Organisations are not doing all they can to protect data privacy, according to the findings of PwC's 2018 Global State of Information Security Survey (GSISS) issued last week.
When it comes to third parties who handle personal data of customers and employees, less than half (46%) conduct compliance audits to ensure they have the capacity to protect such information. And a similar number (46%) say their organisation requires third parties to comply with their privacy policies, said the survey, which drew responses from some 9,500 senior business and technology executives from 122 countries.
“Using data in more innovative ways opens the door to both more opportunities and more risks. There are very few companies that are building cyber and privacy risk management into their digital transformation. Understanding the most common risks, including lack of awareness about data collection and retention activities, is a starting point for developing a data-use governance framework,” said Mr Sean Joyce, PwC’s US Cybersecurity and Privacy Leader.
The GSISS findings revealed that Asia and North America lead in terms of developing an overall information security strategy and implementing data-use governance practices.
Senior executives recognise rising stakes of cyber insecurity
Fortunately though, senior executives do recognise the rising stakes of cyber insecurity. In PwC's 21st Global CEO Survey, cyber threats entered the top 5 threats to growth for the third time, with 40% of CEOs saying they were extremely concerned about this, up from 25% last year.
87% of global CEOs say they are investing in cybersecurity to build trust with customers. Nearly as many (81%) say they are creating transparency in the usage and storage of data. But less than half say they are taking these actions “to a large extent.”
Impact of technology on data
Consumers have relatively low confidence that companies will use personal data in a responsible way. PwC expects emerging improvements in authentication technology, including biometrics and encryption, to increasingly help business leaders build trusted networks.
Half of respondents say the use of advanced authentication has improved customer and business partner confidence in the organisation’s information security and privacy capabilities. Also, 48% say advanced authentication has helped reduce fraud and 41% say it has improved the customer experience. In addition, 46% say they plan to boost investment in biometrics and advanced authentication this year.
Using biometrics, however, creates its own exposure to privacy regulation and public concern as it relates to companies needing to track biometric information. And relying on knowledge-based authentication—when users provide a mother’s maiden name, for instance—potentially leaves an organisation vulnerable to attack if the knowledge is stolen in a separate breach.
PwC also expects increased pressure on industry to encrypt data for protection, which will drive related investments. Among financial sector respondents, 46% say they plan to increase investment in encryption this year.
Data privacy: a matter for the corporate board
Less than a third (31%) of 2018 GSISS respondents say their corporate board directly participates in a review of current security and privacy risks. Mr Paul O'Rourke, PwC’s Asia Pacific Cybersecurity and Privacy Leader, said:
“Organisations of all sizes should boost the engagement of corporate boards in the oversight of cyber and privacy risk management. Without a solid understanding of the risks, boards are not well positioned to exercise their oversight responsibilities for data protection and privacy matters.”
Regulation as an opportunity
The EU’s General Data Protection Regulation (GDPR), which applies to any organisation that does business in the EU, will go into effect in May 2018. Some 2018 GSISS respondents worldwide say they were already making some preparations for GDPR in the first half of 2017—a year before the compliance deadline. About a third of respondents (32%) had started a GDPR assessment, for example, and this figure was a bit higher in Asia (37%) than elsewhere.
The EU’s Directive on Security of Network and Information Systems (NIS directive), which aims to boost cyber resilience, also goes into effect in May 2018. Businesses identified by member states as operators of essential services (critical infrastructure), as well as digital service providers (search engines, cloud computing services and online marketplaces), face new requirements under the directive for security and for reporting incidents to national authorities. As with GDPR, companies could face serious consequences for noncompliance.
Mr Grant Waterfall, PwC's Europe, Middle East and Africa Cybersecurity and Privacy Leader, said:
“CEOs should see GDPR and the NIS directive not as compliance drills but rather as strategic opportunities to align their business for success in a data-driven world. In addition, companies should be reaching out to regulators to build relationships and lines of communication before compliance deadlines arrive.”
The GSISS is a worldwide study by PwC, CIO and CSO. The 2018 survey was conducted online from April 24, 2017 to May 26, 2017. Readers of CIO and CSO and clients of PwC from around the globe were invited via email to participate in the survey. The results discussed in this report are based on responses of more than 9,500 CEOs, CFOs, CIOs, CISOs, CSOs, VPs, and directors of IT and security practices from more than 122 countries. Thirty-eight percent of survey respondents are from North America, 29% from Europe, 18% from Asia Pacific, 14% from South America, and 1% from the Middle East and Africa.