Are Swiss companies prepared for the challenges of cyber security?
New study by Deloitte shows the fundamental importance of cyber security and the challenges that Swiss companies face in achieving it
While the majority of internationally oriented companies assess the risk of cyber threats as high, domestically-oriented Swiss businesses generally rate these threats as low. Underestimating cyber security threats bears great risks. The study shows that businesses need to improve their cyber intelligence and response capabilities. Companies also need to take a more strategic view and thus advance cyber security into a measured and managed discipline with proper executive oversight.
The first study on cyber security conducted by the professional services firm Deloitte in Switzerland shows that businesses, in particular those that are primarily focused on the Swiss market, tend to underestimate cyber threats (cf. Figure 1). Notably, only one third of the companies interviewed see cyber security as a “must have” of strategic importance.
The reasons for underrating cyber risks are varied but can be traced back to the fact that security is invisible and intangible, as Mark Carter, Deloitte’s Lead Partner for Security & Resilience in Switzerland, explains: “If poor security made noise, more companies would be alarmed. But unfortunately this is not the case.” In recent years, Deloitte has been increasingly consulted after major cyber incidents in order to restore normal operations. “Companies are always surprised by how they missed early warning signs or are unable to reconstruct incidents due to incomplete log data”, Carter comments.
Moving from blindness to awareness
The interviewees described this problem as a “vicious cycle of blindness”: Their companies are unaware of cyber-attacks because they do not have the right tools to observe them. As a result, they do not invest in capabilities that allow them to better prepare for such threats. Historically, this cycle of blindness has only been broken when leaders could seize the opportunity to transform their companies’ security. As a silver lining, the study shows that this trend is changing and investments in cyber intelligence capabilities are among the top priorities for the coming years.
Challenges to mature cyber security
More than 80% of the interviewees responded that their companies are “not yet” doing enough to protect their assets against cyber-attacks. Many companies find it difficult to measure cyber security and to decide what level of cyber capabilities they require. Security investment decisions are therefore primarily driven by tactical considerations. A final barrier to building mature cyber capabilities is the common misperception that cyber security is an IT problem. This view fails to acknowledge the many non-IT facets of cyber security such as attacks against corporate brands, legal and regulatory requirements or corporate fraud.
“Companies have to realise that C-suite leadership is essential to manage all facets of cyber security”, says Mark Carter. The majority of interviewees confirmed this point, but less than half of all companies have established the necessary executive support.
While challenges to mature cyber security persist, Swiss companies are making significant progress. More and more, dedicated governance committees are being established that manage cyber security holistically and across organisational silos. The efforts to better observe attacks and measure cyber capabilities are signs of a maturing discipline. These are encouraging developments at a time when cyber-attacks continue to shake private and public organizations.
About the Deloitte report “Cyber Security in Switzerland – Finding the balance between hype and complacency”
Deloitte interviewed 17 Chief Information Security Officers (CISOs) and Heads of Security Engineering or Operations from a cross section of industries to understand how Swiss-based companies prepare for and respond to cyber threats. The interviews were conducted between October 2013 and January 2014. The report is based on the interview results and on Deloitte’s practitioners’ experience.
About Deloitte in Switzerland
Deloitte is a leading accounting and consulting company in Switzerland and provides industry-specific services in the areas of audit, tax, consulting and corporate finance. With approximately 1,100 employees at six locations in Basel, Berne, Geneva, Lausanne, Lugano and Zurich (headquarters), Deloitte serves companies and institutions of all legal forms and sizes in all industry sectors. Deloitte AG is a subsidiary of Deloitte LLP, the UK member firm of Deloitte Touche Tohmatsu Limited (DTTL). DTTL member firms comprise approximately 200,000 employees in more than 150 countries around the world.
Zurich, 24 March 2014
Note to editors
In this press release references to Deloitte are references to Deloitte AG, a subsidiary of Deloitte LLP, which is the United Kingdom member firm of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, whose member firms are legally separate and independent entities. Please see www.deloitte.com/ch/about for a detailed description of the legal structure of DTTL and its member firms. Deloitte LLP and its subsidiaries are leading business advisers, providing audit, tax, consulting and corporate finance services through more than 12,600 exceptional people across the UK and Switzerland. Known as an employer of choice for innovative human resources programmes, it is dedicated to helping its clients and people excel. Deloitte AG is recognised by the Federal Audit Oversight Authority and the Swiss Financial Market Supervisory Authority. The information contained in this press release is correct at the time of going to press.