Overly Complex IT Infrastructures Pose Security Risk

More than two-thirds of companies plan to increase their cyber budget in 2022 to better protect their systems and data, with more than half of executives fearing an increase in reportable attacks, new data from consulting firm PricewaterhouseCoopers shows.

Yet the major threat to companies is an avoidable level of unnecessary complexity that has led to increased risk, with three-quarters (75%) of executives agreeing that their organization's infrastructure has become too complex and nearly the same number agreeing that complexity has led to concerning levels of risk, according to the report. Overall, executives worry that complexity will primarily lead to breaches and financial losses but also hamper innovation and undermine operational resilience.

Organizations need to focus on simplifying their operations and infrastructure and determine whether complexity is necessary, according to PwC's new "2022 Global Digital Trends Insights" report.

"The consequences for an attack rise as our systems’ interdependencies grow more and more complex," the report states. "Critical infrastructures are especially vulnerable. And yet, many of the breaches we're seeing are still preventable with sound cyber practices and strong controls."

The Global Digital Trust Insights Survey annually polls more than 3,600 business, technology, and security executives, focusing on primarily (62%) large companies with at least $1 billion in revenue. While 69% of companies expect to increase their cyber budgets in 2022, and 26% expect an increase of 11% or more, many organization are not yet seeing a payoff from their investments in security.

More than half of companies have invested in cloud security, security awareness training, or endpoint security, but only roughly a third of those companies are achieving the benefits of those implementations, according to the "2022 Global Digital Trust Insights" report.

Part of the reason is the complexity of their environments, and often the technology, two PwC executives stated in a strategy brief published earlier this year.

"[C]omplexity has driven cyber risks and costs to dangerous new heights," Richard Horne, UK cybersecurity chair for PwC United Kingdom, and Sean Joyce, global and US cybersecurity and privacy leader for PwC United States, stated in a brief published in February. "The numbers of significant cyberattacks globally are increasing and include potentially devastating criminal 'ransomware' attacks and nation-state activity targeting government agencies, defense and high-tech systems by, for example, breaching IT network-management software and other suppliers.

Overall, the most mature organizations that are tackling complexity are 12 times more likely to have an engaged CEO, 11 times more likely to understand the risk that third parties pose to their cybersecurity and data privacy postures, and 10 times more likely to have a formal process for data trust practices, according to the report.

Yet only about a third of companies have taken steps to streamline their businesses and operations over the past two years, the survey found.

Simplify to Shrink the Attack Surface
Unsurprisingly, as the pandemic unfolded, 35% of companies have defined a new mix of remote, virtual, and on-site work, while 33% reorganized their business functions and 32% consolidated their technology vendors.

The companies evenly spread out their budgets for simplification across nine different initiatives, including an estimated 36% of budgets spread equally across "integrating controls and processes across disciplines," "reduc[ing] outdated or end-of-life technology," and "adopting a cloud-first technology strategy."

The report argues that companies should remove complexity and reduce their attack surface area to improve their security and reduce the cost of securing their systems and data.

Security operations and interdisciplinary teams should take another look at their own infrastructure to find complexity that has been left behind, according to the report. Find tech solutions that cannot work together and teams that are not collaborating on resilience or third-party risk management, failing to have a process in place for governing data, and not looping in the business teams when debating cybersecurity measures and technologies.

"Complexity isn’t bad in and of itself — often, it’s a by-product of business growth," the report states. "The costs of creating unnecessary complexity are not obvious, and it’s hard to create urgency around combatting complexity — that is, until an attack occurs."