A majority of companies don’t have a handle on their third-party cyber risks – risks obscured by the complexity of their business relationships and vendor/supplier networks. This is the finding of the PwC 2022 Global Digital Trust Insights Survey. The survey of 3,600 CEOs and other C-suite executives globally found that 60% have less than a thorough understanding of the risk of data breaches through third parties, while 20% have little or no understanding at all of these risks.
The findings are a red flag in an environment where 60% of the C-suite respondents anticipate an increase in cyber crime in 2022. They also reflect the challenges organizations face in building trust in their data — making sure it is accurate, verified and secure, so customers and other stakeholders can trust that their information will be protected.
Notably, 56% of respondents say their organizations expect a rise in breaches via their software supply chain, yet only 34% have formally assessed their enterprise’s exposure to this risk. Similarly, 58% expect a jump in attacks on their cloud services, but only 37% profess to have an understanding of cloud risks based on formal assessments.
Sean Joyce, Global & US Cybersecurity & Privacy Leader, PwC United States said: “Organizations can be vulnerable to an attack even when their own cyber defenses are good; a sophisticated attacker searches for the weakest link – sometimes through the organization’s suppliers. Gaining visibility and managing your organization’s web of third-party relationships and dependencies is a must. Yet, in our research, fewer than half of respondents say they have responded to the escalating threats that complex business ecosystems pose.”
Asked how their companies are minimizing third-party risks, the most common answers were auditing or verifying their suppliers’ compliance (46%), sharing information with third parties or helping them in some other way to improve their cyber stance (42%), and addressing cost- or time-related challenges to cyber resilience (40%). But a majority have not refined their third-party criteria (58%), not rewritten contracts (60%), nor increased the rigor of their due diligence (62%) to identify third-party threats.
Simplifying the way to cybersecurity
Nearly three quarters of respondents said the complexity of their organization poses “concerning” cyber and privacy risks. Data governance and data infrastructure (77% each) ranked highest among areas of unnecessary and avoidable complexity.
Simplification is a challenge, but there is ample evidence that it is worthwhile. While three in 10 respondents overall said their organizations had streamlined operations over the past two years, the “most improved” in our survey (the top 10% in cyber outcomes) were five times more likely to have streamlined operations enterprise-wide. These top 10% organizations are also 10 times more likely to have implemented formal data trust practices and 11 times more likely to have a high level of understanding of third party cyber and privacy risks.
CEO engagement can make a difference
Executive and CEO respondents differ on how much the support the CEO provides on cyber, with CEOs seeing themselves as more involved in, and supportive of, setting and achieving cyber goals than their teams do. But there is no disagreement that proactive CEO engagement in setting and achieving cyber goals makes a difference. Executives in the “most improved” group, reporting the most progress in cybersecurity outcomes, were 12x more likely to have broad and deep support on cyber from their CEOs. Most executives also believe that educating CEOs and boards so they can better fulfill their cyber responsibilities is the most important act for realizing a more secure digital society by 2030.
Sean Joyce concluded: “Our survey shows that the most advanced organizations see cybersecurity as more than defense and controls, but as a means to drive sustained business outcomes and build trust with their customers. As leaders of organizations, CEOs set the tone for focusing their cyber teams on bigger-picture, growth-related objectives rather than narrower, short-term expectations.”