Global 2022 Digital Trust Insight Survey: Companies may be overlooking the riskiest cyberthreats of all

The majority of companies globally and in Ireland don't fully comprehend the cyber-risk that exists within their third parties – these are the risks brought about by the complexity of their business relationships including sales, supplier or technology support networks. This is the key finding of the PwC 2022 Global Digital Trust Insights Survey. The survey of 3,600 CEOs globally, including Ireland, found that only 38% of Irish respondents had a 'high' understanding of the risk of data breaches through third parties (Global: 41%). A further 24% had little or no understanding at all of these risks (Global: 20%).

The survey reveals that less than a third (29%) of Irish respondents have made 'significant progress' in minimising financial losses to cyber disruptions (Global: 40%). At the same time, less than half (40%) are 'very confident' about the cybersecurity stance of their organisation. Globally, nearly seven out of ten (69%) of C-suite executive respondents said that they will increase their cyber budgets in 2022.

Cybercrime will continue to escalate

The findings are a red flag in an environment where 62% of the Irish C-suite respondents anticipate an increase in cybercrime in 2022 (Global: 60%). A similar proportion (62%) expect an increase in ransomware attacks while 56% expect increases in malware. They also reflect the challenges organisations face in building trust in their data -- making sure it is accurate, verified and secure, so customers and other stakeholders can trust that their information will be protected.

Notably, 59% of Irish respondents say that their organisations expect a rise in breaches via their software supply chain, yet only 32% have a high understanding of the cyber exposures arising from these third-party supply chains. Similarly, 62% of Irish respondents expect a jump in attacks on their cloud services, but only 29% profess to have an understanding of cloud risks based on formal assessments. Global counterparts have a greater understanding of these cloud risks (37%).

Pat Moran, PwC Ireland Cybersecurity Leader, commented: "Organisations can be vulnerable to an attack even when their own cyber defenses are good; a sophisticated attacker searches for the weakest link - sometimes through the organisation's suppliers networks. Gaining visibility and managing your organisation's web of third-party relationships and dependencies is a must. Yet, in our experience, fewer businesses than we would like are responding to the escalating threats that complex business models pose."

Asked how their companies are minimising third-party risks, the most common answers in Ireland (similar to global responses) are: 41% are auditing or verifying their suppliers' compliance; 44% are sharing information with third parties or helping them in some other way to improve their cyber stance and (38%) are addressing cost or time-related challenges to cyber resilience.

But there is more action to take: 71% of Irish respondents admit to not increasing the rigor of their due diligence compared to 62% for global counterparts. 59% failed to identify third-party threats before they procured this service (Global: 58%).

Simplifying the way to cybersecurity

A large majority of Irish respondents confirmed that the complexity of their organisation poses "concerning" cyber and privacy risks. Data governance (76%), cloud environment (72%) and data infrastructure (62%) ranked highest among areas of unnecessary and avoidable complexity.

Will O'Brien, PwC Ireland Cybersecurity Director, commented: "Simplification can be a challenge, but there is ample evidence to suggest that it is worthwhile for organisations in terms of improved cyber outcomes. While around one in two (50%) Irish respondents said that their organisations had streamlined certain operations over the past two years (compared to a third for global companies), the 'most improved' cyber outcomes in our survey (the top 10%) were five times more likely to have streamlined operations enterprise-wide. These top 10% organisations are also 10 times more likely to have implemented formal data trust practices and 11 times more likely to have a high level of understanding of third-party cyber and privacy risks."

CEO engagement can make a difference

Executive and CEO respondents differ on how much support the CEO provides on cyber, with CEOs seeing themselves as more involved in, and supportive of, setting and achieving cyber goals than their teams do. But there is no disagreement that proactive CEO engagement in setting and achieving cyber goals makes a difference. Executives in the "most improved" group, reporting the most progress in cybersecurity outcomes, were 12 times more likely to have broad and deep support on cyber from their CEOs. Most executives also believe that educating CEOs and Boards so they can better fulfill their cyber responsibilities is the most important act for realising a more secure digital society by 2030.

Pat Moran concluded: "The survey confirms that the most advanced organisations see cybersecurity as more than defense and controls, but as a means to sustain their reputation and brand loyalty and build trust with their customers. As leaders of organisations, CEOs set the tone for focusing their cybersecurity teams on bigger-picture, growth-related objectives rather than narrower, short-term expectations."