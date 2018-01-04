04 Jan 2018 | 09.17 am

Most Irish businesses continue to ignore cyber security and are slow to invest in security measures, says a new report from financial services company PwC.

But they are not alone, according to the results of a survey of 9,500 executives across the globe, despite the significant media exposure garnered by the now almost commonplace cyber security breaches worldwide.

The PwC survey indicates that:

40% of survey respondents cite the disruption of operations as the biggest consequence of a cyberattack, followed by the compromise of sensitive data (39%), harm to product quality (32%), and harm to human life (22%)

44% of 9,500 executives in 122 countries, including Ireland, say they do not have an overall information security strategy

Nearly half (48%) do not have an employee security awareness training programme, and 54% don’t have an incident-response process

When cyberattacks occur, most victimised companies say they cannot clearly identify the culprits. Fewer than four out of ten (39%) say they are very confident in their threat identification capabilities

More work needs to be done in Europe to share intelligence to form a united frontier to fight cybercrime

More boards of directors need to ensure cybercrime is at the top of their agenda

The soaring production of insecure internet-of-things (IoT) devices is creating widespread cybersecurity vulnerabilities

Executives acknowledge the increasingly high stakes of cyber insecurity — 40% cite the disruption of operations as the biggest consequence of a cyberattack, 39% cite the compromise of sensitive data, 32% cite harm to product quality, and 22% cite harm to human life.

Yet, despite this awareness, many companies at risk of cyberattack remain unprepared to deal with them. Forty-four per cent say they do not have an overall information security strategy. Forty-eight per cent say they do not have an employee security awareness training programme, and 54% say they do not have an incident-response process.

Missed Message

PwC Ireland cyber-leader Pat Moran said: “The results from our 2018 report reflects a number of themes that we also see clearly emerging in the Irish marketplace. Despite cyber risk now being a significant threat to Irish businesses, organisations are still failing to get the message and are very slow to invest in the appropriate security measures.

“Most are ignoring areas such as cyber awareness and global standards, and focusing their limited resources in technology and infrastructure. While technology, particularly cloud-based, can support organisations to detect attacks and breaches, having people aware of the latest threats and being prepared to respond when incidents occur is key.

“Throughout the survey, we see a growing trend in the US where industries are collaborating with each other on the latest attacks, incidents and trends. However, Europe still has a long way to go to establish these communities to share intelligence and form a united frontier to fight cybercrime.”

Moran pointed out that tools used by attackers are proliferating on the internet, with state actors often the source: “The leaking of US National Security Agency (NSA) hacking tools has made highly sophisticated capabilities available to malicious hackers.”

With enormous disparities in preparedness around the world, and Ireland not ranking high in the league tables, PwC has some recommendations.

C-suites must lead the charge and boards must be engaged: Senior leaders driving the business must take ownership of building cyber resilience. Setting a top-down strategy to manage cyber and privacy risks across the enterprise is essential.

Pursue resilience as a path to rewards, not merely to avoid risk: Achieving greater risk resilience is a pathway to stronger, long-term economic performance.

Purposefully collaborate and leverage lessons learned: Industry and government leaders must work across organisational, sectoral and national borders to identify, map, and test cyber-dependency and interconnectivity risks as well as surge resilience and risk-management.

The financial company advises collaborating even with competitors to minimise cyber-risks and create robust defences, as is common in the US, for example.