Consumers don’t know who to trust with their personal data. According to PwC’s latest Consumer Intelligence Series survey, Protect.me, only 25 percent of respondents believe companies will handle their sensitive data responsibly, and just 17 percent trust the government to protect their data. At the same time, 69 percent of consumers believe companies are vulnerable to hacks and cyber-attacks, and 85 percent report that they will not do business with a company if they have concerns about its data security practices. Whether or not consumers follow through on this promise, the survey results paint a grim picture of the current state of their confidence about cybersecurity.
However, Protect.me — which surveyed 2,000 U.S. consumers — also revealed some positive news: an opportunity for companies that take action. Seventy-two percent of respondents believe businesses, not government, are best equipped to protect their data, and 81 percent prefer that companies take responsibility for protecting their data versus the government. Of course, government regulation will certainly play a role (and 82 percent of respondents said government should regulate companies’ use of data). We’ve already seen this in the financial-services and healthcare industries, which our study found consumers trust the most. But it’s clear that consumers have high expectations of companies when it comes to data security, and those companies that deliver can build trust while protecting their own interests.
Many companies have a long way to go. PwC’s 2018 Global State of Information Security Survey (GSISS), which gathered insight from 9,500 executives in 122 countries, found that 44 percent of respondents say they do not have an overall information security strategy. Slightly more (48 percent) say they do not have a security-awareness training program for employees, and 54 percent say they do not have an incident-response process in place. Given their mandate from consumers, companies should take the following steps now to build up their resilience to withstand cyber-attacks.
Illustration by LEJEANVRE Philippe / Alamy
1. Engage senior leaders — all the way to the board. Only 44 percent of GSISS respondents say their corporate boards actively participate in their companies’ security strategy. This could be because some firms tend to view cybersecurity as solely an IT problem. But anecdotal evidence suggests that when boards are involved in cybersecurity strategy, senior management is more likely to perceive it as a priority. Board participation elevates cyber risk beyond the day-to-day concerns of the IT function to become a part of the company’s overall strategic planning. It’s a level of importance commensurate with the level of risk associated with a major breach.
Companies can further prioritize cybersecurity by making sure the C-suite is involved in a review of the company’s information security strategy and budget. This includes gaining a clear understanding of what’s at stake in the event that certain systems or data are compromised — and ensuring plans are in place to mitigate the most pressing risks. The good news is the GSISS found companies are starting to elevate the role of chief information security officer (CISO) beyond IT: Respondents report it is more common for a company’s CISO to report directly to the CEO (40 percent) or the board of directors (27 percent) than to the CIO.
2. Assess network interdependency. Companies must take a careful look at the various networks on which their own network depends. This includes everything from the public power grid to the third-party or cloud-based networks on which their proprietary data may reside in the short or long term. Vulnerabilities may lie several layers removed from the networks that companies own. But just as we don’t think about our reliance on electricity until there’s an outage, interdependencies between networks tend to go unnoticed until catastrophe strikes.
For example, when cyber-attacks occur, many companies say they cannot clearly pinpoint the culprits. Only 39 percent of GSISS respondents say they are very confident in their ability to determine where an attack originated. To address this gap, company leaders need to stress-test interdependencies with simulated cyber-attack scenarios. It’s also important for companies to examine emerging technologies that may take advantage of networked systems, such as the Internet of Things (IoT). Yet relatively few GSISS respondents say their organizations plan to assess IoT risks across the business ecosystem. The ownership of responsibility for IoT security varies depending on organization — 29 percent say the duty belongs to the CISO, while others point to the engineering (20 percent) or the chief risk officer (17 percent).
3. Focus on data manipulation and destruction. As cyber-attackers grow more sophisticated, the priorities of corporate cybersecurity have to continuously adapt. It used to be that companies worried primarily about preventing their data from being stolen. But increasingly, they also need to be aware of how hackers can use a company’s own IT systems and architecture against the firm or society at large. These attackers’ primary goal may not be financial gain alone — stealing credit card numbers — but may also involve manipulating data to cause harm to the company or individuals. If attackers gained access to and modified a hospital’s medical records, for example, or an air traffic control system, they could inflict significant damage and even put human life at risk.
Organizations need to take an inside-out approach to cybersecurity assessments, looking for areas of weakness and making it a priority to safeguard systems that must be impervious to attacks to protect human life and safety. Companies should undertake scenario planning to “think the unthinkable” and run simulations to ensure that their firm is ready to withstand such attacks. They also need to be ready to respond immediately if a breach should occur. The Sheltered Harbor initiative in the financial sector could offer a model for other industries in how to deal with these emerging risks of data destruction. This effort has developed standards to help banks recover and restore account data in the event of a major cyber-attack.
A cyber threat will always be a moving target. Companies that begin with these three steps can develop the capability to better understand cyber threats as they evolve and cultivate an environment in which developing resilience against such threats is a top priority, owned by company leaders. This resilience can protect your company from the financial, reputational, and legal havoc caused by a major cyber-attack. Your customers are watching.
“How Companies Can Respond to Consumers’ Demands for Better Data Protection” © 2017 PwC. All rights reserved. No reproduction is permitted in whole or part without written permission of PwC.