Cybersecurity: Boards still happy to pass the buck to the IT department

PwC report warns that businesses are leaving themselves vulnerable to cyberattacks due to a lack of understanding of the risks.
Written by Danny Palmer, Senior Writer

Only 37 percent of organisations have a cyber incident response plan in place, says PWC report.


Cyber criminal threats are rising sharply, but businesses aren't adequately prepared for -- or in some cases don't even understand -- the risks they face, a new report by PwC has warned.

The multinational professional services firm has published its findings in its Global Economic Crime Survey 2016, which cites cyber crime as the fastest growing type of economic crime, with only asset misappropriation more common. A total of 32 percent of organisations revealed that they've been affected by cybercrime.

If that figure seems low, the report suggests that this is because respondents may not even know that their organisation has suffered a data breach or any other sort of attack by hackers.

"The insidious nature of this threat is such that of the 56 percent who say they are not victims, many have likely been compromised without knowing it. A concerning trend we have observed is that of hackers managing to remain on organisations' networks for extended periods of time without being detected," says the report, which comes following another study suggesting that businesses are often unaware that they've been breached.

However, despite rising fears over cyber crime -- 53 percent of respondents said they see an increased risk of threats from hackers and other nefarious actors -- PwC figures suggest that only 37 percent of organisations have a cyber incident response plan in place.

Responsibility for this disturbing lack of preparation, PwC claims, comes from the top, because "many boards are not sufficiently proactive regarding cyber threats, and generally do not understand their organisation's digital footprint well enough to properly assess the risks".

Indeed, fewer than half of board members are said to actually request information about how prepared their organisation is to fend off or deal with a cyberattack.

It also seems that the board is willing to pass the buck when it comes to taking responsibility for dealing with a "cyber crisis", with IT security staff expected to deal with outcomes in almost three-quarters of cases. That strategy, argues Andrew Gordon, global leader of forensic services at PwC, is not the right course of action.

"Too few companies are adapting their risk assessments and control frameworks fast enough. Action on economic crime is not the responsibility of one person or team; it must be embedded within an organisation's culture," he says.

Ultimately, the report suggests, cybersecurity must be embedded into every layer of the organisation in order to have the best chance of defending against criminal operators.

"It is vital that boards incorporate cyber crime into their routine risk assessments, communicate the plan up, down and across organisational lines, and discuss specifically with the IT department at what point they want to be alerted of a breach," PwC recommends.

One of the key themes of the document is that organisations must take cyber crime as seriously as any other risk that they might face.

"Cyber threats must be understood and planned for in the same way as any other potential business threat or disruption (such as acts of terrorism or a natural disaster): with a response plan, roles and responsibilities, monitoring and scenario planning," it says.

The PwC Global Economic Crime Survey 2016 interviewed over 6,000 participants in 115 countries.
