Deloitte Study: Consumer Businesses Operate With a False Sense of Security About Cyber Risk
Monday, June 26th, 2017
Consumer products companies, retailers and restaurant businesses may be operating with a false sense of security, according to a new Deloitte study, "Cyber Risk in Consumer Business." The study captures input from more than 400 chief information officers, chief information security officers, chief technology officers and other senior executives about cyber risks and response plans affecting customer trust, payments, executive level engagement, human capital and intellectual property.
According to the study, more than three-quarters (76 percent) of consumer business executives report they are highly confident in their ability to respond to a cyber incident, yet many simultaneously face issues that critically impair their ability to do so. Among the findings:
- The majority of executives surveyed (82 percent) indicate their organization has not documented and tested cyber response plans involving business stakeholders within the past year.
- Less than half (46 percent) say their organization performs war games and threat simulations on a quarterly or semiannual basis.
- One quarter (25 percent) report lack of cyber funding.
- Roughly 1 in 5 (21 percent) lack clarity on cyber mandates, roles and responsibilities.
"In the study, we found that just 30 to 40 percent of companies currently investing in platforms such as consumer analytics, cloud integration, connected products and mobile payments have mature programs in place to address related risks," said Barb Renner, vice chairman, Deloitte LLP and U.S. consumer products leader. "Many of these technologies involve a broad set of data types that could expose consumers to much more than stolen credit cards and identity theft. Beyond customer data, the risks can range from protecting food safety in manufacturing and supply chains to intellectual property of new products and formulas. Allowing cyber response planning to lag can undercut the upside of investments in advanced digital technologies. It can become a one step forward, two steps back proposition to pursue advanced technologies without equal attention to cyber threats."
The Deloitte study also found companies may underestimate the importance of consumer trust. In fact, when thinking about potential cyber incidents, consumer product companies surveyed seem to be primarily concerned with production disruptions (48 percent) and loss of intellectual property (42 percent), while significantly fewer — 16 percent — are concerned with tarnishing brand perceptions related to trust.
Many U.S. consumers already express heightened security concerns, with a startling number going so far as to delete mobile applications and avoid websites, which can threaten a critical engagement touchpoint for consumer businesses. Consider these findings:
- In 2016, roughly 80 percent of U.S. consumers felt they had lost control over how their personal information was being used by companies.
- Over the past 12 months, 31 percent of U.S. consumers deleted applications on their smartphone and 27 percent avoided specific websites to mitigate their own cyber risk (Deloitte, SSI and JD Power; consumer privacy study presented at Next2017 Conference, May 9-10, 2017).
"News of breaches can not only threaten sales of a particular product or brand, but can tarnish broader perceptions consumers have toward connected products in general — jeopardizing billions in future sales growth," added Renner.
"A brand's reputation impacts consumer trust, but it also dictates brand swagger," said Chuck Saia, CEO of Deloitte Risk and Financial Advisory. "Brand trust starts at the top and leaders who continually earn the confidence of consumers can walk with that swagger. Taking brand reputation personally and setting the expectation that everyone in the organization does as well can help ensure potential risks to brand trust and reputation are quickly recognized and addressed."
Another potential risk and reward scenario accompanies the interactions between customers and consumer businesses: connected products. These devices may increase the points of entry, opening the door to cyber breaches that can arise anywhere across the entire connected ecosystem, including consumers and third-party vendors.
Among executives surveyed, 32 percent are not confident their cyber risk management program is effective in maintaining their strategy to develop and market connected products. Their concerns don't stop there. Changing regulatory requirements are the top concern of 74 percent of those who deploy connected products, followed by intellectual property theft (71 percent) and theft of consumer information (66 percent).
"People are often allured by the promise of connected products while many consumer products manufacturers, recognizing the potential for additional sources of revenue and market share, speed to bring them to market before competitors," said Sean Peasley, Deloitte & Touche LLP and cyber risk services consumer and industrial products leader. "With less than one-third of companies believing their cyber risk management is effective when it comes to developing connected products, we believe the principle of 'security by design' can be an effective strategy. By embedding security considerations further upstream in the development process, connected products can be more resilient to cyber threats enabling them to not only make it to market, but stay on the market, potentially avoiding costly and time-consuming recalls and regulatory delays."
Deloitte's research revealed intellectual property as a top data concern among executives surveyed — second only to financial theft. More than 4 in 10 (42 percent) of food and beverage executives surveyed are concerned with cyber-criminals trying to steal proprietary product formulation information such as food recipes and product codes. This rising concern over IP theft is generally mirrored across consumer businesses — where IP theft has largely remained in the shadows of more familiar cybercrimes such as theft of credit cards and other personally identifiable information.