The Centrality of Cybersecurity
Cybersecurity is one of the most critical challenges of the digital age. The global growth of networks and data, fueled by technological innovation, has enabled society to build prosperity and quality-of-life improvements. This rapid, sweeping change has also created a long-term challenge: managing inherent security risks in digital technology as the world grows more cyber dependent and hacking threats escalate.
In PwC’s 21st Global CEO Survey, global CEOs ranked cyber threats as the business threat of greatest concern, and the №4 overall worry behind over-regulation, terrorism, and geopolitical uncertainty. Cybersecurity is a hot topic this year at the World Economic Forum’s annual gathering in Davos–an event that examines the major economic, political, technological, and social issues impacting our world. The World Economic Forum’s Global Risks Report 2018 says large-scale cyberattacks and data breaches are increasingly likely amid rising cyber-dependency. Yesterday, I took part in a panel discussion in Davos titled “Hack the Attack” where we debated some of the key challenges that face the public and private sector in working together to prepare for cyberattacks. An interesting discussion with a great group of experts and leaders, talking about the risks and what pragmatic actions we can take as leaders.
There is a massive opportunity before all of us–private and public sector stakeholders from around the world, industries of all kinds, and experts in a wide array of disciplines–to collectively build the security, privacy, and trust that the world needs.
The Magnitude of the Challenge
The high stakes of cyber insecurity are increasingly clear. As our reliance on data and interconnectivity rises, developing resilience to withstand cyber shocks — that is, large-scale events with cascading disruptive consequences — has never been more important. In our 2018 Global State of Information Security® Survey, where we survey 9,500 executives from 122 countries across all industries, leaders of organizations that use automation or robotics acknowledge the potentially significant fallout of cyberattacks:
- Forty percent of survey respondents cite the disruption of operations as the biggest consequence of a cyberattack, 39% cite the compromise of sensitive data, 32% cite harm to product quality, 29% cite damage to physical property, and 22% cite harm to human life.
- Yet, despite this awareness, many companies at risk of cyber attacks — and to be realistic, we are all at risk — remain unprepared to deal with them. Forty-four percent of the executives in the survey say they do not have an overall information security strategy, 48% do not have awareness training and 54% do not have an incident reporting process.
Cyber insecurity has not gone unnoticed among consumers. In our recent US Consumer Intelligence Series survey, only 25% of respondents say they believe most companies handle their sensitive personal data responsibly.
With rising threats to data integrity, security and availability, leaders in the public and private sector are also facing greater accountability. New rules on data security and privacy such as the European Union’s General Data Protection Regulation, UK data protection legislation, China’s cybersecurity law, the White House’s cybersecurity executive order, proposed US legislation related to the internet of things, cybersecurity rules for the financial sector in New York State and municipal cybersecurity efforts illustrate the increasing attention these issues are receiving from policymakers at the international, national, state and local levels. There are no silver bullets in cybersecurity, however, including regulations.
Bringing Together the Private and Public Sectors
Collaboration between policymakers, regulators and the private sector is vital given the rapid pace of the cyber threat environment. By building consensus around emerging voluntary standards for cybersecurity, privacy, and the nascent but mushrooming internet of things, organizations have the potential to implement nimble, flexible, and robust measures for managing emerging risks and to demonstrate headway to stakeholders. Technology developers that pursue responsible innovation of this sort will likely be better positioned to build trust with consumers and increase economic performance.
In addition to having good tactics to deal with particular malware threats, companies must proactively manage risks in a strategic way, rather than viewing them episodically or from a compliance standpoint.
With the right risk management foundation in place, it becomes possible to gain from connectivity without losing consumer trust and to monetize data while respecting privacy. Threat intelligence and information sharing capabilities can help stakeholders identify and counter emerging risks with greater speed and effectiveness. Leading-edge technologies for cloud security, data analytics and monitoring, authentication, and open-source software can give defenders powerful tools in cyberspace.
In addition, greater focus on risks associated with the internet of things and geopolitical threats can provide leaders the broader perspective needed to more capably manage cyber and privacy risks across their enterprises.
Next Steps for Leaders Everywhere
While there are regulations and focus areas specific to various industries and geographies, there are four overarching principles for the way forward on combating cyber risks:
- The need to significantly improve management of cyber and privacy risks is universal across the globe — regardless of the organization, sector, country or region — and will be vital for decades to come. As our 21st Global CEO Survey underscores, this is a business risk that requires the highest level of attention. CEOs need to embrace that challenge and focus on building the resilience needed to withstand disruptive cyberattacks and sustain operations — not just because of the risks, but because of the opportunities.
- As the risk of cyber attacks increases, companies and CEOs need to consider their own policies, programs, and internal safeguards. While many have these helpful policies and codes of conduct in place, it’s about what people and companies may not be doing — individual actions that perhaps don’t match a company’s protocols put them at even higher risk of attack.
- Increased engagement, collaboration, and sharing of information among stakeholders has never been more important — but it needs to be substantial. We all need to push to make such endeavors as meaningful as possible.
- We need to take the stigma out of asking for help when it comes to managing cybersecurity and privacy risks. Wise leaders know when to ask for help. There are many lessons and insights available from an array of stakeholders and it would be a shame not to seize that opportunity and take advantage of them.