Only a quarter fully prepared for cyber-events, study says
CEOs believe cyber-security is the top risk they face, according to KPMG’s US CEO Outlook 2016 report, with 38 percent of respondents saying they are concerned about cyber-security risk.
The report is based on responses from 400 US CEOs from a range of industries, including automotive, retail, infrastructure, life sciences, technology, energy/utilities, telecoms and financial services. While cyber-security is cited as the top risk CEOs are most concerned about, only 26 percent of respondents say they consider themselves fully prepared for a cyber-event, and 18 percent are not comfortable dealing with cyber-risk as part of their role.
Cyber-attacks are now a given. ‘It’s not a matter of whether you will be hacked; it’s simply a matter of when,’ says Greg Bell, principal and US leader of KPMG’s cyber-division. ‘No matter how much you spend or how much preventive activity you engage in, you are still at risk. You need to find the right balance to do enough to protect your company and brand and not just prevent incidents from happening, but also be able to effectively respond to them.’
Bell suggests senior executives should view cyber-security as a risk to be measured, managed and understood, and should take advantage of technology that can help manage that risk. ‘Often, senior officers may be so fearful of cyber-attacks that they might be reluctant to take on new technologies,’ he says. ‘For example, boards may be afraid of the cloud because of the perceived cyber-implications. But it could be a bigger risk for them not to go to the cloud.’
Senior executives and boards can best deal with cyber-security by fostering dialogue, making sure security approaches are aligned with business strategy and recognizing that cyber-security is the concern of the entire organization. ‘Keeping informed about cyber-issues is a business quality control rather than just an IT issue,’ Bell says. Organizations should also recognize that as they increasingly rely on outside technology ‒ third parties, IT service providers and cloud providers ‒ cyber-security becomes an issue that extends beyond the organization’s internal technology function.
Companies need to ensure employees in all parts of the organization understand cyber-issues. ‘The entire C-suite needs to be involved in cyber-discussions,’ says Kelly Watson, a partner and the national service group leader of KPMG’s risk consulting practice. ‘It can’t just be the CEO. It’s got to involve all elements of the businesses so that everyone is on board with the strategy and manages risk as a team.’
Emerging technology is another risk because technology is changing faster than senior executives and boards can keep up with it. Outsourcing presents a further concern. ‘When you outsource something, you don’t outsource the risk, you just outsource the activity,’ Watson explains. ‘So executives need to be diligent when outsourcing company activities, including manufacturing.’