious when it comes to the likelihood of these events than global counterparts, believe they will see less impact (low to mid 50s in percentage) than global or Australian executives do.
In terms of practices and approaches that will grow resilience in the face of such threats, 19 percent of Australian respondents (‘early switchers’) say they are already realising the benefits of cybersecurity teams collaborating more with the business in delivering organisational outcomes, 16 percent from improving the security team’s skills, and 15 percent from greater CISO alignment and interaction with the CEO, leaders and directors. Many more (in the mid-high 20 percentage range) have implemented such practices at scale, or plan to start their implementation in the next two years, allowing them to improve their cybersecurity posture.*
Still, organisations have much to do to develop enterprise resilience, according to last year’s report and a September 2020 poll of risk executives. A key part of that readiness will be ensuring that businesses have the right cyber staff to support them.
More than half (51 percent) of executives in the survey’s global cohort say they plan to add full-time cybersecurity personnel over the next year. More than one-fifth (22 percent) say they will increase their staffing by 5 percent or more — but that likelihood drops to just 11 percent for Australian respondents.
Though 40 percent of Australian respondents believe they will see an increase in staff, the majority of those (29 percent) believe it will be at less than 5 percent. Considered more likely is that cyber personnel will remain stable at current headcounts. A substantial 28 percent of Australian respondents, however, foresee a decrease, perhaps due to economic pressure from the pandemic or a view that cyber capabilities can be effectively outsourced.
The top roles cyber execs want to fill in Australia are security intelligence, cloud solutions architects, and analytical skills. Global responses rated similarly; however, a significant problem lies in the fact that cloud security and security analysts are among the roles in shortest supply.2 Hiring managers face tough competition in the labor market, and globally, some 3.5 million cybersecurity jobs are expected to go unfilled in 2021.3
Enterprises that are feeling the pinch of the cybersecurity skills gap may find such talent in their own backyards. Businesses, according to the survey, are hiring from within, offering upskilling to increase employee skills in the same key areas they’re hiring for: digital skills, business acumen, and social skills.
For Australian survey respondents, computer programming, systems (e.g. engineering) and business process acumen are high on the list of focus areas they intend to upskill existing teams in over the coming year. Data communication, cloud solutions and project management aren’t far behind.
In the past three years, Australian cyber teams report having faster response times to incidents and disruptions (83 percent compared to 78 percent in the US and 79 percent globally), increased prevention of successful cyber attacks (81 percent; US 79 percent; global 78 percent) and more successful outcomes for their organisation’s transformations (83 percent; US 78 percent; global 77 percent).
These are great achievements. However, with digitalisation efforts gaining pace and increasing ambition to redefine business models, there is little time to rest on cyber laurels. If hiring isn’t likely (or able) to be substantial, upskilling will have to fill in the gaps to ensure that Aussie organisations can build the resilience needed to ensure stability.
We encourage you to download the full Digital Trust Insights 2021 report for further insights into the state of cybersecurity, including thought leadership on how cyber executives can encourage their businesses to provide budget for initiatives.
Visit PwC Australia’s cyber security page to find out more about cyber incident response and details on how we can help your organisation uplift its cyber maturity.
*See the Digital Trust Insights report for the full range of practices.