Irish companies may be overlooking the riskiest cyber threats.
The majority of companies globally and in Ireland don’t fully comprehend the cyber risk that exists within their third-party networks – these are the risks brought about by the complexity of their business relationships, including sales, supplier and technology support networks.
This is the key finding of the PwC 2022 Global Digital Trust Insights Survey of 3,600 business leaders globally, including Ireland, which found that only 38% of Irish respondents had a ‘high’ understanding of the risk of data breaches through third parties (Global: 41%).
A further 24% had little or no understanding at all of these risks (Global: 20%).
The survey reveals that less than a third (29%) of Irish respondents have made ‘significant progress’ in minimising financial losses to cyber disruptions (Global: 40%).
At the same time, less than half (40%) are ‘very confident’ about the cybersecurity stance of their organisation – for example, only one in three (32%) say that cyber risks in their business operations are well mitigated (Global: 34%).
Globally, nearly seven out of ten (69%) of C-suite executive respondents said that they will increase their cyber budgets in 2022.
Ransomware and supply chain attacks are main threats of the day
The findings are a red flag in an environment where six out of 10 (62%) of the Irish C-suite respondents anticipate an increase in cybercrime in 2022 (Global: 60%).
A similar proportion (62%) expect an increase in ransomware attacks while 56% expect increases in malware. They also reflect the challenges organisations face in building trust in their data — making sure it is accurate, verified and secure, so customers and other stakeholders can trust that their information will be protected.
Notably, 59% of Irish respondents say that their organisations expect a rise in breaches via their software supply chain, yet only 32% have a high understanding of the cyber exposures arising from these third-party supply chains.
Similarly, 62% of Irish respondents expect a jump in attacks on their cloud services, but only 29% profess to have an understanding of cloud risks based on formal assessments. Global counterparts have a greater understanding of these cloud risks (37%).
The weakest links: People and suppliers
“Organisations can be vulnerable to an attack even when their own cyber defences are good; a sophisticated attacker searches for the weakest link – sometimes through the organisation’s supplier networks,” explained Pat Moran, PwC Ireland cybersecurity leader.
“Gaining visibility and managing your organisation’s web of third-party relationships and dependencies is a must. Yet, in our experience, fewer businesses than we would like are responding to the escalating threats that complex business models pose.”
Asked how their companies are minimising third-party risks, the most common answers in Ireland (similar to global responses) are: 41% are auditing or verifying their suppliers’ compliance; 44% are sharing information with third parties or helping them in some other way to improve their cyber stance; and 38% are addressing cost or time-related challenges to cyber resilience.
But there is more action to take: 71% of Irish respondents admit to not increasing the rigor of their due diligence compared to 62% for global counterparts. 59% failed to identify third-party threats before they procured this service (Global: 58%).
How to reduce complexity
A large majority of Irish respondents confirmed that the complexity of their organisation poses “concerning” cyber and privacy risks. Data governance (76%), cloud environment (72%) and data infrastructure (62%) ranked highest among areas of unnecessary and avoidable complexity.
“Simplification can be a challenge, but there is ample evidence to suggest that it is worthwhile for organisations in terms of improved cyber outcomes,” said Will O’Brien, PwC Ireland cybersecurity director.
“While around one in two (50%) Irish respondents said that their organisations had streamlined certain operations over the past two years (compared to a third for global companies), the ‘most improved’ cyber outcomes in our survey (the top 10%) were five times more likely to have streamlined operations enterprise-wide. These top 10% organisations are also 10 times more likely to have implemented formal data trust practices and 11 times more likely to have a high level of understanding of third party cyber and privacy risks.”
The upshot is that CEO engagement can make a difference. Executive and CEO respondents differ on how much support the CEO provides on cyber, with CEOs seeing themselves as more involved in, and supportive of, setting and achieving cyber goals than their teams do. But there is no disagreement that proactive CEO engagement in setting and achieving cyber goals makes a difference.
Executives in the “most improved” group, reporting the most progress in cybersecurity outcomes, were 12 times more likely to have broad and deep support on cyber from their CEOs. Most executives also believe that educating CEOs and Boards so they can better fulfill their cyber responsibilities is the most important act for realising a more secure digital society by 2030.
“The survey confirms that the most advanced organisations see cybersecurity as more than defence and controls, but as a means to sustain their reputation and brand loyalty and build trust with their customers,” said Pat Moran.
“As leaders of organisations, CEOs set the tone for focusing their cybersecurity teams on bigger-picture, growth-related objectives rather than narrower, short-term expectations.”