Most of the world’s business leaders believe cyber threats will increase over the next year, with ransomware, business email compromise (BEC), cloud and supply chain attacks driving growth, according to the Global Digital Trust Survey Insights 2022 from PwC.
A majority (69%) of respondents said they expect security budgets to increase in the next year, but 60% predict that cybercrime will increase and 53% say nation-state-backed attacks are also likely to increase. Mobile devices, internet of things (IoT) and cloud top the list of preferred targets. Attacks on cloud services (22%) are expected to slightly outpace ransomware (21%) and cryptocurrency mining (21%) among the threats most likely to see significant increases. In addition, 56% expect an increase in breaches through their software supply chain, with 19% seeing significant increases.
Organizations know that risks are increasing. More than 50% expect an increase in incidents in the next year, above the levels of 2021, which is already considered to be one of the worst years on record for cybersecurity. More and more sophisticated attacks are being launched on systems and networks, looking to find vulnerabilities.
Whatever an organization’s digital Achilles heel (an unprotected server containing 50 million records, for example, or a flaw in the code that controls access to cryptographic wallets), attackers will use every means at their disposal, both traditional and ultra-sophisticated, to exploit it. The consequences of an attack grow as the interdependencies between systems become more complex. Critical infrastructure is especially vulnerable. And yet, many of the breaches we’re seeing are still preventable with solid cyber practices and strong controls.
The study highlights that as digital connections multiply, they form increasingly complex webs that become more intricate with each new technology. Having a smartphone means carrying a variety of “devices” in your pocket — phone, camera, calendar, TV, health tracker, an entire library of books, and more. But the processes required to manage and maintain all these connections — including cybersecurity — are also getting more complicated.
Is the business world now too complex to protect? Leaders are sounding the alarm. About 75% of respondents say too much unnecessary and avoidable organizational complexity poses “worrying” cyber and privacy risks.
According to the study, in an overly complex organization, it’s easy for “the left hand not to know what the right hand is doing,” and the consequences for cybersecurity and privacy can be dire. Seventy-five percent of C-suite respondents, including CISOs, say their companies are too complex, in ways that are avoidable and unnecessary, and nearly the same percentage say that complexity poses “worrying” cyber and privacy risks for their organizations in 11 main areas.
Data seems to be the main cause for concern, especially among large companies (those with revenues of $1 billion or more). Data governance (77%) and data infrastructure (77%) were ranked first among the areas of “unnecessary and avoidable” complexity. Technology devices and networks are also highly complex, particularly in large US companies and corporations.
Digital native companies — those that exist entirely online — tend to use the latest technologies, which are designed to connect and operate together. Most other companies’ technology architectures, which include legacy systems, are more complicated. Mergers with other organizations can multiply risks by connecting already complex networks and systems.
Those most concerned about all this complexity are CEOs. They assign a complexity level of ten to seven of their organizations’ 11 areas. CEOs tend to be more concerned about the cyber and privacy risks arising from this complexity in the cloud environment, governance of technology investments and transition from IT to operational technology (OT).
The PwC report makes the caveat that complexity is not bad in and of itself. It is often a by-product of business growth. The larger an organization, the more complex it will naturally be, needing more people and technology to serve a growing customer base.
The costs of creating unnecessary complexity are not obvious, and it’s difficult to build urgency around combating complexity until an attack occurs. As an example, the study cites a company that needlessly kept confidential data from people it no longer did business with, making that data available for hackers to steal.
As an example of simplification, the report cites the case of a global retail organization where six suppliers managed customer contacts. Two of these vendor systems have been breached in the past. After consulting with the CEO and the board, the new COO reduced the list of suppliers to two. This simplification has improved security: tracking two vendors is easier than tracking six, making access to information easier to track, and the retailer can more readily back up the smaller cache of customer data.
Asked to cite the main consequences of operational complexity, respondents mentioned:
1. Financial losses due to data breaches or successful cyber attacks;
2. Inability to innovate as quickly as market opportunities allow;
3. Lack of operational resilience or ability to recover from a cyber attack or technology failure.
In other words, complexity is not just a threat to “today’s luck”, in the executives’ view. It also prevents organizations from creating opportunities quickly and looking for future opportunities.