
What Cybersecurity Risk Must SMEs Address Now?

By Juan Carlos Carrillo - PwC Mexico
Director


By Juan Carlos Carrillo | Director - Tue, 01/10/2023 - 09:00


As a small to medium-sized business owner, what is your immediate reaction when cybersecurity comes up? Sadly, most will make it a technical and not a business issue. 

Recent research provides information that might change that thinking: in the 2021 PwC Global CEO Survey, nearly half (47 percent) of small and medium-sized business respondents ranked cyberattacks as the top threat to their organization's growth. In the 2022 report, CEOs ranked cyber risk as the top threat to growth.

Threat actors will affect organizations significantly more in 2023 than in 2022: 65 percent of executives consider cybercriminals the most significant threat to their organization in the coming year, followed by hacktivists and insiders.

Most CIOs and CISOs see three significant cyber risks for 2023: 

1. Business email compromises (BEC) 

2. Ransomware 

3. Attacks against the cloud 

Eighty-one percent of CIOs, CISOs, and CTOs are not confident that their company has taken steps to protect against four major cloud threats:

1. Credential management 

2. Resource authorization or public versus private storage configuration 

3. Cloud security configuration errors or incorrect configurations 

4. Mismanagement of APIs 

Thirty-eight percent expect more serious attacks via the cloud in 2023. Most of these breaches would be related to a misconfiguration.  

Attackers exploit a misconfiguration in a company's cloud-hosted, internet-facing application and steal user data to sell on the black market. A cloud data breach is not so much a technical risk as a business risk, with costly notifications to data owners, a possible class-action lawsuit against the company, and damage to the enterprise's reputation.
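As an added example that is not part of the article, the following script audits a constructed cloud inventory against three of the four cloud threats listed above: public versus private storage configuration, configuration errors (unencrypted data), and credential management (long-lived access keys). The records are invented here; the public access block field names are modeled on AWS S3's settings, and the 90-day key age limit is an assumed policy.

```python
from datetime import date

# Constructed inventory records for this example (not real accounts or buckets).
# Field names mirror AWS S3's public access block settings, but the data is invented.
BUCKETS = [
    {"name": "customer-exports", "acl": "public-read",
     "public_access_block": {"IgnorePublicAcls": False, "RestrictPublicBuckets": False},
     "encrypted": False},
    # Public ACL that is neutralised by the access block: not an exposure.
    {"name": "invoices", "acl": "public-read",
     "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True},
     "encrypted": True},
    {"name": "backups", "acl": "private",
     "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True},
     "encrypted": True},
]
ACCESS_KEYS = [
    {"user": "deploy-bot", "created": date(2021, 3, 1), "last_used": date(2023, 1, 5)},
    {"user": "analyst", "created": date(2022, 11, 20), "last_used": date(2023, 1, 9)},
]


def is_effectively_public(bucket):
    """A public-read ACL only exposes data when the access block does not ignore it."""
    pab = bucket["public_access_block"]
    return bucket["acl"] == "public-read" and not pab.get("IgnorePublicAcls", False)


def audit_buckets(buckets):
    """Return (bucket, issue) pairs for public exposure and missing encryption at rest."""
    findings = []
    for b in buckets:
        if is_effectively_public(b):
            findings.append((b["name"], "public storage exposure"))
        if not b["encrypted"]:
            findings.append((b["name"], "data at rest not encrypted"))
    return findings


def audit_keys(keys, today, max_age_days=90):
    """Flag long-lived keys: the credential-management gap is keys that never rotate."""
    return [(k["user"], "access key older than %d days" % max_age_days)
            for k in keys if (today - k["created"]).days > max_age_days]


if __name__ == "__main__":
    for name, issue in audit_buckets(BUCKETS) + audit_keys(ACCESS_KEYS, date(2023, 1, 10)):
        print(f"{name}: {issue}")
```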

Why Could This Happen? 

These attacks would mainly be due to a missing or deficient cybersecurity strategy specific to the cloud: no defense in depth, coding errors, inadequate testing of in-house and library code, or improperly encrypted data.

But are small and medium-sized companies right to worry? And if so, what should they do about it?

The reality is that the cyber threats that small and medium-sized businesses face are no different from those that any other type of business faces.

Cybercriminals are opportunistic and will seek to attack wherever they see vulnerabilities.  

The most important aspect that small and medium businesses need to address is the involvement of the C-Suite. 

In the latest PwC study, Digital Trust Insights 2023, we took a deep dive into the specific actions the different C-levels need to address: 

Actions for the CEO and the board of directors: 

• Talk about executive commitment to cybersecurity 

• Use influence to inspire change 

• Eliminate organizational barriers to the integration and coordination of executives in the cybersecurity strategy

Actions for the CIO or CTO: 

• Secure applications in the back-end and front-end

• Build an IoT strategy

• Work with the OT team to secure the operation's technology

• Develop, with the CISO, a secure-by-default approach to the cloud

Actions for the CFO: 

• As companies modernize and simplify IT, finance people need to ask two questions:

o How can you get the most cyber risk reduction per incremental dollar invested?

o Which investments reduce the most risk in the least time?

• Companies that know the monetary costs of risk are more likely to secure by design — and save. 

Actions for the COO: 

• Plan with the CISO and CIO how to advance and secure OT aligned with IT 

• Work on a third-party risk methodology with the CISO and the CRO

Actions for the Risk Management team: 

• Build an "all hazards" approach to identifying sources of disruption

• Create a resilience program that integrates the core competencies of:

o Crisis management 

o Business continuity  

o Disaster recovery  

o Incident response, so the enterprise can respond in a cohesive and consistent manner

Cyber risks are not only a CISO or CIO problem; they are a company-wide concern.

There is an urgent need for C-suite collaboration to preserve the trust, confidence, and willingness needed to make business decisions.

A catastrophic cyberattack is a severe threat to 2023 resilience plans. Such an attack would surely put C-suite alliances to the test.

Two-thirds of executives consider cybercrime their most significant threat in the coming year. Cybercriminals, increasingly using off-the-shelf tools, can perpetrate and orchestrate a variety of attacks.

Here is a checklist for reviewing cybersecurity and technology risk:

Strategy:

Risk alignment 

• Key question: Is there an understanding of how much risk the company is willing to accept? 

• Behavior change: Risk measurements for decision-making. 

Effective operation 

• Key question: Do managers have visibility on the risks in data management? 

• Behavior change: Cyber risk needs attention at the executive level. 

Decision-making 

• Key question: Are there data risk priorities or alignments within the business strategy? 

• Behavior change: Leadership needs to understand what is essential. 

Reports and insights 

• Key question: Does senior management have access to meaningful and actionable information? 

• Behavior change: Risk reporting must go beyond the tactical. 

Adaptability 

• Key question: Can our processes, decisions, and actions adapt quickly to new information? 

• Behavior change: Resilience means knowing how to respond.

Unless the board of directors discusses these questions, companies will only invest in siloed solutions that fail to provide a holistic view of the risk and create a false sense of security, trust, and confidence.

2023 will be the year that companies either take cybersecurity risk seriously or the risk takes the companies out of business.

Juan Carlos Carrillo

CIPT, CDPSE, CCSK, CIAM 

Director Cybersecurity & Privacy 
