A large-scale cyberattack, the great fear of managers

The fear of a large-scale cyber attack leads the ranking of executive concerns, ahead of a global economic recession, a rebound in the pandemic or other health crisis, the inflationary environment, supply chain problems or a new conflict geopolitical, according to the Digital Trust Survey 2023 report, prepared by PwC based on the opinion of 3,522 senior managers from 65 countries, including more than a hundred executives from Spanish companies.

The concern is logical if one takes into account that 42% of the managers surveyed assure that effective attacks on their systems have increased considerably since 2020. In Spain, 38% recognize incidents with a cost of between 100,000 and one million dollars in the last three years and only 18% say they have not had an incident in this period.

Given this scenario, the majority of those interviewed - 65% globally and 56% of Spanish executives - expect to increase their cybersecurity budgets in 2023. "70% understand that their cybersecurity position has improved, and this is largely due to the increases in the budget and the collaboration of the management as a whole", says Jesús Romero, partner in charge of Business Security Solutions at PwC.

Despite this increase in cyberattacks in the last two years, only 40% believe that they have fully protected their most critical areas. In Spain, the risks that have received the most attention are those associated with remote work and customer digitization processes, ahead of those related to cloud environments.

"Much remains to be done. Only 3% of the CISOs interviewed acknowledge having optimized the five NIST capabilities: identify, protect, detect, respond and recover," says Romero.

The managers also comment on which attacks they believe will increase significantly in the coming year. The ranking is led by attacks against employees' emails (33%), followed by ransomware (32%) and those directed at the interfaces used to manage cloud services (31%).

For their part, Spanish managers expect, above all, an increase in hacking and data theft (40%), followed by ransomware (41%).

Faced with these challenges, Romero emphasizes the importance of "continuing to increase investment in security and awareness, and advancing in the involvement of the CEO and senior management, which must be aligned with the CISO. It is a transcendental issue," he says.

"There is no doubt that investment has increased due to a greater awareness in the organization of cyber risks and their consequences," agrees Esther Mateo, general director of Security, Procedures and Corporate Systems of Adif. The board explains that it reports to Adif's board of directors and that cybersecurity is a priority on its agenda.

For his part, Sergio Fidalgo, group chief security officer of BBVA, highlights the great exposure that the financial sector has, which is facing "an asymmetric struggle because the core business of criminal organizations is to harm us and we can only dedicate a part of our resources to protect ourselves," he says. In addition, he mentions the high regulation and digital maturity as noteworthy elements when analyzing cybersecurity in this sector. "At BBVA we have a concept of embedded security, it is implicit in our platform," he points out.

Fidalgo underlines the "high awareness" at BBVA. "The board of directors has a cybertechnology and cybersecurity committee where the president and four directors are, and where I, as CIO, report monthly. The level of knowledge, awareness and risk management is very high," he says.

Esther Mateo explains that her cybersecurity priorities are IT/OT convergence and the digitization of the supply chain. In addition, she mentions the importance of promoting a cybersecurity culture project to "raise awareness among employees and third parties, so that we have a better shield." And she adds: "There is a greater possibility of containment by improving the culture of cybersecurity and strengthening the supply chain because no matter how much effort we make, it will not be enough if the chain is not robust."

Sergio Fidalgo explains that his strategy is "to accompany the bank's digital transformation, increase collaboration at all levels and continue to raise awareness among employees, customers and society, because people are the weakest link and we must turn them into the strongest shield ".

Both agree that one of the biggest challenges is the recruitment and retention of qualified professionals. "It's one of the dramas of the cybersecurity industry," says Fidalgo. Mateo adds that Adif deals with the added problem of not being able to compete in salaries in a context of rising salaries.

"Initiatives such as the establishment of global strategic risk management programs, the deployment of effective resilience schemes and the joint work of senior management must be addressed", concludes Jesús Romero.