Most Australian CEOs surveyed by PwC see cyber security risks as a threat to growth, though more could be done to help them understand those risks, the firm reports.
Around three quarters of Australian respondents to the survey said they now factor cyber threats into their baseline strategic risk management activities.
And 78 per cent of respondents said they are increasing spending on cyber security. That corroborates Gartner’s prediction that Australian spending on information security and risk management will increase by 7.3 per cent this year to $5.1 billion.
Key factors survey respondents saw impacting their cyber security strategies include the increasing complexity of cyber threats, cyber security and data privacy regulations such as GDPR, and to a lesser extent, vulnerabilities in supply chain and of business partners.
While most saw cyber security as a threat to growth, whether the risks are being identified and reported is another matter. Only about a quarter of respondents agreed that their organisations need to do more to measure and report on cyber security issues.
PwC urges businesses to do more to explain those risks in a meaningful way to non-technical stakeholders.
“A key step for businesses is being able to articulate cyber risk in a way that is meaningful to executives, directors and investors. It is more vital than ever to be able to interpret data, quantify cyber risk and explain how this relates back to specific business outcomes,” says Nicola Nicol, Cybersecurity & Digital Trust Partner at PwC Australia.
Those conversations should include the risks created by mergers and acquisitions.
Australian executives were overall more optimistic about their future than they were last year. A clear majority said they expect local economic growth this year, while a similar proportion expect to increase headcount over the next three years. And 63 per cent expected much of this year’s growth to come through M&A activity – up from 34 per cent last year.
Of course, M&A exposes companies to other organisations’ cyber security deficiencies and transfers cyber security responsibilities to new business owners.
Minimising these risks requires careful analysis of the cyber security posture of merger and acquisition targets, and evaluation of their intellectual property protection and related practises.
“If cybersecurity integration activities aren’t identified and factored into the transaction on the front end,” PwC previously advised, “gaps between IT, cybersecurity and other business operations can slow integration and add costs, cutting into the efficiency and financial gains from the deal.”
“The overall deal structure has a big impact on how to plan for cybersecurity.”
PwC also calls out investment in cyber security skills as a concern. “Although more CEOs are considering cybersecurity in their business decisions, organisations still have much to do to overcome challenges; including a greater investment in their people to ensure they have the skills they need,” it states.
More attention to risk management recommended
“The unpredictability of current events has highlighted vulnerability and the needs for a focus on cyber – and organisational – resilience,” PwC also notes.
Australian CEOs are paying less attention to aspects of risk management than their overseas counterparts, according to the survey. PwC found that 27 per cent of Australia’s CEOs were preparing for systemic risk and low-probability, high-impact events like the pandemic – compared to 46 per cent globally.
Apart from the obvious business reasons for this preparation, there are also other reasons to do so.
“With an increase in high-impact cyber attacks like ransomware,” writes PwC Australia Cybersecurity & Digital Trust Leader Mike Cerny, “changes in director liability, governance expectations and regulatory reform are also prompting directors to seek more assurances over cybersecurity.”
Getting those assurances will take more than money, Cerny notes.
He advises companies to improve their employees’ baseline cyber security knowledge, invest in human-centric security processes, and build consumer trust and loyalty by investing in new, innovative technologies that improve cyber security without impacting the consumer experience.
Read more about the PwC 24th CEO Survey findings.