Cyber security a growing concern for businesses

The report also said 86 per cent of executives said that complexity in their organisation was creating concerning levels of risk, with third-party cyber risks a glaring blind spot. 

The findings reinforce the concerns of UK businesses about different cyber threats, as well as the potential vulnerability of their supply chains.

Over the past year, a number of prominent ransomware attacks have caused a significant impact on organisations already dealing with the challenges posed by the COVID pandemic.

There is also now the added threat of “ransomware as a service” in which ransomware developers lease out their malware in exchange for a share of the criminal profits.

The survey participants indicated that the biggest areas of concern from cyber attacks are business email compromise (61 per cent) and malware via software updates (63 per cent).

“It’s impossible to ignore the threat from ransomware attacks as criminal groups become more brazen and scale their operations through ‘ransomware as a service’ and the use of affiliate criminal groups,” Bobbie Ramsden-Knowles, crisis and resilience partner, PwC UK said.

Mr Ramsden-Knowles said the PwC threat intelligence team has already tracked more ransomware incidents globally, up to September 2021, than in the whole of 2020.

“Ransomware has the potential to rapidly disrupt an organisation’s entire business, across geographies and functions,” he said.

“For organisations without a framework for managing enterprise-wide crises there is an acute need to develop and embed one, to be able to respond to this type of disruptive event in a coordinated way. 

“Whereas other types of crises may be perceived as ‘black swan’ events that can not be predicted, ransomware attacks have become so widespread that we have seen a common set of challenges and decisions that all organisations would face. Developing – and aligning – ransomware playbooks for executive crisis teams and operational responders is a no-regrets move. And, testing these through wargames and exercises can reduce uncertainty, build confidence in the ability to respond and help prioritise focus on preventative measures.”

The increased complexity of some organisations’ operations due to growth, mergers and acquisitions, or the rapid adoption of new technologies has made them more difficult to properly secure.

In fact, 86 per cent of UK respondents said that complexity in their organisation creates concerning levels of risk. This concern is primarily caused by a network of multi-vendor environments.

Notably, 64 per cent of UK respondents expect a jump in attacks on their cloud services over the next year, however only 41 per cent professed to have an understanding of cloud risks based on formal assessments. Similarly, 63 per cent of respondents said their organisations expect a rise in breaches via their software supply chain, yet only 42 per cent have formally assessed their enterprise’s exposure to this risk. 

The survey found that almost two-thirds of UK organisations (63 per cent) are increasing their cyber-security budgets over the coming year; this compares to 56 per cent in last year’s survey. Furthermore, nearly a quarter of organisations (24 per cent) plan to increase their cyber security spend by 10 per cent or more. 

“As cyber security budgets increase, organisations are faced with the challenge of ensuring they get the best return on their investment. Our research found that few organisations are confident they are reaping the rewards from increased spending,” Richard Horne, cyber security chair, PwC UK said.

“For example, while 37 per cent of UK respondents said they had implemented cloud security at scale, just 18 per cent are fully realising the benefits of their investment. The remainder either weren’t investing in this area or hadn’t yet implemented it at scale.

“To overcome this challenge and build greater confidence in their security investments, organisations must improve their cyber risk modelling and analysis. This ensures increases in cyber budgets are allocated to priority risks and help build long-term resilience.”