Deloitte Study: Consumer Businesses Operate With a False Sense of Security About Cyber Risk
More than 80 percent of surveyed companies have not tested cyber response plans in the last year.
NEW YORK, June 21, 2017 — Consumer products companies, retailers and restaurant businesses may be operating with a false sense of security, according to a new Deloitte study, “Cyber Risk in Consumer Business.” The study captures input from more than 400 chief information officers, chief information security officers, chief technology officers and other senior executives about cyber risks and response plans affecting customer trust, payments, executive level engagement, human capital and intellectual property.
According to the study, more than three-quarters (76 percent) of consumer business executives report they are highly confident in their ability to respond to a cyber incident, yet many simultaneously face issues that critically impair their ability to do so. Among the findings:
- The majority of executives surveyed (82 percent) indicate their organization has not documented and tested cyber response plans involving business stakeholders within the past year.
- Less than half (46 percent) say their organization performs war games and threat simulations on a quarterly or semiannual basis.
- One-quarter (25 percent) report lack of cyber funding.
- Roughly 1 in 5 (21 percent) lack clarity on cyber mandates,
“In the study, we found that just 30 to 40 percent of companies currently investing in platforms such as consumer analytics, cloud integration, connected products and mobile payments have mature programs in place to address related risks,” said Barb Renner, vice chairman, Deloitte
The Deloitte study also found companies may underestimate the importance of consumer trust. In fact, when thinking about potential cyber incidents, consumer product companies surveyed seem to be primarily concerned with production disruptions (48 percent) and loss of intellectual property (42 percent), while significantly fewer — 16 percent — are concerned with tarnishing brand perceptions related to trust.
Many U.S. consumers already express heightened security concerns, with a startling number going so far as to delete mobile applications and avoid websites, which can threaten a critical engagement touchpoint for consumer businesses. Consider these findings:
- In 2016, roughly 80 percent of U.S. consumers felt they had lost control over how their personal information was being used by companies.
- Over the past 12 months, 31 percent of U.S. consumers deleted applications on their smartphone and 27 percent avoided specific websites to mitigate their own cyber risk (Deloitte, SSI and JD Power; consumer privacy study presented at Next2017 Conference, May 9-10, 2017).
“News of breaches can not only threaten sales of a particular product or brand, but can tarnish broader perceptions consumers have toward connected products in general — jeopardizing billions in future sales growth,” added Renner.
“A brand’s reputation impacts consumer trust, but it also dictates brand swagger,” said Chuck Saia, CEO of Deloitte Risk and Financial Advisory. “Brand trust starts at the top and leaders who continually earn the confidence of consumers can walk with that swagger. Taking brand reputation personally and setting the expectation that everyone in the organization does as well can help ensure potential risks to brand trust and reputation are quickly recognized and addressed.”
Another potential risk and reward scenario accompanies the interactions between customers and consumer businesses: connected products. These devices may increase the points of entry, opening the door to cyber breaches that can arise anywhere across the entire connected ecosystem, including consumers and third-party vendors.
Among executives surveyed, 32 percent are not confident their cyber risk management program is effective in maintaining their strategy to develop and market connected products. Their concerns don’t stop there. Changing regulatory requirements are the top concern of 74 percent of those who deploy connected products, followed by intellectual property theft (71 percent) and theft of consumer information (66 percent).
“People are often allured by the promise of connected products while many consumer products manufacturers, recognizing the potential for additional sources of revenue and market share, speed to bring them to market before competitors,” said Sean Peasley, Deloitte & Touche
Deloitte’s research revealed intellectual property as a top data concern among executives surveyed — second only to financial theft. More than 4 in 10 (42 percent) of food and beverage executives surveyed are concerned with cyber-criminals trying to steal proprietary product formulation information such as food recipes and product codes. This rising concern over IP theft is generally mirrored across consumer businesses — where IP theft has largely remained in the shadows of more familiar cybercrimes such as theft of credit cards and other personally identifiable information.
About the Study
The Cyber Risk in Consumer Business study surveyed 402 CIOs, CISOs, CTOs and other senior executives from organizations operating in the consumer products, retail, restaurant, food and beverage, connected products and agribusiness sectors. The survey was conducted in January and February 2017.
Deloitte provides industry-leading audit, consulting, tax and advisory services to many of the world’s most admired brands, including 80 percent of the Fortune 500 and more than 6,000 private and middle market companies. Our people work across more than 20 industry sectors to deliver measurable and lasting results that help reinforce public trust in our capital markets, inspire clients to make their most challenging business decisions with confidence, and help