Almost two-thirds (ie 66%) of UK business leaders expect the threat from cyber criminals to increase over the next 12 months. That’s according to the latest PwC cyber security survey of business and technology executives. The findings reinforce the concerns of UK businesses about different cyber threats, as well as the potential vulnerability of their supply chains.
Over the past year, a number of prominent ransomware attacks have had a significant impact on organisations already dealing with the challenges posed by the COVID-19 pandemic. There’s also now the added threat of Ransomware-as-a-Service, in which ransomware developers lease out their malware in exchange for a share of the criminal profits. PwC’s research has discovered that 61% of UK respondents expect to see an increase in reportable ransomware incidents during the course of 2022.
The expectation of an increase in ransomware attacks reflects UK businesses’ concern about a broader increase over the next 12 months in cyber threats, including business e-mail compromise (61%) and malware being introduced via software updates (63%).
Bobbie Ramsden-Knowles, crisis and resilience partner at PwC UK, noted: “It’s impossible to ignore the threat from ransomware attacks as criminal groups become more brazen and scale their operations through Ransomware-as-a-Service and the use of affiliate criminal groups. At PwC, our threat intelligence team has already tracked more ransomware incidents globally, up to September 2021, than in the whole of 2020.”
Ramsden-Knowles continued: “Ransomware has the potential to rapidly disrupt an organisation’s entire business, both across geographies and functions. For organisations without a framework for managing enterprise-wide crises there’s an acute need to develop and embed one in order to be able to respond to this type of disruptive event in a co-ordinated way.”
Further, he observed: “Whereas other types of crises may be perceived as ‘black swan’ events that cannot be predicted, ransomware attacks have become so widespread that we’ve seen a common set of challenges and decisions that all organisations would face. Developing – and aligning – ransomware playbooks for executive crisis teams and operational responders is a ‘no regrets’ move. Testing these through ‘war games’ and planned exercises can reduce uncertainty, build confidence in the ability to respond and help prioritise the focus on preventative measures.”
Simplifying cyber security
The increased complexity of some organisations’ operations due to growth, mergers and acquisitions, or the rapid adoption of new technologies, has made them more difficult to properly secure. In fact, 86% of UK respondents said that complexity in their organisation creates “concerning” levels of risk.
This concern is primarily caused by a network of multi-vendor environments. Notably, 64% of UK respondents expect a jump in attacks on their cloud services over the next year. However, only 41% profess to have an understanding of cloud risks based on formal assessments.
Similarly, 63% of respondents say their organisations expect a rise in breaches via their software supply chain, yet only 42% have formally assessed their enterprise’s exposure to this risk.
Richard Horne, cyber security chair at PwC UK, explained: “Even when their own cyber defences are solid, organisations can be vulnerable to an attack through their suppliers. A sophisticated cyber criminal will always search for the weakest link. It’s essential for each business leader to fully understand and manage their organisation’s web of third party relationships. However, our research shows that fewer than half of UK respondents say they’ve responded to the escalating threats that complex business ecosystems pose.”
Budgets set to rise
Almost two-thirds of UK organisations (ie 63%) are increasing their cyber security budgets over the coming year. This compares to 56% in last year’s survey. Further, nearly a quarter of organisations (24%) plan to increase their cyber security spend by 10% or more.
On this matter, Richard Horne said: “As cyber security budgets increase, organisations are faced with the challenge of ensuring they derive the best return on their investment. Our research found that few organisations are confident they’re reaping the rewards from increased spending. For example, while 37% of UK respondents stated that they had implemented cloud security at scale, just 18% are fully realising the benefits of their investment. The remainder are either not investing in this area or haven’t yet implemented it at scale.”
Horne concluded: “To overcome this challenge and build greater confidence in their security investments, organisations must improve their cyber risk modelling and analysis. This ensures increases in cyber budgets are allocated to priority risks and helps in building long-term resilience.”
*The 2022 Global Digital Trust Insights Survey is based on PwC’s survey of 3,600 business and technology executives from around the world, including 257 in the UK. To find out more about the UK cohort and the responses received, visit https://www.pwc.co.uk/issues/cyber-security-services/insights/cyber-security-strategy.html