Market Study: Security Concerns Up—Mitigation Efforts Down

  • Fewer organizations are taking steps to mitigate cyber security risks compared with a year ago, even though the level of concern about threats has increased during the pandemic, according to a survey of business leaders.
  • Nearly one quarter of the respondents said their company had been a victim of a cyber event.
  • Cyber security concerns appear to be driven by the impact of the pandemic on businesses’ operations and workforces.
  • Enterprises should consider taking certain steps to help reduce risk during a time of ongoing uncertainty and remote workforces.

Fewer organizations than last year have taken steps to mitigate cyber security risks, even though the level of concern about these threats has increased during the COVID-19 pandemic. That’s according to a recent report from insurance firm The Travelers Companies.

For its 2020 Travelers Risk Index, the insurer commissioned research firm Hart Research to conduct an online survey of 1,216 business decision makers in July 2020. Fewer than half of the respondents said their organization has used intrusion detection software (48%), undergone a cyber risk assessment of their company (47%) or vendors (37%), or written a business continuity plan that could help them respond to a cyber attack (42%).

More business leaders reported taking each of these precautions a year ago, the report said. This is especially concerning, it said, as nearly one quarter of the respondents said their company had been a victim of a cyber event. That was the highest number of attack victims since the survey began in 2014.

While broad economic uncertainty is the greatest concern for businesses overall, according to the report, cyber security threats are the top concern for large and medium-sized businesses. Cyber security threats were ranked first by companies in the healthcare, technology, nonprofit, and public sector industries.

The leading cyber security concerns among all respondents are suffering a security breach (52% of the respondents worry some or a great deal about this); unauthorized access to financial systems (50%); employees putting company information at risk (48%); becoming a cyber extortion/ransomware victim (47%); theft of the company’s customer or client records (47%); and suffering a cyber event due to employees working remotely (47%).

These concerns seem to be driven, at least in part, by the impact of the pandemic on businesses’ operations and workforces. The share of organizations reporting that at least 40% of their employees work outside of the office has more than doubled during the pandemic, from 26% to 59%.

As a result of this trend, organizations are finding that they need to manage a new set of cyber security threats.

With more workers relying on their ability to connect with company systems from remote locations, and many consumers preferring to make online transactions, it’s more important than ever for companies to do all they can to mitigate exposure to cyber threats, noted Tim Francis, enterprise cyber lead at Travelers.

By taking appropriate precautions and having a plan in place for when something goes wrong, organizations can put themselves in a position to seamlessly get back up and running after an attack, Francis says. This is vital for making sure employees will be able to access systems and maintain productivity, while also delivering a high level of service to customers, he says.

Travelers suggests several practices to help organizations minimize cyber security risk, at a time when more employees are working from home or other remote locations.

One is to deploy virtual private networks (VPNs), which the firm says are fundamental safeguards when users access an organization's network via their home Wi-Fi networks. VPNs allow for the encryption of data, which adds a level of protection.

Another is to implement multi-factor authentication (MFA) technology, which is designed to ensure that an authorized user provides more than one method of validating identity. This decreases the risk that an attacker can gain access to a network.

Organizations should also ensure that remote work practices comply with internal and external policies, laws, and regulations. Some job roles might not be suited to remote work because of the nature of the role, in which case enterprises should be direct with employees about remote work expectations and permissibility.

And companies should ensure that systems, software, and devices are updated with the latest security patches. That means tracking equipment that staffers will use in their home working environment and providing a way to update software security patches.

For their part, employees can also take steps to enhance cyber security. One is to prevent unauthorized users, including family members, from accessing company resources. Another is to use only company-authorized devices for remote work. Personal devices such as smartphones might not have the same level of security and privacy protections as company devices.

Finally, employees should dispose of company documents properly. This includes reviewing the employer’s records retention and management policies and information management policies, to ensure compliance.