PwC’s 2019 Digital Trust Insights identifies how leading companies make sure operations run smoothly and securely as digital connections multiply
of high-RQs have a full inventory of assets and refresh as needed
of high-RQs know their critical business services
of high-RQs already focus on digital resilience by design
According to the US Federal Bureau of Investigation (FBI), ransomware is the fastest-growing cyber threat, with an average of more than 4,000 ransomware incidents occurring daily. That means that good enough simply isn’t enough anymore when it comes to protecting data and information.
PwC’s Digital Trust Insights study into the resilience strategies of over 3,500 firms around the world concurs. With a visible mindset shift in what it takes to protect a business, we sought to identify how businesses are revamping their strategies to better position themselves for resilience. Results show that businesses where strategies are the most mature are also the most likely to have revamped resilience plans in the face of new, "very significant" threats.
We found a high resilience-quotient (high-RQ) group that scored in the top 25% across the three areas the survey focused on:
Understanding that there are new and very significant threats, businesses in the high-RQ group are more likely (59% vs. 31% of the rest of the survey respondents) to have already revamped their strategies for new threats. They’re also more confident that they can manage emerging risks that test their cyber resilience (73% vs. 24%).
In essence, high-RQ group members have shifted their mindset away from the traditional—and myopic—disaster recovery/business continuity model to “resilience by design”, a more expansive approach that involves gaining real-time views of higher-priority processes so that decision makers and responders can react to incidents with minimal harm to the business.
Without understanding how data assets and processes are connected to core business services and their interdependencies, an enterprise can’t know which systems or assets to isolate if a disruption occurs. The most striking difference between the high-RQ group and the rest is this: 91% of high-RQ companies maintain an accurate inventory of assets and refresh the list as needed, compared to only 47% of the rest.
"The results of our study confirm the top two of the CIS top 20 Critical Security Controls™ to protect an organisation and data from known cyberattack vectors: firstly, build and maintain an inventory of devices and secondly, build and maintain an inventory of software," says Ingvar Van Droogenbroeck, the PwC Belgium Partner who heads up our Cyber & Privacy unit. Organisations around the world rely on the CIS Controls security best practices to improve their cyber defenses.
We often also focus on these controls when working with clients that seek to build information security management systems under ISO 27001.
"Organisations that don’t have a full view of their IT asset landscape don’t stand a chance of being able to secure it adequately."
"Too often, organisations don’t have an accurate and complete overview of their IT estate, let alone the dependencies within and between assets, and therefore lack an understanding of which are critical for their operations. If there’s a major setback, recovery will be difficult and costly," Ingvar Van Droogenbroeck explains.
He adds, "If there are hardware or software components that you’re unaware of in your system, it’s unlikely that they’re fully patched or properly secured, making them an easy entry point to your entire infrastructure."
In too many cases, organisations also have no strong business continuity plan in place. Because priorities differ by department, what’s really critical may then need to be identified during the crisis, complicating and extending the recovery. "Worse still, in many organisations documentation’s lacking or not up to date. If information resides with only one or two key individuals, your survival may depend on those persons’ availability in the crisis," Ingvar Van Droogenbroeck says.