While it is encouraging that businesses are increasingly aware of cybersecurity risks, a shockingly low percentage of them are implementing risk management strategies to cover the eventuality.
Two thirds of senior executives globally placed cybersecurity among their top five risk management priorities, with a towering 75 per cent ranking cyber related business interruptions as having the greatest potential impact on their organisation.
Despite this widespread concern just 19 per cent expressed high confidence in their mitigation and response capabilities when faced with cyber threats. Perhaps more worryingly, the research from March reveals that just 30 per cent said they have a plan of action for when a cyberattack hits.
“Cyber risk is an escalating management priority as the use of technology in business increases and the threat environment gets more complex,” said John Drzik, President, Global Risk and Digital, Marsh. “It’s time for organisations to adopt a more comprehensive approach to cyber resilience, which engages the full executive team and spans risk prevention, response, mitigation and transfer.”
The general approach to risk management globally is further proved to be lacklustre by the finding that less than half of organisations make estimates of financial losses that could be caused by cyberattacks, an important step in the risk management process. Only 11 per cent actually make their estimates in economic terms.
“While technology is the foundation of any good cybersecurity strategy, companies can benefit from investing in non-technology solutions like risk management as part of a holistic approach,” said Matt Penarczyk, Vice President and Deputy General Counsel, Microsoft. “Through advanced technology, tools and training, for example, companies can better protect the data in their networks and be ready for the business interruptions and reputational risks associated with cyberattacks.”
There still appears to be a lack of understanding among organisations as to who is responsible for cyber risk management, with 70 per cent of senior executives still pointing at IT when asked who has ownership and decision making power over the matter. It is apparent that the IT department rug is still being used to sweep cybersecurity responsibility under.