The consequences of suffering a cyberattack are serious, from costly and reputation-damaging disruption to operations, to having sensitive data compromised and damage to product quality. But the majority of companies are not preparing adequately either to reduce the likelihood of an attack or to deal with the fallout after one occurs. These are the findings of PwC's 2018 Global State of Information Security Survey, which gathered responses from 9,500 business and technology executives from 122 countries.
Disruption is biggest consequence of cyberattacks
The main findings of the survey were:
- disruption of operations is the biggest consequence of a cyberattack, according to 40 per cent of survey respondents;
- other serious consequences were: compromise of sensitive data (39 per cent), harm to product quality (32 per cent), and harm to human life (22 per cent);
- 44 per cent of companies surveyed do not have an overall information security strategy;
- 48 per cent do not have an employee security awareness training programme;
- 54 per cent don’t have an incident-response process;
- identifying the culprits is also a problem for many companies that are targeted: only 39 per cent said they are very confident in their attribution capabilities.
3 strategies to prepare for a cyberattack
PwC recommends three key areas of focus to prepare effectively for cyberattacks:
- Senior executives must commit to and channel resources into cyber resilience: setting a top-down strategy to manage cyber and privacy risks across the enterprise is essential.
- Recognise that achieving greater risk resilience will lead to stronger, long-term economic performance.
- Working across organisational, sectoral and national borders will help business and government leaders to identify, map, and test cyber-dependency and interconnectivity risks as well as surge resilience and risk-management.
Interdependent networks are a key weakness
The survey also highlights the interdependencies between business networks, which can cause a cascading effect when one network is hit by a cyberattack, or by a non-cyber event such as a disaster, which can often cause a power outage. The report states: “Case studies of non-cyber disasters have shown that cascading events often begin with the loss of power—and many systems are impacted instantaneously or within one day, meaning there is generally precious little time to address the initial problem before it cascades.”
The cyber threat from North Korea
It also notes the rising level of concern over cyberattacks from malicious hackers in other countries. It states: “Tools for conducting cyberattacks are proliferating worldwide. Smaller nations are aiming to develop capabilities like those used by larger countries. And the leaking of US National Security Agency (NSA) hacking tools has made highly sophisticated capabilities available to malicious hackers.”
This article in The Corporate Treasurer gives more detail on the current threat of cyberattack from criminal hacker groups associated with North Korea. The threat is increasing: the latest attack, earlier this month, targeted Far Eastern International Bank, based in Taiwan, and saw $60 million transferred in several cross-border payments via SWIFT. According to BAE Systems, the attack could have been carried out by the North Korea-linked hacking group Lazarus. BAE Systems stated: “In a story which reminds us of the Bangladesh Bank case – the culprits had compromised the bank’s system connected to the SWIFT network and used this to perform the transfers.”