Only 56% of businesses have an information security strategy, according to PwC. Here's how to fix that.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- 87% of global CEOs said they are investing in cybersecurity to build trust with customers. -- PwC, 2018
Only 56% of businesses have an overall information security strategy, according to a new report from PwC--a major risk in an era of increasingly sophisticated attacks and high-profile breaches that cost companies millions.
A failure to consider privacy risk management puts global business leaders at risk, according to the Global State of Information Security Survey 2018. PwC surveyed 9,500 executives in 122 countries, and found that CXOs have much work to do to build up their companies' cybersecurity posture.
"There are very few companies that are building cyber and privacy risk management into their digital transformation correctly," Sean Joyce, PwC's US cybersecurity and privacy leader, wrote in the report.
However, there are some bright spots. Some 87% of global CEOs said they are now investing in cybersecurity to build trust with customers, the report found. And companies are increasingly deploying advanced authentication technologies, including biometrics (60%), software tokens (59%), hardware tokens (55%), cryptographic keys (53%), and multifactor authentication (51%).
About two-thirds of respondents worldwide said their organization has put a chief privacy officer (CPO) or similar executive in charge of privacy.
Here are six tips for global business leaders to improve their enterprise security posture.
1. The C-suite must own management of digital risk
As cybersecurity and privacy become paramount both within and outside every company, CEOs must lead rather than delegate data protection and privacy strategies, the report said. CEOs must also lead the development of strategies for mitigating cyberattacks. A CPO should have a seat at the table to support the CEO's decision making.
2. Engage your board
Boards should be continually informed about the C-suite's plans to address emerging risks in data protection and privacy, which requires a strategy for board education, according to the report. Right now, only 31% of CXOs said their corporate board directly participates in a review of current security and privacy risks, the report noted.
3. Prioritize data-use governance
Businesses that learn to use data in more innovative ways will find more opportunities, but also more risks, the report noted. That means CXOs must understand the most common risks, such as lack of awareness about data collection and retention activities, and create a data-use governance framework to guide their work in this area.
4. View GDPR as an opportunity
CXOs should view GDPR as a chance to align their organization--no matter what countries it does business in--to more protective policies, the report said.
5. Consider the risks of regulation abroad in a strategic context
The "balkanization" of the internet means more companies will likely face pressures from foreign governments to provide access to sensitive intellectual property, such as source code, the report said. Companies should make decisions on how to respond to this pressure by considering the cybersecurity, privacy, and trust risks that could arise from offering up that information.
6. Champion responsible innovation
Companies across all industries should support and participate in the development of emerging standards that could help put privacy principles into practice. Embedding cyber and privacy risk management into digital transformation efforts will help CXOs better withstand cyber threats, and gain customer trust and a competitive advantage.
"Companies that seize the opportunity to manage data protection and privacy risks are expected to be better positioned to thrive in the data-driven economy and build resilience in digital society," the report stated. "Businesses that rush to transform digitally without building in security and privacy are on the path to obsolescence."