
Press releases

Is Business Ready for an Extinction-level Event? Deloitte Poll Reports Destructive Cyberattacks as Top Cyber Risk

New York, Jan. 28, 2020

Key takeaways

  • In an era of technological transformation and cyber everywhere, the attack surface is exponentially growing as cyber criminals attack operational systems and backup capabilities simultaneously in highly sophisticated ways leading to enterprise-wide destructive cyberattacks.
  • A majority of C-suite and executive poll respondents (64.6%) report that the growing threat of destructive cyberattacks is one of the top cyber risks at their organization.
  • It’s time for senior leadership to modernize risk management programs and solutions to keep pace with the current threats and technologies to incorporate new educational tools, technical solutions and business strategies.
    • A truly viable cyber resilience program can benefit an organization’s ability to recover, respond and be ready for a destructive cyberattack; over a quarter of respondents (27.2%) believe a comprehensive approach to cyber resilience would most improve their organizations’ approach to addressing these potential extinction-level events.

Why it matters
The well-publicized NotPetya attack, for example, spread beyond its intended target in seconds, and highlights how cyberattacks can compromise countless devices and spread across global networks in seconds, rendering servers and endpoints inoperable. From destructive malware to the growing threat of ransomware, attacks like these can propagate quickly and extensively impact an entire enterprise network.

Even organizations with fundamentally sound risk management programs will need to adapt to emerging and elusive cyber risks and the destructive impacts they present. Improving cyberattack readiness, response, and recovery will require a new approach to many traditional risk domains.

A Deloitte poll asked executives how prepared they are to withstand such an attack.

Why are these attacks so successful?


  • Poor access management: A fundamental issue that is pervasive and is often the open door through which a destructive attack will initiate and spread.
  • Weak cyber hygiene: Poor cyber hygiene has a direct impact on enterprise security and is most commonly seen in the form of missing patches, misconfigurations of systems, partially deployed security tools, and poor asset discovery and tracking.
  • Poor asset management: This can happen when organizations have no knowledge of specific applications, operating systems, or other device information, and the relationship between those applications.
  • Flat networks: Flat networks allow an adversary to easily maneuver to any system. Minimal segmentation and zoning allow for lateral movement, expanding the adversary’s reach into the enterprise.
  • Aggressive redundancy: Traditional recovery results in aggressive data redundancy for critical systems. When malware is introduced, these costly backup capabilities accelerate the spread across environments.
  • Limited business awareness: Leadership may still be operating under the assumption that the time, money and effort put into traditional disaster recovery programs are going to protect them in a destructive malware scenario. They need to be aware of the gaps and refocus efforts on these emerging threats.

Understanding your organization’s attack surface, and what implications a destructive cyberattack may have are important, but what is critical is to avoid ‘analysis paralysis’ and move quickly on deploying the proper technical solutions, like the cyber recovery vault, educational tools and business strategies. Senior leadership and boards need to get a grasp of what their traditional disaster recovery plan provides, what it does not provide, and how an attack might play out. When boards are made aware of the risk, these capabilities are often prioritized and quickly implemented.

—Pete Renneker, technical resilience leader in cyber risk services and a managing director at Deloitte & Touche LLP

Physical and traditional outages are often measured in hours or days. Whereas destructive attacks are often measured in weeks or months, which can be very difficult to recover from. To be successful, you have to have strong agile capabilities and leaders on the ground who can address the risks and interact effectively in the event of a large-scale incident.

—Kieran Norton, infrastructure security leader in cyber risk services and principal at Deloitte & Touche LLP

Media contacts:

Nicole Hockin
Public Relations
Deloitte & Touche LLP
+1 303 305 3074

Clare Milcinovic
Public Relations
Deloitte Services LP
+1 212 436 3457
