Regardless of their digital footprint, any business with a reliance on technology is at risk of cybercrime. In today’s digitised economy, where threats to cybersecurity are continuously increasing, protecting data, infrastructure, customers, clients and third parties against a breach is one of the biggest challenges that European businesses face. The financial and practical advantages technology brings mean that there is more opportunity for cybercrime; hence the Catch-22 business leaders face: if a business doesn’t go through a digital transformation there is a risk it may get left behind, and if it does there is an inherent and increased risk of cybercrime.
An in-depth survey of successful companies across Europe has been undertaken for RSM International by the European Business Awards, in order to understand levels of industry awareness of these cyber risks, the actions being taken to combat them, as well as the reaction to breaches taking place. Its ultimate purpose, given the findings, is to raise awareness among C-suite and senior management of the urgent need for the cybersecurity strategy, planning and action required to secure their organisation’s most valuable asset: data.
RSM’s ‘Catch 22: Digital transformation and its impact on cybersecurity’ report comprises responses to a range of questions posed to 597 companies in 33 European countries, spanning multiple industries and sizes, with recorded turnovers varying from less than €30 million to over €300 million. 56% of the respondents are on the management board with a further 31% reporting directly to the board. *
Although 80% of leading European businesses say digital transformation is a current strategic priority for their business, a significant number of organisations are not adequately protecting themselves against cybercrime. So, while businesses are alive to the threat of a breach (a large majority believe they are at risk), a significant number of businesses do not have a formal cyber security strategy in place, and those that do display a lack of faith in these strategies to protect them.
Additionally, most European businesses think it is possible that their company has been hacked without them knowing, leaving them in a vulnerable position to further cyberattacks.
The survey also reveals that at board and senior management level, there is a gap in awareness and perceived accountability, which may be one of the key internal drivers behind this vulnerability. Not only is there a lack of discussion around the risks at board level regarding cyber security but there is also ambiguity over who is responsible for leading on this within the organisation.
However, the study offers reasons for hope and signposts key solutions. Largely thanks to the EU’s General Data Protection Regulation (GDPR), much of the groundwork has been laid, and most businesses who responded to the survey have taken the first steps to securing data.
Finally, the section of data examining the direct actions of those businesses who have already experienced a security breach shows positive actions and reactions from European businesses to the crime and raises compelling questions around transparency and a continuous need for employee training.
* Results between size and seniority of role did not significantly change the main findings and the views and issues raised were similar across the whole of the middle market.
About the authors
Sheila Pancholi, RSM UK
Sheila is a national partner responsible for leading the Technology Risk Assurance practice across RSM UK. She has undertaken Head of IA and Risk roles as well as leading successful co-sourced and outsourced IT Audit teams across a diverse range of clients over her 26+ year career in Practice. She is a cyber security and data privacy specialist and has provided assurance and advisory support to a wide range of organisations to help clients manage all aspects of technology risks including cyber security, data privacy and operational resilience. Sheila has led SOX compliance engagements across a broad client base including Financial Services, Utilities, FMCG, Media & Entertainment, Retail & Hospitality, Technology, Telecommunications, and Manufacturing. She is an IT risk and controls specialist and has significant experience in delivering global SAP ERP system implementations and leading project and programme assurance engagements, including major change programmes and systems implementations, data centre relocations and outsourced IT service provision.
Gregor Strobl, RSM Germany
Regardless of their digital footprint, any business with a reliance on technology is at risk of cybercrime. In today’s digitised economy, where threats to cybersecurity are continuously increasing, protecting data, infrastructure, customers, clients and third parties against a breach is one of the biggest challenges that European businesses face. The financial and practical challenges that technology brings mean we are more interconnected globally, thereby increasing the opportunity for cybercrime; hence the Catch-22 business leaders face: if a business doesn't go through a digital transformation there is a risk it may get left behind, and if it does there is an inherent and increased risk of cybercrime.
An in-depth survey of successful companies across Europe has been undertaken for RSM International by the European Business Awards, in order to understand levels of industry awareness of these cyber risks, the actions being taken to combat them, as well as the reaction to breaches taking place.
Digital transformation requires increased cybersecurity
In today’s fast-changing, digitally led economy, most businesses are currently going through some form of digital transformation, either to improve their offering or to streamline their operations, with many already seeing the benefits of financial investments made. The Catch-22 is that with this increased use of technology and collection of personal data, the need for protection increases. But not all businesses are actively protecting themselves against cybercrime.
Preparing for inevitable cybercrime
The majority of European businesses understand they are at risk from a cyberattack and many even believe they could have been the victim of a breach without knowing. However, coupled with this is a lack of confidence in their ability to protect themselves and a sense of inevitability and resignation to an attack, with many believing hackers will always outwit preventative software.
Who is responsible for cybersecurity?
There is a gap in senior management’s engagement and prioritisation of cybersecurity that needs to be addressed. Not only is there a lack of discussion around the risks at board level but there is also ambiguity over who is responsible for cybersecurity in the organisation. Ideally, the senior executives themselves should be accountable.
The consequences of GDPR on cybersecurity
The EU’s General Data Protection Regulation (GDPR), which came into force in May 2018, is identified as the key driver to businesses taking the first steps in cybersecurity. More than one year on from the implementation of GDPR, the legislation is justifiably seen as a champion of security, but there have been some unintended consequences.
The vulnerability of employees to cybercrime
When it comes to threats now and in the future, most businesses see human error as the core area of vulnerability with targeted attacks on staff via phishing, whaling and ransomware attacks being the most sensitive touchpoint. This assertion is consistently supported by all of the findings on data breaches that have already occurred.
The importance of reporting cybercrime
A significant number of companies in the survey admitted a security breach and gave details about how they had dealt with it and its impact. The findings confirm the critical role of the employee with most attacks identified by them and/or access gained through them. Positive direct action after the event is seen with investment in software, training and much needed IT security reviews. However, one key issue highlighted is the lack of transparency of the breach with 75% of breaches not becoming public knowledge.
RSM’s cybersecurity top tips
RSM’s ‘Catch 22: Digital transformation and its impact on cybersecurity’ report clearly shows that organisations must do much more to protect themselves. Businesses should not wait for a breach to occur before investing. A breach is inevitable and choosing to react rather than protect could create untold damage to an organisation.