Insufficient insight into the effectiveness of cyber security

PwC study ‘Digital Trust Insights’

Organisations have become more vulnerable to cyberattacks due to increasing digitalisation. However, in PwC’s survey Digital Trust Insights only about thirty percent of the respondents across Western Europe state they have fully mitigated the risks in a number of critical areas. In the Netherlands, this percentage is even lower, with only twenty percent of the respondents agreeing with that statement. Dutch organisations seem more uncertain than their Western European peers about the value of the efforts of their cybersecurity teams.

PwC's Digital Trust Insights is an annual global survey conducted by PwC on the cybersecurity challenges organisations face and the measures they are taking to improve in the near future. This year, some 3,500 senior executives and directors of organisations from 65 countries participated in the survey, of whom 1,088 were in Western Europe and 37 in the Netherlands. In this study, we compare the Dutch outcomes with those of Western Europe.

Success of cybersecurity not easy to prove

PwC's cybersecurity expert Angeli Hoekstra offers a possible explanation for the Dutch uncertainty about whether cyber risks are sufficiently mitigated: cybersecurity teams often struggle to demonstrate what they are achieving. ‘Communication about the value of cybersecurity is quite difficult, because they don't deliver a concrete product. Their success lies in what doesn't happen. Communication therefore can only be done in terms of what the residual risk is of cybercontrols not in place or not working effectively or what the risk reduction has been, preferably in quantifiable terms about the business exposure. Communicating this in business terms remains a challenge chief information security officers and cybersecurity professionals face.’

Key cyber risks not fully mitigated 

In Western Europe, about a third of respondents say the risks around enabling work from home have been fully addressed. In the Netherlands, only one-fifth do. We see this same picture in other risk areas. Hoekstra: ‘In general, I am surprised, whether in the Netherlands or elsewhere, that only a relatively small proportion of respondents say that risks in a multitude of areas have been fully mitigated. The difference between the Netherlands and the rest is very large. It is always difficult to assess how the answers are arrived at. In principle, it is possible that those who answer "fully mitigated" actually overestimate themselves. Possibly this also has to do with a difference in risk acceptance. Apart from that: of course, it never hurts to review all measures again to see if improvements are needed.’

Rating performance of cybersecurity teams

A majority of Dutch respondents are satisfied with what their cybersecurity teams have accomplished over the past twelve months, but it is a narrow majority, especially when compared to the countries around us. The ratings on improving the value and efficiency of cyber employees lag behind in particular. Hoekstra: ‘What strikes me is that the proportion of respondents answering "I don't know" is also relatively large. It is interesting that directors or top managers don't know what has been accomplished, so that confirms the idea that cyber security departments need to communicate better about what they do and achieve. And perhaps also about what they can achieve.’

Dutch cybersecurity budgets rise and fall

In the Netherlands, a substantial percentage (27 percent) of respondents plan to increase the cybersecurity budget by six to ten percent next year. However, in the Netherlands we also see that sixteen percent of the respondents intend to decrease the budget by the same percentage. In Western Europe, the group that plans to increase the budget substantially is smaller, but so is the group that plans to decrease it.

Biggest impact on cybersecurity is in cyber-simplification

Another striking finding from the Digital Trust Insights concerns the Dutch opinion on transforming organisations in the cyber domain. Dutch respondents favour simplifying their digital landscape (infrastructure and applications) as an impactful instrument to increase cybersecurity. This clearly differs from the European outcomes, where this aspect comes in fourth place. The sharing of knowledge, so that employees who do not deal with cybersecurity on a daily basis also understand the risks, scores high in both the Netherlands and Western Europe.

Hoekstra does not find this surprising. ‘Many organisations have to deal with a complicated cyberlandscape because different systems have been tied together from the past, on which new applications have subsequently been built. That makes implementing security solutions complicated. Moreover, in view of that legacy, organisations need a lot of different expertise. These findings also reveal that organisations experience a lack of talented cyber employees. Simplifying complex systems, it seems to me, makes that an obvious solution.’
