Cyber investments are growing, but not enough

64% of respondents to PwC’s latest CEO survey expect a jump in reportable ransomware and software supply chain incidents this year, and only 55% are prepared to respond.


Image: Teera Konakan/Moment/Getty Images

Cyber threats, especially ransomware, are now the No. 1 concern of CEOs in the U.S. and the No. 2 globally, according to PwC’s 24th annual CEO survey. CEOs are doing more than fret—they are putting their money where their mouths are, the survey said.

In the next year, 57% of respondents are making “significant investments” in tech, 52% in people and 50% in governance and process. By contrast, 22% are making “adequate” investments in tech, 28% in governance and process and 27% in people, according to the report.

This is not adequate, the PwC report said. “Cybersecurity transformations are either lagging behind digitization or merely keeping pace at most (63%) of companies. Neither is good enough, not at a time when the hits are coming fast and hard and show no sign of stopping,” the report said.

What it means to be cyber-ready

Investments, CEO and board attention and forward-looking CISOs make for a cyber-ready organization, according to the report. Organizations should be able to say two things: that they have secured their infrastructure, and that “when the inevitable breach happens, your stakeholders can trust your organization to respond quickly and protect their interests.”

Staying “on pace” with business transformations isn’t enough to make that commitment happen, the report said.

CEOs believe incidents are inevitable

The survey revealed that 64% of respondents expect a jump in reportable ransomware and software supply chain incidents in the second half of 2021.

“As companies rushed to adapt to pandemic-inspired changes in work and business models, many seem to have left security behind,” the report stated. “Half or more of the CISOs and CIOs in our survey say they haven’t fully mitigated the risks associated with remote work (50%), digitization (53%) or cloud adoption (54%).”

At least half of respondent organizations reported getting hit by malware via software update (54%), attacks on software supply chain (51%) and business email compromise (50%).

Only 55% or fewer of the victim organizations said they were “well prepared” to address these breaches.

“Software supply chain is now getting CEO and board attention,” the report said. “Companies run on code developed in-house, taken from open source and/or bought from tech vendors—in an ecosystem that runs on trust.”

CEOs and CISOs believe ransomware is where they will see the biggest jump in reportable incidents. Ransomware demands and payments are on the rise, the survey revealed. In the U.S., Canada and Europe, the highest ransom payment doubled to $10 million in 2020, a record that was toppled in March 2021 with news of a $40 million payment, the report said.

What’s coming

Mobile, IoT technologies and cloud are expected to be the fastest-growing threat vectors. Some 29% of CISOs and CIOs said they expect coordinated, organized nation-state attacks to surge this year, according to the report.

Cybercriminals edge out nation-states as the top threat actors among 31% of respondents, the report said.

There is some good news: PwC said more enterprises than ever before are taking “critical steps” to prepare their security organizations for future scenarios.

Further, 81% of respondents who quantify cyber risk said it helped increase productivity and focus on strategic matters. Quantification is useful for prioritizing risks and making the case to the board for cyber spending, and it got especially high marks in the energy, utilities and resources sector and in the retail/consumer sector.

Additionally, CISOs and CIOs across all industries are prioritizing cloud security for cyber investments over the next two years, the report said.

Around half of the respondent organizations have also restructured their security teams and embedded them in product development and business teams, according to the PwC survey. Another 44% said they plan to do so this year and next.

“Successful CISOs now act as business enablers,” the report said. “They’re no longer saying ‘We can’t do it,’ but rather are asking, ‘How can we do it?’”

What organizations should do

PwC recommends that organizations sharpen their threat modeling capabilities. “Effective threat modeling doesn’t happen just once, and it shouldn’t focus only on known methods of attack,” the report said. It requires “creativity and imagination.”

The firm also recommends that organizations assess their cyber risks early and often. They should also work on their resilience playbook with business units, developers and risk managers.

Further, organizations should review how they budget for cyber and modernize their budgeting process. “Cyber is finally getting its due. Companies are investing more and the C-suite is paying attention. But the expectations – and potential for disappointment – are high,” the report said.

Another important takeaway is to “make it your business to demystify cyber. Help those around you become cyber-savvy.” This includes speaking the language of the business and finding creative ways to explain complex cyber issues, the report said.
