Cyber Risk – Are CEOs Walking the Talk?

A new report produced by Marsh and Microsoft raises concerns that although senior management is highly aware of the escalating threat posed by cyber-attacks and massive data fraud, only 14% are “highly confident” of their organization’s ability to properly respond.

The report, based upon interviews with 1,300 risk professionals in 26 industry sectors, paints a portrait of corporate misunderstanding of a problem that evades a comprehensive solution. Nearly 20% of companies surveyed reported a malicious cyber-event in the past twelve months, with the costs associated with the breach averaging tens of millions of dollars.

Of principal concern to executives is the impact of an attack on business continuity and reputational risk. And although financially-motivated actors remain the greatest worry, an increase in attacks due to political considerations, particularly among nation-states, does not appear on management’s radar – only 6% of respondents believe malfeasance from the political arena is an area worthy to address in development of their defensive strategies. Sony may disagree...

Best-practices cyber-risk management mandates an enterprise-wide involvement in planning and responsibility with the Board and C-level executives leading the charge. Yet IT departments remain the sole owner of the problem in more than 70% of businesses, regardless of size. This disconnect further reinforces the need for a cross-functional approach to cyber risk governance.

So, what are companies focused on? Five areas stand out:

• Employee education and enhanced awareness of phishing,
• Improvement in patch management of network hardware and software,
• Penetration testing,
• Multi-factor authentication for remote access, and
• Encryption of the organization’s computers.

Despite business interruption being a top concern only 30% of those surveyed indicated existence of a cyber incident response plan, a key outline of the protocols and processes that organizations should follow in the event of a cyber-attack. Reasons for the lack of a formal plan include belief that existing security and firewalls were adequate, a lack of organizational expertise, creating a plan is not a management priority and that cyber risk was too small to justify the effort.

Most critical of all, the report reveals that fewer than 50% of respondents estimate financial losses from a potential cyber event, and of those that do, only 11% make estimates in economic terms. Such calculations are a key step in helping boards and others develop strategies and plan for investment in infrastructure, personnel and insurance to protect against cyber threats.

The report is essentially an indictment of management, the majority of whom pay lip-service to cyber-risk with little action undertaken. Whistling past the graveyard, as they say, is not a sound approach to the continuation of their businesses.

The entire report may be read here.

For further reading on this topic:

• Time For a Cybersecurity Audit?
• The Weak Link in Risk Management
• Ramsomware As A Service - The End of Innocence

The Docutrax Blog Library