Cyber risk mitigation lags behind awareness: Survey
There is a gap between enterprises’ perception of cyber threats and their ability to cope with them, according to a report issued Thursday by Marsh L.L.C. and Microsoft Corp.
While 20% of 1,312 respondents in the Marsh-Microsoft worldwide cyber perception survey said their organizations had been a victim of a successful cyber attack within the past 12 months, and 40% estimated their worst-case cyber loss scenario at $50 million or above, only 30% said they had developed a plan to respond to cyber attacks.
Moreover, only 19% said they are highly confident in their organizations’ ability to mitigate and respond to a cyber attack.
Cyber risk, the global survey showed, “is at the forefront of the corporate risk register,” but management strategy in approaching it is lagging behind, said John Drzik, president of global risk and digital for Marsh in New York.
“We don’t necessarily see organizations as prepared as they need to be, given the scale and importance of the risk,” Mr. Drzik added.
This is against the backdrop of growing cyber exposure. Citing research figures from Stamford, Connecticut-based Gartner Inc., Mr. Drzik said that while there are now 8.5 billion internet of things devices in use, this number is expected to rise to 20 billion by 2020.
In addition, “There’s new threat sources,” Mr. Drzik said, noting hacktivist groups and state-sponsored cyber attacks.
There is also more technology in use. “Beyond the threat actors increasing, cyber exposure is growing for companies. Businesses are increasingly dependent on technology” and will become more so, Mr. Drzik said. “As a result, their attack surfaces are going to widen.”
The threat is not only growing but shifting as well.
Thomas Reagan, cyber practice leader for Marsh in New York, noted that 75% of respondents said business interruption is seen as having the greatest potential impact from a cyber threat event.
Business interruption “is now perceived to be more impactful than data breach,” which was cited by 55% of respondents.
“This is a real shift,” Mr. Reagan said. “This is moving from a problem of ‘how do we protect our customers and customers’ data?’ to ‘how do we keep the lights on and functioning inside the organization?’”
The threat of wider impact seems to be getting greater attention, he said.
“I think that heightens the sense of urgency inside the firm in thinking about how do they respond to cyber events,” Mr. Reagan said.
The report also showed that while companies are getting better about spreading around responsibility for cyber security, much of the function is still heavily siloed despite experts’ recommendations to the contrary.
Fully 70% of respondents said their information technology departments are the “primary owner and decision-maker” in the company’s cyber security structure.
This runs counter to advice that suggests bringing in more players for a cross-disciplinary, holistic approach.
“We do think it’s responsible to look at cyber security as a team sport,” said Matt Penarczyk, vice president and deputy general counsel for Microsoft in Seattle.
He also advocated cloud technology.
“The cloud itself can be a risk management tool,” Mr. Penarczyk said, because firms “can cost-effectively shift certain of their responsibilities to their cloud provider.”
“We look at cloud computing as one element of a cyber security strategy,” Mr. Penarczyk said.
The Marsh-Microsoft survey took place during July and August 2017.