Despite the rise of ransomware and other malicious attacks, 44% of companies worldwide said they do not have an overall information security strategy, according to the 2018 Global State of Information Security Survey from PwC.
Further, 48% of the 9,500 executives surveyed across 120 countries said they do not have an employee security awareness training program, and 54% said they do not have an incident response process.
"Many organizations need to evaluate their digital risk and focus on building resilience for the inevitable," said Sean Joyce, PwC's US cybersecurity and privacy leader, in the report.
Cybersecurity preparedness varies widely between countries worldwide, PwC found. Nations most likely to employ an overall security strategy include Japan (72%) and Malaysia (74%). Both countries are in East Asia and the Pacific, where the World Economic Forum says cyberattacks are among the top five business risks.
SEE: Information security incident reporting policy (Tech Pro Research)
Business leaders must take greater responsibility for building cyber resilience in their companies, the report stated. In the private sector, leaders responsible for driving business results must also be held accountable for the associated risks of doing business. Boards must also exercise oversight and proactive risk management, PwC noted.
However, only 44% of companies reported that their corporate boards actively participate in security strategies or investment plans.
"Many boards still see it as an IT problem," Matt Olsen, co-founder and president of business development and strategy for IronNet Cybersecurity, who formerly led the US National Counterterrorism Center, said in the report. Perhaps due to their lack of involvement, few board members said they feel confident that their companies are properly secured against cyberattacks, according to the National Association of Corporate Directors' 2016-2017 surveys of public and private company directors.
The role of the CISO continues to grow in importance, with more of these professionals reporting directly to the CEO now than in the past, the report found. Some 52% of respondents said their organizations employ a CISO, while 45% said they employ a chief security officer. Some 47% said they employ dedicated security personnel to support internal business operations.
"The CISO must help the board understand where the company stands in providing cybersecurity for the company networks," Keith Alexander, the founder and CEO of IronNet Cybersecurity, who formerly led US Cyber Command and the National Security Agency, said in the report. "The information provided should include any cyberattacks that have occurred, as well as shortfalls in training, equipment and tools in the cyber domain. The CISO must highlight shortfalls so the board can execute their responsibilities in understanding and addressing risks facing the company."
PwC offered the following five tips for business leaders to follow to better protect their companies from attacks.
1. Engage the C-suite and the board
Senior leaders driving the business must take ownership of cybersecurity policies and practices, the report stated. Setting a top-down strategy to manage cyber and privacy risks across the enterprise is key, and a risk management strategy should be informed by understanding the threats facing the organization, and knowledge of which assets require the most protection.
2. Work to achieve resilience, not to simply avoid risk
Companies that achieve greater risk resilience will see stronger, long-term economic performance than those that take a more reactionary stance, the report noted. For example, the report said, the Japanese companies that built business-continuity management procedures into their enterprise risk management programs before the 2011 tsunami were able to resume operations faster than their competitors.
3. Purposefully collaborate, and leverage lessons learned
Industry and government leaders must work across organizational and national borders to identify, map, and test cyber-dependency and interconnectivity risks, the report said. Leaders must also work together to deal with problems such as accountability, liability, responsibility, and consequence management.
4. Stress-test interdependencies
All industries worldwide should conduct stress tests with simulated cyberattacks designed to inform risk management, the report said. These stress tests should be able to answer the question, "Can I withstand the failure of others on whom I depend?"
5. Focus more on risks to data manipulation and destruction
Integrity will soon take the place of confidentiality as the most important goal of cybersecurity in the private sector, according to computer security analyst and risk management specialist Dan Geer, cited in the report. This can better help companies recover and restore data after a major cyberattack. The growing use of blockchain will likely impact this as well, the report noted.
"The bottom line is that leaders can seize the opportunity now to take meaningful actions designed to bolster the resilience of their organizations, withstand disruptive cyber threats and build a secure digital society," according to the report.
Want to use this data in your next business presentation? Feel free to copy and paste these top takeaways into your next slideshow.
- 44% of companies worldwide do not have an overall information security strategy. -PwC, 2017
- 44% of companies worldwide report that their corporate boards actively participate in the companies' security strategies or investment plans. -PwC, 2017
- 52% of companies said their organizations employ a CISO, while 45% say they employ a chief security officer. Some 47% said they employ dedicated security personnel to support internal business operations. -PwC, 2017
- Why traveling CEOs and coffee shops are your company's greatest security risks (TechRepublic)
- Why SMBs are at high risk for ransomware attacks, and how they can protect themselves (TechRepublic)
- AI, IoT and the end of Moore's Law add to US national security worries (ZDNet)
- Information Security Certification Training Bundle (TechRepublic Academy)
- Security awareness and training policy (Tech Pro Research)
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Senior Editor for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.