Cyber threats, especially ransomware, are now the No. 1 concern of CEOs in the U.S. and the No. 2 globally, according to a new PwC on why being cyber-ready now is not enough. CEOs are doing more than fret—they are putting their money where their mouths are, the survey said.
In the next year, 57% of respondents are making “significant investments” in tech, 52% in people and 50% in governance and process. By contrast, 22% are making “adequate” investments in tech, 28% in governance and process and 27% in people, according to the report.
This is not adequate, the PwC report said. “Cybersecurity transformations are either lagging behind digitization or merely keeping pace at most (63%) of companies. Neither is good enough, not at a time when the hits are coming fast and hard and show no sign of stopping,” the report said.
What it means to be cyber-ready
Investments, CEO and board attention and forward-looking CISOs make for a cyber-ready organization, according to the report. Organizations should be able to say two things: That they have secured their organization’s infrastructure, and that “when the inevitable breach happens, your stakeholders can trust your organization to respond quickly and protect their interests.”
Staying “on pace” with business transformations isn’t enough to make that commitment happen, the report said.
CEOs believe incidents are inevitable
The survey revealed that 64% of respondents expect a jump in reportable ransomware and software supply chain incidents in the second half of 2021.
“As companies rushed to adapt to pandemic-inspired changes in work and business models, many seem to have left security behind,” the report stated. “Half or more of the CISOs and CIOs in our survey say they haven’t fully mitigated the risks associated with remote work (50%), digitization (53%) or cloud adoption (54%).
At least half of respondent organizations reported getting hit by malware via software update (54%), attacks on software supply chain (51%) and business email compromise (50%).
Only 55% of respondents or fewer of victims said they were “well prepared” to address breaches.
“Software supply chain is now getting CEO and board attention,” the report said. “Companies run on code developed in-house, taken from open source and/or bought from tech vendors—in an ecosystem that runs on trust.”
CEOs and CISOs believe ransomware is where they will see the biggest jump in reportable incidents. Ransomware demands and payments are on the rise, the survey revealed. In the U.S., Canada and Europe, the highest ransom payment doubled to $10 million in 2020, a record that was toppled in March 2021 with news of a $40 million payment, the report said.
Mobile, IoT technologies and cloud are expected to be the fastest-growing threat vectors. Some 29% of CISOs and CIOs said they expect coordinated, organized nation-state attacks to surge this year, according to the report.
Cybercriminals edge out nation-states as the top threat actors among 31% of respondents, the report said.
There is some good news–PwC said more enterprises are taking “critical steps” than ever before to prepare their security organizations for future scenarios.
Further, 81% of respondents who quantify cyber risk said it helped increase productivity and focus on strategic matters. Quantification is useful for prioritizing risks and making the case to the board for cyber spending, and it got especially high marks in the energy, utilities and resources and retail/consumer sectors.
Additionally, CISOs and CIOs across all industries are prioritizing cloud security for cyber investments over the next two years, the report said.
Around half of the respondent organizations have also restructured their security teams and embedded them in product development and business teams, according to the PwC survey. Another 44% said they plan to do so this year and next.
“Successful CISOs now act as business enablers,” the report said. “They’re no longer saying ‘We can’t do it,’ but rather are asking, ‘How can we do it.'”
What organizations should do
PwC is recommending that organizations sharpen their threat modeling capabilities. “Effect threat modeling doesn’t happen just once, and it shouldn’t focus only on known methods of attack,” the report said. It requires “creativity and imagination.”
The firm also recommends that organizations assess their cyber risks early and often. They should also work on their resilience playbook with business units, developers and risk managers.
Further, organizations should review how they budget and modernize their budgeting process. “Cyber is finally getting its due. Companies are investing more and the C-suite is paying attention. But the expectations – and potential for disappointment – are high.”
Another important takeaway is to “make it your business to demystify cyber. Help those around you become cyber-savvy.” This includes speaking the language of the business and finding creative ways to explain complex cyber issues, the report said.
Editor’s note: This article has been updated.