A catastrophic cyber attack is the top scenario in 2023 resilience plans. Such an attack would surely put C-suite alliances to the test. Cybersecurity has become a more dynamic field, rapidly adjusting and shifting to keep pace with business inventiveness. This agility is what’s needed for the tougher challenges ahead. How can each of you continue to make a difference? Where should CISOs and cyber teams wield influence for the greatest effect?

According to PwC Research, 22% of respondents are executives in large companies ($1 billion and above in revenues); 16% are in companies with $10 billion or more in revenues. 

The 2023 PwC Global Digital Trust Insights is a survey of 3,522 business, technology, and security executives (CEOs, corporate directors, CFOs, CISOs, CIOs, and C-Suite officers). Female executives make up 31% of the sample.

Respondents operate in a range of industries: Industrial manufacturing (24%), Tech, media, telecom (21%), Financial services (20%), Retail and consumer markets (18%), Energy, utilities, and resources (9%), Health (5%), and Government and public services (3%).

Respondents are based in various regions: Western Europe (31%), North America (28%), Asia Pacific (18%), Latin America (12%), Eastern Europe (5%), Africa (4%), and Middle East (3%).

Cyber Security Top Trends & Cyber Attack Threats

Two-thirds of executives consider cybercrime their most significant threat in the coming year. Cybercriminals, increasingly using off-the-shelf tools, can perpetrate and orchestrate a variety of attacks.

  • Fewer than 40% of senior executives say they have fully mitigated the risks their bold moves incurred.
  • By their own assessments, CISOs see the need to advance further on five cyber capabilities: identify, detect, protect, respond, recover. 
  • Senior execs see heightened threats to their organisation and worry they’re not fully prepared to address them.
  • In 2023, these challenges loom: mandated disclosures, tests of resilience, and pressure to get data security and privacy right.

Cloud security tops cyber threats


Cloud Data Security related threats top the list of cyber security concerns that senior executives say will have a significant impact on their organisations in 2023, according to Ransomware Attacks & Cyber Insurance survey.

Ransomware and business email compromise attacks increase too

According to Cyber Security, Insurance & Cyber Business Intelligence Review, 33% of senior executives also say they expect attacks against cloud management interfaces to increase significantly in 2023, while 20% say they expect attacks on Industrial Internet of Things (IIoT) and operational technology (OT) to significantly increase in the next 12 months.

Some 39% of senior executives say they expect cloud-based threat vectors to significantly affect their organisation in 2023 compared to 2022 – more so than cyber threats from other sources such as laptop/desktop endpoints, web applications and software supply chain.

Long-standing and familiar cyber threats remain on the horizon in 2023, highlighting the challenge facing cyber security leaders – just over a quarter (27%) of organisations say they expect business email compromise and ‘hack and leak’ attacks to significantly increase in 2023, and 24% say they expect ransomware attacks to significantly increase (see 5 Most Important Cybersecurity Controls & Cyber Liability Insurance).

The good news for CISOs charged with addressing and mitigating these risks is that cyber security budgets will rise for many in 2023, with 59% of respondents saying they expect their budgets to increase.

  • 38% expect more serious attacks via the cloud in 2023
  • 29% of large organisations expect an increase in OT attacks
  • 45% of security and IT execs expect further rise in ransomware attacks

How secure is your digital transformation?


In part the increase in cloud-based threats is a result of some of the potential cyber risks associated with digital transformation (see Cybersecurity Automation Adoption).

An overwhelming majority – 90% – of senior executives in our survey ranked the increased exposure to cyber risk due to accelerating digital transformation as the biggest cyber security challenge their organisation has experienced since 2020.

These digital transformation efforts – which include initiatives such as migration to cloud, moving to ecommerce and digital service delivery methods, the use of digital currencies and the convergence of IT and operational technology – are critical to future-proofing the business, unlocking value and creating sustainable growth.

Yet around two-thirds of senior executives say they have not fully mitigated the cyber risks associated with digital transformation:

  • 64% have not fully mitigated the risks of cloud adoption
  • 68% have not fully mitigated the risks of increased digitisation of delivery mechanisms to customers
  • 64% have not fully mitigated the risks of increased digitisation of the supply chain

This is despite the potential costs and reputational damage of a cyber attack or data breach, with just over a quarter (27%) of global CFOs in our survey saying they have experienced a data breach in the past three years that cost their organisation more than $1 million.

Cyber attack is biggest organisational risk scenario


The survey shows that the C-Suite is becoming more aware of how these complex cyber threats, and their potentially damaging impact, can pose a major risk to wider organisational resilience.

Awareness of cyber risk to organisational resilience grows

Just under half (48%) of UK organisations say a “catastrophic cyber attack” is the top risk scenario – ahead of global recession (45%) and resurgence of COVID-19 (43%) – that they are formally incorporating into their organisational resilience plans in 2023.

That echoes the findings of PwC’s annual CEO Survey, where almost two-thirds (64%) of UK CEOs said they are extremely or very concerned about cyber attacks impacting their ability to sell products and services.

5 scenarios formally incorporated into organisation’s resilience plans (Ranked index)

  • 1st: A catastrophic cyber attack
  • 2nd: Global recession
  • 3rd: A resurgence of COVID-19 or a new health crisis
  • 4th: Inflationary environment
  • 5th: Credit crunch / significantly reduced access to capital
Source: PwC

And while business leaders are understandably focused on the immediate threats of inflation, macroeconomic volatility and geopolitical conflict in the next 12 months, cyber security rises to the top of the list when they take a longer term view.

25% of CEOs say they believe their business is extremely exposed or highly exposed to cyber risks over the next five years – ahead of inflation, macroeconomic volatility, climate change and geopolitical conflict.

Yet there is more work required to go beyond focusing on just high priority critical systems for cyber resilience (see How to Make Cyber Security a Part of the Business Culture?).

43% of UK senior executives still focus on isolated risk scenarios and how to address recovery for that specific disruption, instead of a more effective approach that includes a broad understanding of the risks the organisation faces and how to continue operations across simultaneous risks.

Current cyber resilience approach and capability

Source: PwC

And 50% of senior executives also say they react to a disruption by invoking plans after an incident and focusing on recovery of business operations after a failure or incident, instead of taking a preventative and anticipatory approach that assumes incidents will occur, and embedding resilience capabilities to withstand disruption.

47% say they formally coordinate and integrate business continuity, disaster recovery, crisis management, incident preparedness and response, and threat intelligence.

The reality is that the cyber threats facing private businesses are no different from those facing any other type of organisation. Cyber criminals are essentially opportunistic and will look to attack wherever they see vulnerabilities.

Recent research indicates that 45% of respondents from privately-owned businesses rated cyberattacks as the top threat to their organisation’s growth.

Cybercrime has catastrophic consequences in today’s corporate environment, including revenue and profit loss, brand ruin, erosion of consumer loyalty, competitive disadvantages, and, among other things, crippling lawsuits.

However, private businesses have some distinctive characteristics that create specific cyber security risks and which need to be addressed.

People and technology hold the key to cyber security transformation


Digital and physical security are becoming indivisible and everything we do online has consequences in the real world. From critical business systems to social events, virtually every aspect of work and life is exposed to the all-seeing gaze of the internet – and thereby to cybercriminals. And when they come knocking, private businesses need to be ready.

Things have been tough recently in the cyber insurance industry. Businesses have a difficult time finding affordable policies with the right limits that don’t exclude ransomware (see Top Cybercrime Predictions).

3 critical factors for success

  • Leadership. Stronger leadership that drives cyber security throughout the organisation is the number one factor that will make the most difference to transforming cyber security in the next 12-18 months. This means the Board, CEO and other C-Suite executives speaking out about their commitment to cyber, and using their influence to drive sweeping changes and remove organisational barriers to C-Suite coordination.
  • Data analytics capabilities. Stronger data analytics capabilities on cyber and privacy activities are the second most important factor critical to successful cyber security transformation. From using advanced analytics and AI to improve threat detection to identifying risk in supply chains and misconfigurations across cloud environments, data capabilities are key to making smarter cyber funding decisions with business goals and top risks in mind.
  • Employee cyber security awareness. Investing in both people and technology is key to bolstering cyber security defences and enabling the secure digital transformation necessary to innovate and create growth. In the survey, just under half (46%) of business leaders say they are planning on increasing the human-led technology capabilities of teams in risk, while 40% also plan to increase their use of technology. And organisations must look to widen their cyber talent search beyond certifications and tech degrees. Senior executives also say successful cyber security transformation depends upon having a cyber-savvy workforce where all non-cyber security employees understand the potential implications of their actions.


Following recent cyber attacks, organizations worldwide are beginning to see the crucial need for lifesaving protections that warn when risk is there. They understand that they need “risk sensors” to prevent dangerous scenarios from occurring and prevent inevitable cybercrime from becoming tragic when it appears (see Cybersecurity and the Cyber Insurance Market).

Resolute CEOs double down on talent, technology and transformation

Whatever short-term cuts and caution CEOs have planned, they cannot rein in investments in talent and technology. They’re doubling down on those because the need to transform their business for long-term growth is inescapable.

A zero-trust cybersecurity strategy, with simplicity and risk reduction at its heart, is mandatory to reduce exponential cyber attacks in 2023.

But at the same time, vital skills are in short supply and tech investments carry risk if made without the right human insight.

So CEOs must get creative and explore combinations of acquisition and collaboration, alongside investments in upskilling, recruitment and retention to deliver the tech-powered change they need at the speed they need it to happen.

Partnering and acquisition will help bridge gaps


These findings highlight the extent to which the pace of change affecting all organisations means significant interventions are essential for long-term viability and growth – from accelerating digital transformations, to building greater supply chain resilience and creating business models that are both environmentally and financially sustainable.

Among CEOs investing in technology, the majority are doing so with an emphasis on reinventing, rather than just maintaining, their current business (61% compared to 39%).

While some layoffs are planned as part of wider cost-cutting measures there is a far more significant focus among CEOs on boosting their team’s ability to drive long-term growth and transformation. They are doing this through increased investment in recruitment, upskilling and the retention of in-demand skills. Just 16% of CEOs say their organisation has made or is making layoffs, while 59% have no intention of making layoffs.

Investments in technology are also being prioritised, including artificial intelligence (AI), cloud and data and analytics.

And such investments can play a vital role in helping organisations deal with immediate challenges and deliver long term value.

Automation, AI and Cloud are the focus of tech investments


Given the importance of such digital transformations, CEOs remain acutely aware of the risks posed by cyber security threats, ranking them as the threat they feel most exposed to over the next five years.

And as CEOs commit to investments in technology there is a focus on striking the right balance of skills and understanding across their workforce. Increasing that understanding can help mitigate risk and ensure organisations get the greatest returns on investment in technology.

Where are CEOs investing in technology and talent?

Source: PwC

Marketing is an example of one area where there is a significant commitment to transforming both technology use and skills within the function. The need to adapt offerings, understand changing customer demands and keep selling in the short term creates an essential role for marketing.

But the opportunity to make marketing a more strategic driver of long term growth and brand value is indicative of the balancing act businesses are striking and the requirement for a combination of skills and technologies.


AUTHORS: Richard Horne – Cyber Security Chair, Risk & Quality Partner PwC UK, Bobbie Ramsden-Knowles – PwC UK Partner & Co-Lead PwC Global Centre for Crisis and Resilience, Sean Joyce – Global Cybersecurity & Privacy Leader, US Cyber, Risk and Regulatory Leader, PwC US
