Throughout the pandemic, many organisations have had to find new ways to deliver products and services to customers and clients through digital channels, while also having to adapt to staff working remotely – each creating complexities from a cyber security risk perspective.
Recognition of this was clear from the results of our recent KPMG 2021 CEO Outlook Pulse Survey. Cyber security was reported by CEOs globally as the number one threat to their company’s growth over the next 3 years. This is up significantly from fifth place in August 2020, and ahead of regulatory, tax and supply chain risks.
In addition to the digitalisation of business operations, concern over cyber security is naturally heightened by the increased incidence of hacking of vendors and governments by threat actors ranging from nation states to organised criminal groups.
To address these concerns, the survey shows 52 percent of CEOs are planning to spend more on data security measures in the year ahead. Much of this spend will be directed at greater access to expertise and technology solutions but there also needs to be a human factor involved when it comes to risk mitigation. It will be important for everyone – from boards to leadership to employees – to strengthen their understanding and actions around cyber security.
The survey found that 74 percent of CEOs said their digital operations have accelerated significantly. This pace looks set to continue, with 57 percent reporting plans to bring more digital tools into the customer engagement space, such as chat bots, web queries and social media platforms. For 61 percent, new employee collaboration and communication tools are on the agenda. This makes a lot of sense given the expectation of 30 percent of CEOs that a majority of their employees will be working remotely 2-3 days per week.
This rapid digitalisation of operations means organisations are doing things and learning things that they haven’t had to do before – but it also means we are seeing a rise in cyber security incidents. New tools are continually offering updates in features; however, even a small change like being able to share multiple screens in a virtual meeting could introduce issues around data confidentiality if the functionality isn’t understood. There is a clear need to build in a cyber security strategy around the introduction of any new capabilities.
It’s important that people have the right tools to do their work, so that they don’t download alternatives that may bring risk into the organisation. But when looking at implementing new technologies, businesses need to consider the safety of the people using them, too.
If you have 100 people on a virtual meeting, with many that are anonymous, and you ask them to contribute to a ‘word cloud’ on screen, there is potential for someone to be abused, or for private information to be leaked. It’s important to weigh up how the tool will enable things versus what the risks are. Ask, what guardrails do we need to put around these tools for our people? Technology is important, but the risks of implementation go well beyond cyber security, making this area very much a holistic business challenge.
More people are naturally focused on the possibilities of what technology can do than on how to harness technologies in a really safe way. However, cyber security can’t just be the responsibility of the security team working in a silo. It’s important that cyber risk prevention becomes part of company culture and working habits.
This needs to start at the board level, with technology and cyber expertise ensuring that all of the board are educated in the appropriate risks – this will ensure the links to operations, supply chains, regulation, human resources and more are properly understood. It then needs to filter into every department and every role. If you talk to somebody in the NHS, every single person would recognise that health and safety is their responsibility. When organisations take the same approach to cyber security, there is a better chance of mitigating risk.
If you are setting out to manage cyber risk, here are three key things to remember:
For more insights, read the full results from the CEO Outlook Pulse Survey.