Advice for organisations facing the threat of cyberattacks

The economy in recent months and the pandemic the last couple of years have dominated headlines related to how organisations take care of business, but a less-often-highlighted area also has the full attention of organisation leaders: cybersecurity.

Of 3,522 senior executives who participated in PwC's annual Global Digital Trust Insights Survey, 50% listed "a catastrophic cyberattack" among the top five risks they are formally incorporating into their organisational resilience plans over the next 12 to 24 months. Cyberattacks ranked as the most common answer, outpacing even a global recession (45%) and a resurgent or new health crisis (42%).

The survey not only revealed that most organisations are taking cybersecurity seriously; it also spelled out in numbers why they should be taking the threat seriously: Twenty-seven per cent of respondents said their organisation suffered a data breach that cost them between $1 million and $20 million in the past three years. Sixty-five per cent of all respondents expect their organisations to spend more on cybersecurity in 2023.

Beyond the numbers, the survey is accompanied by a playbook of sorts, addressing what questions key stakeholders — in consultation with the chief information security officer (CISO) or the like — need to be asking and what actions need to be taken to move towards mitigating the risk.

For example:

CFOs

Questions to ask: "Are we spending enough and in the right areas? Are we getting the right amount of cyber risk reduction from our investments?"

Call to action: As you modernise and simplify IT, ask how each incremental amount you spend can reduce the most cyber risk. Companies that know the monetary costs of risk are more likely to secure by design — and save.

Chief risk officers (CROs)

Questions to ask: "How does cyber risk profile affect our organisation's risk tolerance? How engaged are the business unit leaders in managing cyber risks?"

Call to action: Take an "all hazards" approach to identifying sources of disruption and build a resilience programme that integrates the core competencies of crisis management, business continuity, disaster recovery, and incident response to respond across the enterprise in a cohesive and consistent manner.

Boards of directors

Questions to ask: "Is management doing enough? How can we, the board, exercise better governance over the organisation's cybersecurity?"

Call to action: Encourage CISOs to speak your language. Ask to take part in exercises that help you understand your organisation's cyber resilience.

While organisations are taking positive steps, cyber criminals continue to take steps of their own and may be outpacing their victims. The most recent Global State of Enterprise Risk Oversight survey found that while 61% of business executives in the Europe & UK region said the volume and complexity of risks has increased in the past five years, just 31% described their organisation's risk management oversight as "mature" or "robust".

— To comment on this article or to suggest an idea for another article, contact Bryan Strickland at Bryan.Strickland@aicpa-cima.com.