Cyber Security Outlook 2023

Securing cloud and digital transformation top the agenda

In this year’s annual Digital Trust Insights research we reveal the top cyber security trends for UK organisations in 2023. Read the report to find out:

  • What are the biggest cyber security threats in 2023?
  • How does the acceleration in digital transformation and cloud adoption impact cyber risk exposure for the coming year?
  • How well are UK organisations identifying and mitigating these cyber risks?
  • Why investing in people and technology is key for successful cyber transformation

Cloud security tops 2023 cyber threats

Ransomware and business email compromise attacks predicted to increase too

Cloud related threats top the list of cyber security concerns that UK senior executives say will have a significant impact on their organisations in 2023, according to our annual Digital Trust Insights survey.

Some 39% of UK senior executives say they expect cloud-based threat vectors to significantly affect their organisation in 2023 compared to 2022 - more so than cyber threats from other sources such as laptop/desktop endpoints, web applications and software supply chain.

A third (33%) of UK senior executives also say they expect attacks against cloud management interfaces to increase significantly in 2023, while 20% say they expect attacks on Industrial Internet of Things (IIoT) and operational technology (OT) to significantly increase in the next 12 months.

However, long-standing and familiar cyber threats remain on the horizon in 2023, highlighting the challenge facing cyber security leaders - just over a quarter (27%) of UK organisations say they expect business email compromise and ‘hack and leak’ attacks to significantly increase in 2023, and 24% say they expect ransomware attacks to significantly increase.

The good news for CISOs charged with addressing and mitigating these risks is that cyber security budgets will rise for many in 2023, with 59% of UK respondents saying they expect their budgets to increase.

“There has been a big push within the FCA to move to cloud and that underpins the business strategy of being more innovative and adaptive. It gives us more capacity to change and improve more quickly, and the cyber strategy has had to adapt around that accordingly. So a lot of the cyber security strategy is around a multi-platform but cloud-based environment that can be adaptive and innovative and can be secured appropriately.”

Alister Shepherd, CISO, Financial Conduct Authority

How secure is your digital transformation?

In part the increase in cloud-based threats is a result of some of the potential cyber risks associated with digital transformation. An overwhelming majority - 90% - of UK senior executives in our survey ranked the increased exposure to cyber risk due to accelerating digital transformation as the biggest cyber security challenge their organisation has experienced since 2020.

These digital transformation efforts - which include initiatives such as migration to cloud, moving to ecommerce and digital service delivery methods, the use of digital currencies and the convergence of IT and operational technology - are critical to future-proofing the business, unlocking value and creating sustainable growth.

Yet around two-thirds of UK senior executives say they have not fully mitigated the cyber risks associated with digital transformation:

  • 64% have not fully mitigated the risks of cloud adoption
  • 68% have not fully mitigated the risks of increased digitisation of delivery mechanisms to customers
  • 64% have not fully mitigated the risks of increased digitisation of the supply chain

This is despite the potential costs and reputational damage of a cyber attack or data breach, with just over a quarter (27%) of global CFOs in our survey saying they have experienced a data breach in the past three years that cost their organisation more than $1 million.


Cyber attack is now the biggest organisational risk scenario

But awareness of cyber risk to organisational resilience grows

Our survey shows that the C-Suite is becoming more aware of how these complex cyber threats, and their potentially damaging impact, can pose a major risk to wider organisational resilience.

Just under half (48%) of UK organisations say a “catastrophic cyber attack” is the top risk scenario - ahead of global recession (45%) and resurgence of COVID-19 (43%) - that they are formally incorporating into their organisational resilience plans in 2023. That echoes the findings of our annual CEO Survey for 2022, where almost two-thirds (64%) of UK CEOs said they are extremely or very concerned about cyber attacks impacting their ability to sell products and services.

Top five scenarios formally incorporated into organisations’ resilience plans (ranked index), United Kingdom:

  • 1st: A catastrophic cyber attack
  • 2nd: Global recession
  • 3rd: A resurgence of COVID-19 or a new health crisis
  • 4th: Inflationary environment
  • 5th: Credit crunch / significantly reduced access to capital

And while UK business leaders are understandably focused on the immediate threats of inflation, macroeconomic volatility and geopolitical conflict in the next 12 months, cyber security rises to the top of the list when they take a longer term view. In our 26th annual UK CEO Survey, a quarter of UK CEOs say they believe their business is extremely exposed or highly exposed to cyber risks over the next five years - ahead of inflation, macroeconomic volatility, climate change and geopolitical conflict.

Yet more work is required to go beyond focusing on just high priority critical systems for cyber resilience. Our survey reveals, for example, that 43% of UK senior executives still focus on isolated risk scenarios and how to address recovery for that specific disruption, instead of a more effective approach that includes a broad understanding of the risks the organisation faces and how to continue operations across simultaneous risks.

Current cyber resilience approach and capability

And 50% of UK senior executives also say they react to a disruption by invoking plans after an incident and focusing on recovery of business operations after a failure or incident, instead of taking a preventative and anticipatory approach that assumes incidents will occur, and embedding resilience capabilities to withstand disruption.

Fewer than half (47%) also say they formally coordinate and integrate business continuity, disaster recovery, crisis management, incident preparedness and response, and threat intelligence.

“The potentially destructive impact of cyber threats such as ransomware has significant implications for the wider resilience of whole organisations. Only by taking a more strategic approach to resilience across high impact and increasingly plausible threats can organisations protect what matters most to business survival, reputation and ultimately build trust.”

Bobbie Ramsden-Knowles, Crisis and Resilience Partner, PwC UK


People and technology hold the key to cyber security transformation

3 critical factors for success in 2023

1. Leadership

Stronger leadership that drives cyber security throughout the organisation is the number one factor that will make the most difference to transforming cyber security in the next 12-18 months, according to UK senior executives.

This means the Board, CEO and other C-Suite executives speaking out about their commitment to cyber, and using their influence to drive sweeping changes and remove organisational barriers to C-Suite coordination.

2. Data analytics capabilities

Stronger data analytics capabilities on cyber and privacy activities are the second most important factor critical to successful cyber security transformation, according to UK senior executives. From using advanced analytics and AI to improve threat detection to identifying risk in supply chains and misconfigurations across cloud environments, data capabilities are key to making smarter cyber funding decisions with business goals and top risks in mind.

3. Employee cyber security awareness

Investing in both people and technology is key to bolstering cyber security defences and enabling the secure digital transformation necessary to innovate and create growth. In our UK CEO Survey just under half (46%) of business leaders say they are planning on increasing the human-led technology capabilities of teams in risk, while 40% also plan to increase their use of technology. And organisations must look to widen their cyber talent search beyond certifications and tech degrees. UK senior executives also say successful cyber security transformation depends upon having a cyber-savvy workforce where all non-cyber security employees understand the potential implications of their actions.

“The Board and C-Suite at the FCA fully understand the importance of cyber and their leadership and support has been fundamental in delivering the current approach to, and priority for, our work. That has to be the way. A few years ago it may have been the CISO selling it upwards whereas now you really need that leadership buy-in and support.”

Alister Shepherd, CISO, Financial Conduct Authority


The PwC Global Digital Trust Insights Survey questioned more than 3,500 senior business and technology executives around the world in July and August 2022 - from CEOs and CFOs to CIOs and CISOs - including 249 in the UK.

Contact us

Richard Horne

Cyber Security Partner and Chairman, PwC United Kingdom

Bobbie Ramsden-Knowles

Risk and Resilience Partner, PwC United Kingdom

Tel: +44 (0)7483 422701
