PwC’s Global
Digital Trust
Insight
Survey 2023

Securing information is no longer just good practice, it’s a must for all organisations. PwC’s Global Digital Trust Insight Survey provides unique insights on how senior executives view cybersecurity within their organisation.

75%

of Irish respondents will increase their cybersecurity budget for 2023
83%

do not believe they have fully mitigated the risks of remote working
92%

of Irish organisations do not believe they have fully mitigated digitised supply chain risks
11%

of Irish senior executives say that their business has fully mitigated IoT device risks

The digitisation of global business is accelerating. Never before have organisations been as reliant on technology to do business. Digital platforms are empowering organisations to reach customers quicker, streamline workloads and communicate effectively while minimising overheads. Following the COVID-19 pandemic, organisations now find themselves in a position where they need to embrace alternative working models, including hybrid or fully remote working.

With this digital transformation comes a shift in the types of risks and challenges organisations face every day. As wider society’s dependence on technology increases and cyber threats continue to evolve, the approach to cybersecurity and IT risk management also needs to adapt. PwC’s Global Digital Trust Insight Survey 2023 identifies the top cybersecurity issues and challenges on the minds of senior executives across Ireland when it comes to securing their business. Hot topics include the prevalence of cybercriminals, cloud and outsourcing risks, operational technology (OT) and internet of things (IoT) security, and cyber and IT resilience.

Cybercrime will continue to escalate

Cybercrime is one of the main causes of both financial and reputational damage for organisations across the world, and is a growing concern for senior executives. The survey shows that prevention of cybercrime is one of the key focus areas for Irish businesses in 2023, with 75% of Irish respondents (global: 65%) indicating that there will be an increase in their cybersecurity budget for 2023. Being able to prevent cybercriminals from compromising data and systems is critical to establishing digital trust among customers and third parties.

In recent years, ransomware has evolved into one of the most prominent and devastating tools used by threat actors worldwide. Not surprisingly, ransomware continues to be on the mind of Irish businesses: ransomware was the second-most common response when senior executives were asked which types of attack they expect to see more frequently in 2023. In addition, business email compromise and account takeover, cloud interface and component attack, and third-party attacks are predicted to be significantly more persistent threats in the next 12 months.

Aside from new attack types, new attack targets are also constantly emerging. When asked which pathways adversaries might use to access their systems, over half of senior executives identified either operational technology (OT) or internet of things (IoT) devices as avenues they expect to significantly affect their business in 2023. Email, cloud-based pathways and third parties also ranked highly among the pathways expected to be commonly exploited in 2023.

With the threat landscape ever-changing, Irish senior executives and executives worldwide anticipate that cybercriminals, hacktivists and insider threats will be the top three threat actors facing their business in 2023. Given the current climate, senior executives recognise that geopolitics is becoming an increasingly important driver of cyber and IT risk and expect hacktivist activity to be more prevalent in an unstable geopolitical landscape. In the face of more sophisticated cybercriminals and hacktivists, maintaining digital trust against these threats is expected to be a challenge for organisations across the world.

"We expect cyber attacks to escalate in 2023 in Ireland and globally with ransomware not abating. Cybercrime is one of the main causes of financial and reputational damage for organisations across the world, and is a growing concern for businesses."

Leonard McAuliffe, Partner, PwC Ireland Cybersecurity Practice

Reliance on cloud and outsourcing brings increased cyber risk

In recent years, supply chain IT risks have become a focus area for regulators and organisations alike. The Central Bank of Ireland published its Cross-Industry Guidance on Outsourcing in 2021, which provides recommendations for organisations regarding the security of data within their supply chains, focusing on adhering to best-practice frameworks. Maintaining regulatory compliance is a crucial factor in establishing and retaining the digital trust of an organisation. With senior executives in Ireland identifying increased regulatory scrutiny as one of the top five impacts on their business since 2020, organisations are acknowledging the growing role of regulators in how operations are conducted.

Cloud service providers (CSPs) form an integral part of the supply chain of many modern businesses. More and more Irish organisations are adopting cloud-based models and solutions, with this reliance on third-party service providers leading to a more complex cybersecurity risk profile. According to the survey, senior executives believe that their business’ exposure to cyberattacks due to increased digitisation (including migration to the cloud) ranks as the greatest single impact their business has experienced since 2020. This is reflective of an expedited digital journey imposed on many organisations as a result of the COVID-19 pandemic. Rated by Irish organisations as a top three pathway for threat actors to access their systems, outsourcing to third-party service providers has emerged as a focal point for businesses as they seek to mitigate their cyber and IT risk exposure.

Cloud platforms are essential in driving business growth. However, with the accelerated adoption of cloud, a range of risks come with the shift towards a reliance on cloud. Notably, over a quarter of senior executives expect exploits of cloud component services to increase in 2023 compared to 2022, with almost a third of senior executives worldwide identifying attacks against cloud management interfaces as an attack type they expect to see more often in 2023. Among the possible consequences facing an organisation following an attack on, or breach of, their cloud environment are costly notifications to data owners, significant damage to the organisation’s reputation or even a class-action lawsuit. Worryingly, only 30% of senior executives agreed that their organisations have fully mitigated the cybersecurity risks associated with accelerated cloud adoption in 2022 (global: 35%).

OT and IoT emerging as likely attack pathways

Systems and devices are becoming increasingly interconnected as businesses progress their digital transformation. The security of OT and IoT devices has grown into an area of focus for cybersecurity and IT risk management, particularly for providers of critical infrastructure. The role that critical infrastructure plays in society means that its security is paramount. Having confidence that these systems are safeguarded from threats is vitally important for building digital trust.

The digitisation of organisations, which includes the convergence of OT and IT, was rated as the top impact experienced by organisations since 2020. Yet, only 14% of organisations (both globally and in Ireland) believed they had fully mitigated the cybersecurity risks associated with OT in the past 12 months. Moreover, only 11% of Irish senior executives feel that their business has fully mitigated the risk associated with an increased reliance on IoT devices (global: 15%).

With a quarter of surveyed senior executives anticipating that OT and IoT systems will be used as a pathway for threat actors to gain access to their organisations’ networks more frequently in 2023, OT and IoT attacks were rated as one of the top ten attack types expected to increase over the next 12 months. Strengthening the coordination between cybersecurity and OT teams and between IT and security operations teams were ranked by senior executives as being among the top ten priorities for their organisations as a driver of cybersecurity change in the near future. In spite of this, less than half (47%) of Irish organisations agreed that their OT and IT engineering teams worked more collaboratively now compared to 12 months ago. With the European Parliament expected to release NIS-2, a revision of its NIS Directive, in 2023, OT and IoT security is evolving into a focus area for regulators and operators of essential services. Maintaining regulatory compliance is a fundamental step for businesses looking to protect the digital trust of their customer base.

Preparing for an incident—cyber and IT resilience

Resilience means being able to keep your business running after an incident occurs. The survey reveals which scenarios Irish businesses are actively preparing for that could unfold over the next 12 to 24 months. Global recession, commodity market volatility (including the gas, oil and grain markets) and a catastrophic cyber attack have been identified as the top three priorities for Irish senior executives when planning resilience strategies. Preparing robust IT and cyber resilience plans can help organisations reduce financial losses after an incident, meet regulatory reporting requirements and protect the business’ brand, reputation and digital trust.

The survey indicates that less than half of Irish respondents (44%) formally coordinate business continuity, disaster recovery, crisis management, incident response and threat intelligence processes (global: 52%). Moreover, just 42% of Irish organisations (global: 62%) develop a broad understanding of the cyber risks they face across the entire business and how to continue operations amid these risks. Many organisations still take a narrow view of incident response planning, preparing for individual risk scenarios instead of enterprise-wide resilience strategies.

69% of Irish senior executives are taking steps to anticipate incidents that may occur by embedding resilience capabilities within their business to withstand disruption (global: 53%). 31% of senior executives indicated that their business recovers reactively, invoking plans after an incident and focusing on recovery after failure or the incident. Pre-empting disruption enables businesses to respond as one team with defined responsibilities, contain the incident and recover quicker. Further, being proactive in detecting potential incidents can help prevent damage to an organisation’s well-earned trust in the first place, helping security teams eradicate the threat before it becomes embedded.

During an incident, cross-team communication and activities play a critical role in limiting the potential damage caused to the business. Results from the survey indicate that organisations which promote an integrated, agile operating model that can respond to a diverse set of disruptive events were in the minority (47%). That figure stood at just 39% among Irish respondents. Ensuring that IT and cybersecurity teams are prepared to handle any type of incident that may arise is vital.

"Ensuring that IT and cybersecurity teams are prepared to handle any type of incident is vital, with cross-collaboration being critical. However, the survey shows that just 39% of Irish organisations promote an integrated and agile operation model that can respond to a diverse set of disruptive events"

Leonard McAuliffe, Partner, PwC Ireland Cybersecurity Practice

The key actions to take now

Understand your risk landscape

Understanding the threats facing your business is a crucial step in implementing a cybersecurity programme.

Mitigate the risks of new attack surfaces

As businesses increasingly rely on third-party outsourcing, such partners must be regularly risk re-assessed.

Cybersecurity awareness

Build cyber awareness to ensure that all employees understand the implications of their online activities.

Detect, defend, recover

Prepare your teams to act in unison in the event of a cyber breach, even if the likelihood seems remote.

Available: C-suite playbook on cybersecurity and privacy

Sign up to get the full playbook to access more of the latest findings and what lies ahead for 2023.

Access the full report

See you how stack up against your peers — right now

Leverage our cybersecurity and privacy benchmarking tool to gain real-time insights on how your organisation is performing.

Take the survey

We are here to help you

As leaders in cybersecurity, privacy, and risk and governance services, we are here to support your organisation’s digital transformation. Our network of experts are ready to help you plan strategic investment in cybersecurity, protect your organisation from cybercrime and build resilience. If you have a question about the security of your business, contact us today.