Swiss businesses are ill prepared for cyberattacks and much too reactive in their approach. What’s more, companies rely too heavily on technology while neglecting the human factor. These are insights offered by KPMG’s latest study “Clarity on Cyber Security”.
According to the study, only 44% of people in executive management have a sufficient understanding of the various aspects of cybercrime as those pertain to their own company despite the fact that 54% of those surveyed are of the opinion that their cyber experts communicate effectively with senior management. In light of the threats lurking in cyberspace, their behavior is still much too reactive: 75% of those surveyed specified concrete incidents as the most important driver of efforts to intensify security measures. Since merely half of the companies even attempt to calculate the losses sustained as a result of cyberattacks, 39% of the companies (32% of SMEs and 50% of large corporations) are unable to put a monetary figure on damage already done and identify trends. “Cybercrime has been popping up on the agendas of executive management and boards of directors more frequently over the past three years. Yet this positive development presents chief information security officers with the challenge of communicating the threat of cyberattacks and their impact on the company in a language understood by executive management,” says Matthias Bossardt, Head of Cyber Security at KPMG Switzerland.
Since cybercrime by its very nature involves an extremely technical component, many companies make the mistake of focusing primarily on technology to combat it. 61% of the respondents indicated that they concentrate primarily on technology, thus failing to pursue a comprehensive approach and only inadequately factoring in the human element. “While 75% of companies conduct employee training courses to boost awareness of the topic, many attacks are still succeeding because they exploit the human factor,” says Gerben Schreurs, Partner in Forensics at KPMG Switzerland.
Some 51% of those surveyed do not expect to be able to fully prevent cyberattacks. “In light of that, it becomes even more important that attacks are identified as quickly as possible, that this is done in a very targeted manner and that any attack detected triggers an appropriate response. There’s still a lot of work to be done in that regard, though,” Matthias Bossardt says as he sums up the problem. After all, only 53% of the Swiss companies that took part in the survey even expect to identify attacks and also have the ability to respond appropriately. Less than half of them have contingency plans in place. And just 14% of enterprises use simulations and drills to test their contingency plans for effectiveness.
59% of the companies surveyed are either unconvinced that their contractors and vendors understand how to protect themselves against cyberattacks or do not have any information on the matter. Nevertheless, only 36% of companies set down cyber security requirements in their contracts with third parties and just 14% verify compliance with those requirements. “Considering how many successful attacks have already been made on contractors and vendors, this is an area where businesses have a lot of catching up to do,” states Matthias Bossard.
With threats in cyberspace in a constant, rapid state of flux, 95% of companies are convinced that they are unable to protect themselves against the growing threat of cybercrime on their own. They would like to see a more intense exchange of information with authorities and other businesses to improve their ability to protect themselves adequately.
The “Clarity on Cyber Security” study by KPMG Switzerland is based on a combination of qualitative interviews with individuals and an online questionnaire; over 60 companies participated in the study. Individual interviews were conducted with C-level partners (CEO, COO, CIO, CMO) from a wide range of different industries.
© 2017 KPMG Holding AG is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved.