Swiss companies are underestimating the cyber risks associated with the Internet of Things. They are still not working together enough on digital security and lack a complete understanding of the threats involved. A significant number of Swiss firms risk falling by the wayside, jeopardizing their continued viability as a business, as illustrated in KPMG’s latest study, “Clarity on Cyber Security”.
The march of digitalization is continuing apace. As well as bringing opportunities for companies, however, this trend also poses some major risks to Swiss business: In the past 12 months, for instance, over half (54 percent) of all the companies included in the study have been the victim of a cyberattack. These attacks severely disrupted the business processes at 44 percent of the companies affected, with a quarter fearing that they had suffered reputational damage as a result. The most common tools used by the cybercriminals were malware, phishing emails and so-called social engineering – manipulating victims by using false identities, faking social network profiles or impersonating the authorities.
“The survey of over 60 Swiss companies from various industries indicates that Switzerland still lacks a consistent cyber security strategy,” says Matthias Bossardt, Head of Cyber Security at KPMG Switzerland, summarizing the findings. “While some businesses have taken a suitably modern approach and are attempting to adapt in line with the constantly changing threats, others are at risk of falling completely by the wayside, thus jeopardizing their very viability as a business in the medium term.”
The fourth industrial revolution and the increasing interconnectedness of multiple devices also pose a huge security risk because networked domains of technology offer many more openings for an attack. In other words, the Internet of Things allows cyberattacks to cause tangible damage offline as well as online. However, the study shows that many Swiss companies are paying far too little attention to the security aspects of Industry 4.0. For example, over half of those surveyed (53 percent) admitted lacking a general overview of the risks that the Internet of Things posed to them, which prevents any effective protection against cyberattacks.
It is not only external attacks that can cause major damage – internal sources of risk must not be underestimated either. However, a large majority of the company representatives interviewed (80 percent) are dissatisfied with how their business handles these insider risks: 60 percent lack an adequate setup for monitoring suspicious internal activity, 51 percent do not analyze the relevant data and 49 percent lament insufficient coordination between departments. Yet it is precisely this kind of multidisciplinary approach that is essential when it comes to cybersecurity because it is not enough just to use technology for internal and external security measures: “Many cybercriminals exploit the human factor to bypass technical barriers,” says Gerben Schreurs, Partner Forensic at KPMG Switzerland. “This means that companies will increasingly have to include softer factors such as their corporate culture in their security planning as well in future and not simply look at technology.”
While no less than 95 percent of companies in last year’s study expressed a desire for greater cooperation, 66 percent of respondents this year said that they had increased their focus on cooperation in cybersecurity over the past 12 months. Most of this collaboration involved sharing relevant information on threats (88 percent), exchanging experiences (83 percent) or joint prevention (78 percent). “In an increasingly networked and complex world, it makes no sense for every company to tackle cybercrime on its own. Logical partnerships need to be cultivated wherever possible,” says Matthias Bossardt, commenting on the study results.
Whereas a substantial 59 percent of companies in 2015 had been unsure whether and how their business partners, service providers and suppliers defended themselves against cyberattacks, 72 percent of those surveyed now explicitly stipulate compliance with minimum security standards in their agreements with third parties. The percentage of businesses afraid that outsourcing their IT would increase their cyber risk also fell from 15 to 8 percent. That said, the financial sector is more skeptical regarding the security risks posed by outsourcing and cooperating with partners, with many companies questioning whether the trust that they place in third parties when instigating a business relationship is really justified. This is illustrated by an increase from 25 to 33 percent in the proportion of respondents from the financial industry who fear outsourcing will reduce transparency in terms of cyber risks.
KPMG Switzerland’s “Clarity on Cyber Security” study combines qualitative interviews with individuals and an online survey and includes over 60 companies. The interviews were conducted with C-level partners (CEO, COO, CIO, CMO) from various industries.
© 2017 KPMG Holding AG is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved.