PwC: UK businesses still fail to take on cyber security

19 November 2015

Information security remains a key challenge for businesses around the world, as adversaries become more and more sophisticated. The cost to reputation and the bottom line can be considerable, with an average incident costing £1.7 million. In response, more and more organisations now have a cyber security risk framework – with many also turning to cloud-based, analytics-based and collaboration-based protections, research by PwC shows. Board-level participation in cyber security planning is also up, as more and more organisations realise the considerable costs that come from a lack of vigilance.

Threats to information technology systems continue to escalate across the globe, particularly in terms of frequency, severity and impact, as more and more devices come online. Even while the number of threatened systems increases, and the level of sophistication of adversaries improves as they hone their understanding of systems and people, the defenders too are improving their capacities. Detection methods and innovation to bolster front line cyber security systems are on the rise globally, with executives seeking ways in which to mitigate risks to their businesses.

Executive location

PwC recently released the ‘Turnaround and transformation in cyber security’ summary of its yearly ‘The Global State of Information Security Survey 2016’. The report considers changes to the cyber security landscape, as well as which new innovations and frameworks executives are looking towards to improve security and mitigate enterprise risk. The survey involved responses from more than 10,000 executives including CEOs, CFOs, CISOs, CIOs, CSOs, Vice-Presidents, and Directors of IT and information security. The survey spanned the world: 37% of respondents came from North America, 30% from Europe, 16% from Asia Pacific, 14% from South America and 3% from the Middle East and Africa.

Aggressive cyber attacks
The report finds that the sophistication and boldness of cyber-adversaries is on the increase around the globe. The UK in particular has a large number of organisations that lack oversight into their own systems. One in ten (10%) UK companies does not know how many cyber security attacks they have had this year and 14% do not know how they happened. The biggest cause for concern remains current employees, accounting for 34% of incidents, followed by former employees at 29% and current service providers / consultants / contractors at 22%.

Benefits of cyber security framework

Many organisations simply lack the skills and tools required to combat infiltrators. Things are improving however, and, since last year, the number of detected security incidents is up 38%. The increased detection is in part because 91% of organisations have now adopted a cyber security framework based on risk. This framework allows them to better identify channels through which adversaries act and thereby detect their activity. According to 49% of respondents, their cyber security framework is better able to identify & prioritise security risk, while 47% responded that a framework allows them to quickly detect & mitigate security incidents.

Data-driven cyber security
One development has been a move towards cloud-based and data-driven cyber security. Cloud-based security offers a means to enable improved intelligence gathering, threat modelling, defence against attacks and incident response. The benefits of the technology have seen considerable investment in private cloud in recent years, and 69% of respondents say that they use the technology as part of their wider strategy.

Benefits of data-driven cyber security

Big data, while providing a means to understand action, is often a considerable liability, as personally identifiable information is often present in large databases. The report highlights, however, that big data analytics – used to traverse the data – also provides a means to improve cyber security. 59% of respondents say that they are using data-powered analytics to enhance security by shifting security away from perimeter-based defences and helping organisations to put real-time information to use in ways that create real value.

There are a number of benefits to a data-driven cyber security approach according to respondents. Two in three (61%) say that it provides a better understanding of external threats, 49% say that it improves an understanding of internal threats, while 39% feel that it improves an organisation's ability to quickly identify and respond to security incidents.

Benefits of external collaboration

External collaboration
One further form in which organisations are seeking to limit their exposure is through collaboration with others to improve security, something 65% of organisations are engaged in. According to the respondents, benefits include improved defence through shared and received information from industry peers (56%), shared and received information from ISACs (46%), and improved threat intelligence and awareness (42%).

Board participation in information security

Board participation
The participation at board level in cyber security matters has been steadily increasing in recent years, with incidents often leaving behind a broad swath of operational, reputational and financial damages, damages boards are seeking to proactively mitigate. Boards are now considerably more engaged in providing a cyber security budget, up from 40% to 46%, and in developing overall security strategies, up from 42% to 45%, as well as in driving security policies and security technologies, at 41% and 37% respectively.

Commenting on the results, Richard Horne, PwC Cyber Security Partner, says: “In our digitally-interconnected world, businesses cannot stand still. They need to prepare and continually test their defences – and respond to breaches – in the face of incredibly sophisticated attacks. This requires commitment and leadership from the very top of an organisation to prevent breaches, but also to detect and respond to them rapidly and in the right way when they happen.”

According to a recent study by EY, if organisations want to come through the cyber war unscathed, it is key they build an active cyber-defense stance, as opposed to the traditional reactive strategy.