- Security TWENTY
- Women in Security Awards
Near four in ten UK CEOs believe becoming a victim of a cyber-attack is now a case of ‘when’ and not ‘if’ for their organisation, according to a survey of CEOs from some of Britain’s biggest businesses by an audit firm.
KPMG surveyed 150 UK leaders and a further 1,150 CEOs from across the world about their investment plans and the challenges and opportunities facing their companies. Some 39pc of UK CEOs surveyed believe they will be targeted by a cyber-attack. The auditors point out that this view was quite optimistic in comparison to their global counterparts, where 49pc said they envisioned a cyber-attack on their business.
Bernard Brown, vice chair at KPMG in the UK said: “The seeming inevitability of a cyber-attack crosses all borders and has now crossed firmly over the threshold for board-level discussions. Protecting the business from a cyber-attack has jumped further up the boardroom agenda and we are seeing businesses making their defences the best that they can be.”
With the General Data Protection Regulation (GDPR) affecting all businesses interacting with EU businesses and customers, the audit firm calls it worrying that only 40pc of UK CEOs view customer data protection as one of their most important personal responsibilities in enabling long-term growth of the customer base. However, the survey also found that UK business leaders believe that a strong cyber-security strategy is critical to engender trust with key stakeholders, with 74pc agreeing that cyber-security is an enabler of trust, in comparison to only 55pc of global CEOs.
Brown added: “It is reassuring that UK CEOs see the value in having a good cyber-security strategy which enables trust. The reality is that without trust, customers are likely to be increasingly resistant to sharing personal information, potentially undermining business models and strategies. Businesses need to turn privacy into a source of competitive advantage which will no doubt enable long-term growth of the customer base.”
Cyber awareness amongst UK leaders is rising, the survey suggests, as nearly four in ten (39pc) believing that their organisations are either ‘very well’ or ‘well’ prepared for a future cyber-attack. Cyber-security specialists are also seen as an effective part of the business with 45pc of UK CEOs seeing their value, coming second to data scientists who are seen as being effective by 62pc of the CEO cohort.
Brown said: “It’s encouraging to see that CEOs are developing a more mature understanding of what cyber security actually means. Helped by non-executive directors (NEDs), they are beginning to ask more awkward and searching questions of their IT teams: what are the challenges that face us specifically, what risks are we carrying, what do we need to be resilient to a cyber-attack? Organisations are spending more time planning for worst case scenarios, running simulations and thinking in detail about how they would deal with the uncertainties that arise during a cyber breach.”
Dr Anton Grashion, Managing Director, Security Practice at Cylance, said: “I think in terms of an attack that’s a fair reflection. The availability of malicious tools and even services are placing the ‘means’ in the hands of many who, while unskilled, are motivated to attack an organisation, to attack organisations. However, with the advent of advanced ML/AI tools we can reduce the likelihood of a malware based breach to a very very low probability.
I would advise CEOs to check with their CISOs to ensure their cyber defences are balanced between prevention and detection/response. Prevention has been long overlooked due to failures in legacy systems to address the rapidly changing threat landscape. If their investment is risk assessed in the light or prevention being possible even if an attack is inevitable then the knock on benefits in terms of resource liberation and avoidance of correlated or cascading failure means that the old adage that an ounce of prevention is worth a pound of cure has never been truer.”