UK businesses still failing to take cyber security seriously – PwC report
Nearly 10 per cent of UK companies don’t know how many cyber security attacks they have had this year and 14 per cent don’t know how they happened, according to PwC.
Turnaround and Transformation, the latest Global State of Information Security Survey released today by PwC in conjunction with CIO magazine and CSO, has revealed an escalation in the frequency, severity and impact of cyber-attacks.
However, the annual survey, which involved 10,040 executives from more than 127 countries, including 637 in the UK, also found that prevention, detection methods and innovation are on the rise as business leaders focus on solutions that cut risks and improve business performance.
With cyber risks becoming an increasingly prominent issue across UK boardrooms, the report examines how business leaders are looking towards new innovations and frameworks to improve security and mitigate enterprise risk.
Colin Slater, cyber security partner, PwC in Scotland, said: “Our businesses are operating in an increasingly digitally-diversified world. The flip side of this is highly sophisticated and constantly evolving cyber risks that can impact their brand, the trust of their customers and stakeholders, as well as revenues - both directly and through penalties - if not dealt with effectively.
“This week’s ruling on Safe Harbour and the upcoming changes to data protection legislation have the potential to massively impact those Scottish companies operating globally, and I doubt that many have this on their risk radar at the moment or understand the legal implications of these changes. This in itself highlights the speed and transient nature of these risks as well as their wide-ranging impacts on boards, tech, risk, audit, and finance. Covering all the bases in a cost-effective manner is difficult.
“Here in Scotland, reality still hasn’t hit home that the vital cogs in the wheel of our growing Scottish economy – our financial services, oil and gas and manufacturing industries in particular – are not impervious to cyber threats.
“While we are aware of an increasing investment focus across most sectors there are still challenges translating the potential risks and matching these to business strategies, imperatives and on-the-ground investment.
“The results themselves aren’t a surprise but the scale, complexity and focus required to translate these into business risks, and developing robust action plans in response, is clearly still challenging organisations in Scotland as well as globally.”
Adapting traditional cyber security measures to an increasingly cloud-based world is an example of this effort, with considerable investments being made to develop new network infrastructure capabilities that enable improved intelligence gathering, threat modelling, defence against attacks and incident response.
According to the report, 69 per cent of respondents use cloud-based security services to protect sensitive data and ensure privacy and the protection of consumer information.
Big Data and the Internet of Things present a host of cyber challenges and opportunities. In the case of Big Data, often considered a cyber liability, 59 per cent of respondents are using data-powered analytics to enhance security by shifting security away from perimeter-based defences and helping organisations to put real-time information to use in ways that create real value.
As the number of internet-connected devices continues to surge, the Internet of Things will inevitably increase the stakes for securing cloud-based networks. Investment intended to address these issues doubled in 2015, but only 36 per cent of UK survey respondents have a strategy specifically addressing the Internet of Things.
Mr Slater added: “Strong, accountable leadership in our boardrooms is needed to tackle this issue head on with a focus on creating operating models where cyber security has a voice at the top table.
“We are seeing the successful organisations take radical steps to understand their cyber security posture, proactively check for live intrusions and move to a ‘proactive assurance’ mindset.
“Phishing, social engineering, direct attacks, third-party supplier compromises and payment manipulations are constant reminders that one chink in your defence is all it takes to significantly disrupt operations, erode confidence and bring regulators to your front door.
“While money doesn’t cure all ills, focussing investment at the right things and, crucially, tracking activity with meaningful facts demonstrates progress. We still have a long way to go on the maturity of risk understanding for cyber, but hopefully by 2020 - given the prevalence and persistence of the risk and the shift in awareness revealed by the survey results - it will be ‘just what we do’.”