More than two-thirds of companies plan to increase their cyber budget by 2022 to better protect their systems and data, with more than half of executives fearing an increase in reportable attacks, new data from consulting firm PricewaterhouseCoopers shows.
Yet the biggest threat to businesses is an unnecessary level of unnecessary complexity that has led to increased risk, with three quarters (75%) of managers agreeing that their organization’s infrastructure has become too complex and almost the same number agreeing, that complexity has led to regarding risk levels, according to the report. In general, managers worry that complexity will primarily lead to violations and financial losses, but also hamper innovation and undermine operational resilience.
Organizations need to focus on simplifying their operations and infrastructure and determining if complexity is needed, according to PwC’s new 2022 Global Digital Trends Insights report.
“The consequences of an attack increase as the interdependence of our system grows more and more complex,” the report said. “Critical infrastructure is particularly vulnerable. And yet many of the violations we see are still prevented with sound cyber practices and strong control.”
The Global Digital Trust Insights Survey annually examines more than 3,600 business, technology and security executives focusing on primarily (62%) large companies with at least $ 1 billion in revenue. While 69% of companies expect to increase their cyber budgets by 2022, and 26% expect an increase of 11% or more, many organizations do not yet see a return on their investment in security.
More than half of the companies have invested in cloud security, security awareness training or endpoint security, but only about a third of these companies achieve the benefits of these implementations, according to the “2022 Global Digital Trust Insights” report.
Part of the reason is the complexity of their environments and often the technology, two PwC executives said in a strategy description released earlier this year.
“[C]complexity has driven cyber risks and costs to dangerous new heights, “said Richard Horne, UK cyber security chair for PwC UK and Sean Joyce, global and US cyber security and privacy manager for PwC USA, in a brief release in February. The number of significant cyber attacks globally is rising potentially destructive criminal ‘ransomware’ attacks and nation state activity targeting government agencies, defense and high-tech systems by, for example, breaking IT network management software and other vendors.
Overall, the most mature organizations tackling complexity are 12 times more likely to have a committed CEO, 11 times more likely to understand the risk that third parties pose to their cybersecurity and attitudes to data protection, and 10 times more likely to to have a formal process of data trust practices, according to the report.
Yet, only about a third of companies have taken steps to streamline their business and operations over the past two years, the survey found.
Simplify to shrink the attack surface
Not surprisingly, as the pandemic developed, 35% of companies defined a new mix of remote, virtual and on-site work, while 33% reorganized their business functions and 32% consolidated their technology providers.
Companies evenly allocate their budgets for simplification across nine different initiatives, including an estimated 36% of budgets evenly distributed across “integration of controls and processes across disciplines”, “reduce[ing] obsolete or obsolete technology “and” adoption of a cloud-first technology strategy. “
The report argues that companies should remove complexity and reduce their attack surface to improve their security and reduce the cost of securing their systems and data.
Security operations and interdisciplinary teams should take another look at their own infrastructure to find complexity that has been left behind, according to the report. Find technical solutions that can not work together and teams that do not collaborate on resilience or risk management from third parties that do not have a process in place for managing data and not looping in the business teams when discussing cybersecurity measures and technologies.
“Complexity is not bad in itself — often it is a by-product of the company’s growth,” the report said. “The cost of creating unnecessary complexity is not obvious, and it is difficult to create haste to combat complexity – that is, until an attack occurs.”