Globally, CEOs see cyber threats as the greatest threat to the stability and success of their organisations. This is evident from PwC's 24th CEO Survey. This outcome doesn't surprise me, and I'm really glad that cyber crime is at the top of CEOs' list of concerns. In fact, I've been thinking for years that the next systemic crisis could well be a cyber crisis. COVID-19 has now intervened, but I can well imagine that the next major crisis will once again have no economic trigger.
This is not to say that businesses and their CEOs underestimate digital developments. On the contrary, the CEO Survey shows that CEOs recognise the dangers and realise that they need to take action. But I think many CEOs have lost track of the ongoing rapid technological innovations and don't know exactly how to respond to protect their organisations.
There is a great need for qualified staff in this field in many organisations. Specialists who understand how cyber criminals work, who can look beyond silos within the organisation and who can detect and combat cyber attacks using innovative technology and tools. It's good to note that CEOs are listing the availability of key skills as second on the list of concerns and threats to their organisations. That's something I definitely agree with.
Unfortunately, the number of people with the desired skills is currently limited. And those who do have these skills often work at large challenging platforms like Google and Amazon and not in the risk departments of, say, banks or energy companies. In terms of upskilling, there’s still a lot to be done. In the meantime, cyber criminals are not sitting back and waiting.
The COVID-19 crisis and forced working from home are not helping to improve the cyber security of organisations and at the same time the risk has increased. Managers are losing sight of their staff to some extent and the bond between employees and the business for which they are working is becoming weaker. This can increase the likelihood of errors and involvement in fraud or even cyber attacks.
These are potentially ingredients for a dangerous cocktail, which I believe could lead to a major cyber crisis. I'm not just talking about cyber criminals stealing your savings, but also about shutting down financial payment systems or deliberately disabling energy company facilities. Businesses and institutions are currently insufficiently protected against such a threat.
With this in mind, I recommend that CEOs do the following:
Investments seem the obvious choice, but all too often I see that only the essentials are chosen. At some banks, for example, there are a hundred people working on credit risk and only a handful on cyber risk. And they have to take on gangs of cyber criminals who do nothing but hack all day long. Bearing in mind the pressure to cut costs, investing means making choices. Don't be afraid to reconsider the fundamental principles of risk management so you can keep up with new cyber and technology risks.
As well as recruiting new staff with backgrounds in coding, IT architecture, cyber crime and psychology, it is important that you upskill or retrain your current staff in terms of ‘hard’ technical skills and expertise. But also to ensure that they develop a different mindset, so that you can do more in the way of future-proof risk management. The present times call for people who can deal with complexity and uncertainty. People who understand the entire value chain of a business and can properly respond to incidents and possible attacks.
It is not only important that your own systems are properly secured, but also those of your suppliers and the businesses with which you collaborate. Hackers are increasingly trying to break into large companies using this detour. Get to know the ecosystem in which you operate and work only with organisations whose security is up to standard.
The increasing use of technology poses a threat to corporate culture. Prior to the COVID-19 crisis, it was already clear that organisations must do better to maintain the human dimension. The pandemic, working from home and the growing emotional distance between organisations and their employees once again emphasise this need. Especially in times like these, it is vital to maintain a good cyber security culture. Continue to encourage and increase your staff's awareness of cyber risks.
The Covid-19 crisis is spurring CEOs to accelerate their digital transformation. No fewer than 76 percent of respondents said they would increase investment in digital transformation over the next three years, with 48 per cent planning to do so substantially more.
At the same time, they are concerned about the risks of the digital world. This is reflected in risk management. When asked which threats are explicitly included in risk management, cyber threats were mentioned most often.