Getting Safe in Cyberspace is Now More Important Than Ever
Getting safe in cyberspace is now more important than ever
By Pat Moran, PwC Cyber Leader
Data is the lifeblood of businesses today. It is valuable to organisations but also to skilled cyber attackers. Increased automation and transitioning to cloud platforms is resulting in companies being exposed to new threats, making an effective approach to cybersecurity critical. Getting safe in cyberspace is now more important than ever.
PwC’s Irish 2021 CEO survey highlighted that nine out of ten Irish business leaders are concerned about cyber threats, and is a record high in all the years of the survey, having shot up from 78% last year and higher than global concerns (85%). However, the survey also revealed that more action to combat this crime is needed: just 27% plan double digit investment in cybersecurity and data privacy in the next three years, lagging global counterparts (31%).
With rapid digitisation and blanket remote working having hit all sectors, and the cyber thieves getting more sophisticated, the risks of a cyber attack have become even greater. Digital transformation also needs to happen with lots of checks and balances.
The infrastructure needed to enable digitalisation brings with it significant risks. The stakes are much higher than they were 12 months ago. Businesses have become reliant on technology for their very survival. As such, the risk of cyber attacks weighs heavily on CEOs’ minds.
The changes that happened last year are society wide. Organisations moved critical business processes and services online during the pandemic, and at haste. As a result, business resilience depends on cyber resilience, and any interruption to online services from cyber attacks may prove catastrophic. With every part of every organisation now more reliant on technology, and more reliant upon the technology of suppliers and other organisations within their ecosystem, business leaders need to appreciate the role they must play in securing their organisation. Securing a business goes beyond building the right technical controls. It is about simplifying the organisation to be securable. It is about assessing, understanding and managing the cyber risk impact of every business decision. And it is about recognising that much of cyber security risk originates from vulnerabilities outside their organisation. CEOs are right to be concerned about cyber security risk but the challenge they face is shaping their organisations to be securable. Also critical is ensuring the organisation’s staff are trained to recognise clues to any possible intrusions, actions which may result in a cyber attack.It is never too late to face the challenges and make the investment. We have all seen how attacks such as ransomware and phishing have increased during the pandemic to record high levels. Reliance is placed on online channels to sell products or services that hackers can take offline. In addition, the rapid acceleration of digital transformation programmes has led to the adoption of new processes, skill-sets, technologies and channels. They all bring with them new types of cyber risk, which are all increasing in complexity.Now is the time for companies to undergo a cyber health check.They need to understand where they have weaknesses and what they can do about them. Not having regular assessments and cyber health checks mean that when incidents occur, the result can be devastating. An assessment can take two to three weeks, based on a framework like ISO or NIST. It produces a report like an x-ray of where vulnerabilities lie. Having this intelligence gives companies the time to remediate in a controlled and measured way, rather than in a reactionary way if a cyber incident occurs. The five key actions to take now to be cyber safe are:1.Conduct an independent cyber health check. Identify an independent third party to complete a short assessment of cyber risks within your organisation.This assessment should be based on an industry standard and will produce a report which allows you to decide on the remediation investment required.2.Establish a Cyber Governance Forum. A group of senior stakeholders across the business that includes representatives of your Operations, Technology, Security and Legal teams should meet monthly to discuss remediation progress and report to the Board.3.Create a cyber incident response plan. Don’t wait for the incident. Like your fire drill, have a cyber incident response plan, including your communications plan, and rehearse this with management. 4.Cyber awareness. Your staff are a critical control. Establish a programme of continuous learning and phishing exercises to keep your people cyber aware. 5.Brief the Board. It is key to have the Board engaged on one of the biggest risks facing the company. Look to present to them quarterly and design separate briefing sessions to improve their level of understanding and readiness.