Irish businesses are being put at risk by a “glaring blind spot” over the risks posed by their own suppliers to their cybersecurity, a new report says.
PwC’s 2022 Global Digital Trust Insights study said more than 60 per cent of Irish businesses expect cybercrime to increase this year, a higher level than their global counterparts. Some 62 per cent expect a rise in ransomware attacks, with 56 per cent anticipating an uptick in malware.
However, complex business relationships with suppliers and technology support networks pose “concerning” cyber and privacy risks, the survey found, with the majority of companies at home and abroad failing to realise the enormity of the situation. Only 38 per cent of Irish respondents claimed to have had a high understanding of the risk of data breaches through third parties, compared to 41 per cent of global organisations, while 24 per cent said they had little or no understanding of the risks.
This comes despite more than half of Irish respondents anticipating a rise in breaches through their software supply chain.
"Organisations can be vulnerable to an attack even when their own cyber defences are good. A sophisticated attacker searches for the weakest link – sometimes through the organisation's suppliers networks," said Pat Moran, PwC Ireland cybersecurity leader. "Gaining visibility and managing your organisation's web of third-party relationships and dependencies is a must. Yet, in our experience, fewer businesses than we would like are responding to the escalating threats that complex business models pose."
Less than half of Irish companies are auditing or verifying their suppliers’ compliance to help mitigate the risk, while 44 per cent are sharing information with third parties or helping them to improve their cyber stance.
Cloud services could also be another attack point, with 62 per cent of Irish respondents expecting attacks on such services to rise. However, only 29 per cent said they understood the cloud risks based on formal assessments.
Among the areas ranked highest for unnecessary complexity were data governance, cloud environment and data infrastructure.
“Simplification can be a challenge, but there is ample evidence to suggest that it is worthwhile for organisations in terms of improved cyber outcomes. While around one in two (50 per cent) Irish respondents said that their organisations had streamlined certain operations over the past two years (compared to a third for global companies), the ‘most improved’ cyber outcomes in our survey (the top 10 per cent) were five times more likely to have streamlined operations enterprise-wide,” said Will O’Brien, PwC Ireland cybersecurity director,.
“These top 10 per cent organisations are also 10 times more likely to have implemented formal data trust practices and 11 times more likely to have a high level of understanding of third party cyber and privacy risks.”
The survey, which questioned more than 3,600 participants, found only 29 per cent of Irish respondents had made “significant progress” in minimising financial losses to cyber disruptions, compared with a global rate of 40 per cent.
Less than half are “very confident” about the cybersecurity stance of their organisation, with 32 per cent saying cyber risks are well mitigated. More than 70 per cent said they had not increased the rigour of their due diligence.
Support from the top affected outcomes, though, with executives reporting the most progress in cybersecurity outcomes were 12 times more likely to have deep support from their chief executives.
“The survey confirms that the most advanced organisations see cybersecurity as more than defence and controls, but as a means to sustain their reputation and brand loyalty and build trust with their customers,” said Mr Moran. “As leaders of organisations, CEOs set the tone for focusing their cybersecurity teams on bigger-picture, growth-related objectives rather than narrower, short-term expectations.”