Key takeaways

  • Companies need to build digital trust – the level of confidence in people, processes and technology that build a secure digital future – in order to succeed in the digital economy.
  • The lines between cyber and physical are blurring, making cyber security and privacy needs more complex.
  • The majority of executives are embedding increased measures into their digital transformation strategies, but there is plenty of room for improvement.

If the lifeblood of the new digital economy is data, then its heart is digital trust. It’s been long established that building – and keeping – the trust of customers is a non-negotiable.

But in order to build digital trust – the level of confidence in the people, processes and technology that build a secure digital world – company executives need to find new mechanisms to address emerging threats to data, security and privacy.

To assess the current state of businesses’ relationship to trust, PwC US surveyed 3000 small and large business leaders in its inaugural Digital Trust Insights report. Covering a range of industries including financial services, healthcare, consumer products and technology, as well as media and telecommunications, and energy, mining and utilities, the survey covers 81 territories and builds on the strength of its predecessor, the Global State of Information Security® Survey.

PwC believes 2019 will be a pivotal year in laying the foundation for creating a new legacy in digital trust. Drawing on insights from the survey, ten major opportunities for improvement were identified around digital trust’s three pillars.

People

  1. Engage security experts at the start of digital transformations

Digital transformation projects are underway in most major companies, and as they introduce an increasing number of new technologies into the workplace, security threats are growing with them. Executives are aware of this: nine in ten say they include security and privacy experts as stakeholders in these projects. However, only half say they fully involve proactive risk management measures from the very beginning. Successful transformation involves embedding risk management in the entire process, from design to deploy.

  2. Upgrade your talent and leadership team

Despite the ever-growing risks to data privacy and security, many C-suites don’t include key titles such as chief information security officer, chief security officer, chief privacy officer, chief risk officer or chief data officer. The survey found that only around 40% of respondents report they are very comfortable that their company has adequately identified the right executives responsible for cybersecurity and privacy, and fewer, just a third, say their workforce is ready to meet emerging regulations and requirements.

  3. Raise workforce awareness and accountability

A third of respondents say their company has an employee security awareness training program, while fewer, 31%, have requirements in place that compel employees to complete training on privacy policy and practices. Making staff aware of how cybersecurity and privacy can support business objectives, without subjecting them to ‘security fatigue’ with uninspiring messaging that doesn’t influence behaviour, can help employees identify and correctly action threats when they arise. Enforcement will also help create accountability.

Process

  4. Improve communications and engagement with the board of directors

Boards must be across not only the latest security requirements but also the strategies their company is adopting to prepare for and manage them. While 80% say their board has been given the company’s cyber risk management strategy, only 27% say they are ‘very comfortable’ that their board is getting adequate reporting on cyber and privacy risk management metrics. Giving boards the information they need for oversight is critical to keeping the C-suite accountable and ensuring appropriate governance is in place.

  5. Tie security to business goals

Only 23% of Digital Trust Insights respondents say they plan to invest in aligning business objectives with an information security strategy over the next year. Cybersecurity programs are becoming increasingly misaligned with businesses, as corporate leaders continue to aggressively adopt technology-driven business models. While these digital transformation strategies are being planned and executed, embedding cybersecurity into the technology, as well as refreshing cybersecurity strategies and plans, will help incorporate this critical element into the fold.

  6. Build lasting trust around data

Businesses are increasingly finding new ways to monetise the wealth of data they now hold. The ethics of doing so can be difficult to navigate, and the line at which the trust of those whose data is being mined is broken is fragile and variable. It’s concerning, then, that just half of respondents whose businesses were worth US$100 million or more say they were making large investments in data governance and in creating transparency in the use and storage of data. As PwC’s protect.me survey reported, even loyal customers are prepared to walk away from a business if they feel their trust is being broken.

  7. Boost cyber resilience

Just half of medium and large businesses surveyed say they are building resilience to cyberattacks or other disruptive events ‘to a large extent’, while even fewer say they are comfortable their company has adequately tested their resistance to cyberattacks. As PwC has previously found, a positive response to a breach can actually help deliver a competitive advantage by building trust with customers as well as boosting brand value in how a company publicly handles the situation.

  8. Know thy enemies

Cyber threats vary depending on the size of the company and its industry. Somewhat predictably, financial services report the most concern about state-sponsored hackers, while fears around cybercriminals have spiked in consumer markets. Yet despite these insights, only 31% of all respondents say they are very comfortable that their company has identified the key sources of threats to its digital assets. Threats are not only external – they can come from within, be it nefarious or accidental. Cyber threat intelligence and insider threat programs can help companies identify the risks most pertinent to them.

  9. Be proactive in compliance

Regulation is evolving fast, but companies are failing to keep up. The EU’s General Data Protection Regulation (GDPR) has been in place since May 2018, yet less than half of the companies surveyed worth US$100 million or more say they are fully ready to comply with GDPR – a concerning thought when considering the hefty fines promised for those that break these laws. While compliance laws vary by country, adhering to the highest applicable laws and standards is the beginning, and companies should use an integrated approach to compliance, rather than siloed efforts.

Technology

  10. Keep pace with innovation

The barriers between cyber, physical and virtual will blur over the next decade following the explosive growth in technology and data. This will only lead to more complexity when it comes to cyber and privacy risk management – consider the implications of the Internet of Things, the interconnectivity of devices that share information among themselves. While 81% of respondents say IoT is critical to some or more parts of their business, only 39% are confident they are building sufficient digital trust controls – that is, security, privacy and data ethics – into their adoption. They have even less confidence in other emerging technologies such as artificial intelligence.

As the report identifies, there is plenty of room for improvement for business leaders when it comes to shoring up digital trust. Those that get ahead of the curve and seamlessly integrate it into every stage of their digital transformation efforts are setting themselves on the path to become the biggest players in the digital economy. Those that don’t are risking obsolescence. The time to choose which journey your company is on is now.

________________________________________________________________________________________________

For further, actionable insights when it comes to cyber security, privacy and trust, visit the Digital Trust Insights website to download the full report.

 

Contributor

Steve Ingram

Steve Ingram is the leader of PwC Australia’s Cyber practice and Asia-Pacific cyber leader.
