A Deloitte survey of 400 executives in the consumer product segment indicates that businesses are confident they can fight cybercrime, but at the same time they are ill prepared to do so. Going by the numbers, business execs indeed have a ways to go to protect customer trust, intellectual property, payments and human capital.
Deloitte gathered input from chief information officers, chief information security officers and chief technology officers, all with IT security in their job description. However, their confidence about cybersecurity contrasts sharply with the actual ability to combat cybercrime.
For example, while 76 percent report they are “highly confident” in their ability to counter a cyber attack, many report blockages that impair their ability to do so.
- 82 percent say their company has not documented, let alone tested, cyber response plans involving business stakeholders within the past year.
- 46 percent say their organization performs threat simulations and war games on a semiannual basis, some quarterly
- As many as 25 percent report lack of funding
- 21 percent lack clarity on mandates, roles and responsibilities
‘One step forward, two steps back’
The survey unearthed that fewer than 4 in 10 companies have mature programs in place to address risks even though they invest heavily in platforms such as consumer analytics, cloud integration, mobile payments and connected products.
“Many of these technologies involve a broad set of data types that could expose consumers to much more than stolen credit cards and identity theft,” said Barb Renner, vice chairman, Deloitte LLP and U.S. consumer products leader. “Beyond customer data, the risks can range from protecting food safety in manufacturing and supply chains to intellectual property of new products and formulas.
“Allowing cyber response planning to lag can undercut the upside of investments in advanced digital technologies. It can become a one step forward, two steps back proposition to pursue advanced technologies without equal attention to cyber threats,” Renner added.
The customer’s always right
Even though many US consumers express increasing security concerns, at times even deleting apps on their devices for fear that companies pry into their personal lives, consumer product companies are primarily concerned with production disruptions (48 percent) and loss of intellectual property (42 percent). Only 16 percent of the surveyed companies are concerned with their brand perception getting tarnished as a result of potential cyber incidents. Two more important data points from the study seem to confirm it:
- In a 2016 survey, around 80 percent of US consumers admitted to feeling heightened anxiety over how their personal information is used by companies
- Sine June 2016, 31 percent of US consumers have deleted applications on their smartphones and 27 percent avoided specific websites to mitigate risk
“A brand’s reputation impacts consumer trust, but it also dictates brand swagger,” said Chuck Saia, CEO of Deloitte Risk and Financial Advisory. “Brand trust starts at the top and leaders who continually earn the confidence of consumers can walk with that swagger. Taking brand reputation personally and setting the expectation that everyone in the organization does as well can help ensure potential risks to brand trust and reputation are quickly recognized and addressed.”
Speed-to-market at the cost of security
Connected devices, which make up the Internet of Things, present another major problem for consumer businesses. More web-capable devices means more points of entry, which ultimately means more breach opportunities for cybercrooks.
“People are often allured by the promise of connected products while many consumer products manufacturers, recognizing the potential for additional sources of revenue and market share, speed to bring them to market before competitors,” said Sean Peasley, Deloitte & Touche LLP and cyber risk services consumer and industrial products leader.
“With less than one-third of companies believing their cyber risk management is effective when it comes to developing connected products, we believe the principle of ‘security by design’ can be an effective strategy. By embedding security considerations further upstream in the development process, connected products can be more resilient to cyber threats enabling them to not only make it to market, but stay on the market, potentially avoiding costly and time-consuming recalls and regulatory delays.”
According to the research note – Cyber Risk in Consumer Business – 32 percent are not confident in their cyber risk management program to develop and market secure connected products. For 74 percent of those who deploy connected devices, changing regulatory requirements are the top concern. Intellectual property theft tops the concerns at 71 percent of those surveyed. Theft of consumer information is the primary fear for 66 percent.
A key takeaway from the study is that companies are most concerned about losing their IP – proprietary product formulation information such as food recipes and product codes – to a competitor, with 42 percent of food and beverage executives surveyed expressing this concern. In fact, most consumer businesses are increasingly fearful about IP theft, amid ever more sophisticated cyber attacks, Deloitte reports.
While end users can take simple steps to mitigate risks – such as turn away from an app or service, and rely on endpoint-protection through anti-malware solutions – businesses must approach IT security more holistically, for example weighing out the pros and cons of rushing to market with a new product, simply to beat competitors to the punch.