As bad actors continue to hone their skills and governments keep raising the penalty for getting breached, large organizations across the globe seem to be doing little to mitigate the risks associated with cybercrime – despite knowing better for years.
In an apparently encouraging development for businesses, risk management experts last year showed how EU companies were using the General Data Protection Regulation (GDPR) as a catalyst to up their game in cyber risk management.
More recently, the same group conducted a similar study – this time globally – to see if senior executives at large companies have met their promise to adopt a more comprehensive approach to cyber resilience (risk prevention, response, mitigation, etc.). Judging by the results, businesses still have a lot to do – and quite a bit of money to invest – if they are going to keep hackers at bay.
“A top risk management priority”
A new global survey by insurance brokers at Marsh reveals that few organizations can manage the risk of a cyber-attack – this, even though high-ranking executives at these organizations view cybersecurity as “a top risk management priority.”
Marsh polled 1,300 senior executives at organizations across the globe. It found that two thirds ranked cybersecurity among their organizations’ top five risk-management priorities, while 75% identified “business interruption” as the cyber loss scenario that could most affect their bottom line. Many also cited “breach of customer information” as their no. 1 fear.
It would follow that these executives have taken steps to invest heavily in protecting their company from breaches looking ahead to 2018. Yet, somehow, they haven’t.
“Despite this growing awareness and rising concern,” the report reads, “only 19% of respondents said they are highly confident in their organization’s ability to mitigate and respond to a cyber event. Moreover, only 30% said they have developed a plan to respond to cyber-attacks.”
Less than half said their organization estimates financial losses from a potential breach. Of those that do, only 11% make hard economic estimates.
“Such calculations are a key step in helping boards and others develop strategic plans and investment decisions, including those related to cyber insurance purchase,” the report notes.
Despite mounting fears that any organization can show up on cybercrooks’ radar, things haven’t changed much in leaders’ mindsets since 2016.
A similar survey conducted by Bitdefender almost two years ago showed that nine in 10 IT decision makers perceived IT security as a top priority for their companies, yet only two-thirds agreed their IT security budget was sufficient. From the total IT budget, cloud security spending greatly surpassed (by 48%) the amount spent on IT security in general.
The same research uncovered that 34% of companies had been breached in the previous 12 months, while 74% of IT decision makers didn’t even know how the company was breached.
Whose responsibility is it?
Marsh also found that responsibility for cyber risk management remains primarily with the IT department. Other stakeholders across the enterprise are inconsistently involved in cybersecurity matters, respondents said.
IT is typically also the owner and decision-maker for cyber risk management, respondents noted. Just 37% cited the president/CEO or the board of directors, and 32% named a department whose main function was actually risk management.
Perhaps, then, it is not so strange that threat intelligence analysts are urging information security officers (CIOs and CISOs) to have more face time with their executive in-chief.
One thing that stands out from most (if not all) studies assessing the risk of cybercrime in the 21st century is that leaders talk the talk but don’t always walk the walk.
Harsh penalties face those caught not complying with local laws starting this year, and there’s no shortage of disastrous precedents (think Equifax) to help speed along the decision to invest more in security.
So, it begs the question: how many more breaches are needed to persuade senior executives to get cybersecurity off the tops of their minds, and onto the top of their organizations’ priority lists?